Logical Abstract Interpretation

1
Logical Abstract Interpretation

• Sumit Gulwani
• Microsoft Research, Redmond

2
Final Goal of the class

• Automatically verify partial correctness of
  programs like the following using abstract
  interpretation.
• Void Init(int A, int n)
• for (i 0 iltn i)
• Ai 0
• for (j 0 jltn j)
• Assert(Aj 0)

3
Outline

• Decision Procedures
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns
• Logical Abstract Interpretation
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns
• Universally Quantified Formulas
• Hardness of Assertion Checking
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns

4
Decision Procedures

• DPT(?) Yes, if ? is satisfiable
• No, if ? is unsatisfiable
• Without loss of generality, we can assume that ?
  is a conjunction of atomic facts.
• Why?
• DP(?1Ç?2) is sat iff DP(?1) is sat or DP(?2) is
  sat
• What is the trade-off?
• Converting ? into DNF may incur exponential
  blow-up

5
Outline

• Decision Procedures
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns
• Logical Abstract Interpretation
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns
• Universally Quantified Formulas
• Hardness of Assertion Checking
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns

6
Linear Arithmetic

• Expressions e y c e1 e2 c e
• Atomic facts g e0 e?0
• Note that e0 can be represented as e0 Æ e0
• egt0 can be represented as e-10
• (over integer LA)
• The decision problem for integer LA is NP-hard.
• The decision problem for rational LA is PTime.
• PTime algorithms are complicated to implement.
  Popular choice is an exponential algorithm called
  Simplex
• We will study a PTime algorithm for a special
  case.

7
Difference Constraints

• A special case of Linear Arithmetic
• Constraints of the form xc and x-yc
• We can represent xc by x-uc, where u is a
  special zero variable. Wlog, we will assume
  henceforth that we only have constraints x-yc
• Reasoning required x-yc1 Æ y-zc2 ) x-zc1c2
• O(n3) (saturation-based) decision procedure
• Represent contraints by a matrix Mnn
• where Mij c represents xixj c
• Perform transitive closure of M
• Mij min Mij, MikMkj
• ? is unsat iff 9i Mii lt 0

8
Outline

• Decision Procedures
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns
• Logical Abstract Interpretation
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns
• Universally Quantified Formulas
• Hardness of Assertion Checking
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns

9
Uninterpreted Functions

• Expressions e x F(e1,e2)
• Atomic fact g e1e2 e1?e2
• Axiom 8e1,e2,e1,e2 e1e1 Æ e2e2 )
  F(e1,e2)F(e1,e2)
• (called congruence axiom)
• (saturation-based) Decision Procedure
• Represent equalities e1e2 2 G in Equivalence DAG
  (EDAG)
• Nodes of an EDAG represent congruence classes of
  expressions that are known to be equal.
• Saturate equalities in the EDAG by following
  rule
• If C(e1)C(e1) Æ C(e2)C(e2), Merge
  C(F(e1,e2)), C(F(e1,e2))
• where C(e) denotes congruence class of expression
  e
• Declare unsatisfiability iff 9 e1?e2 in G s.t.
  C(e1) C(e2)

10
Uninterpreted Functions Example
yF5(y)
y?F(y)
yF3(y)
Æ
Æ
F
F
F(y)F4(y)
F
F2(y)F5(y)
F
yF2(y)
F
F(y)F3(y)
y
yF(y)
? unsat
11
Uninterpreted Functions Complexity

• Complexity of congruence closure O(n log n),
  where n is the size of the input formula
• In each step, we merge 2 congruence classes. The
  total number of steps required is thus n, where n
  is a bound on the original number of congruence
  classes.
• The complexity of each step can be O(log n) by
  using union-find data structure

12
Outline

• Decision Procedures
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns
• Logical Abstract Interpretation
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns
• Universally Quantified Formulas
• Hardness of Assertion Checking
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns

13
Combination of Linear Arithmetic and
Uninterpreted Functions

• Expressions e y c e1 e2 c e
  F(e1,e2)
• Atomic Facts g e0 e?0
• Axioms Combined axioms of linear arithmetic
  uninterpreted fns.
• Decision Procedure Nelson-Oppen methodology for
  combining decision procedures

14
Combining Decision Procedures

• Nelson-Oppen gave an algorithm in 1979 to combine
  decision procedures for theories T1 and T2,
  where
• T1 and T2 have disjoint signatures
• except equality
• T1, T2 are stably infinite
• Complexity is O(2n2(W1(n)W2(n)).
• If T1, T2 are convex, complexity is
  O(n3(W1(n)W2(n)).
• The theories of linear arithmetic and
  uninterpreted functions satisfy all of the above
  criterions.

15
Convex Theory

• A theory is convex if the following holds.
• Let G g1 Æ Æ gn
• If G ) e1e2 Ç e3e4, then G ) e1e2 or G ) e3e4
• Examples of convex theory
• Rational Linear Arithmetic
• Uninterpreted Functions

16
Examples of Non-convex Theory

• Theory of Integer Linear Arithmetic
• Theory of Arrays

ysel(upd(M,a,0),b) ) y0 Ç ysel(M,b) But
ysel(upd(M,a,0),b) ) y0 and
ysel(upd(M,a,0),b) ) ysel(M,b)
/
/
17
Stably Infinite Theory

• A theory T is stably infinite if for all
  quantifier-free formulas ? over T, the following
  holds
• If ? is satisfiable, then ? is satisfiable
  over an infinite model.
• Examples of stably infinite theories
• Linear arithmetic, Uninterpreted Functions
• Examples of non-stably infinite theories
• A theory that enforces finite of distinct
  elements. Eg., a theory with the axiom 8x,y,z
  (xy Ç xz Ç yz). Consider the quantifier free
  formula ? y1y2.
• ? is satisfiable but doesnt have an
  infinite model.

18
Nelson-Oppen Methodology

• Purification Decompose ? into ?1 Æ ?2 such that
  ?i contains symbols from theory Ti.
• This can be done by introducing dummy variables.
• Exchange variable equalities between ?1 and ?2
  until no more equalities can be deduced.
• Sharing of disequalities is not required because
  of stably-infiniteness.
• Sharing of disjunctions of equalities is not
  required because of convexity.
• ? is unsat iff ?1 is unsat or ?2 is unsat.

19
Combining Decision Procedures Example
y1 4y3 F(2y2-y1) Æ y1F(y1) Æ y2F(F(y1))
Æ y1?4y3
Purification
a12y2-y1 y14y3a2 Æ y1?4y3 y1 y2 y1 a2
a2F(a1) y1F(y1) Æ y2F(F(y1)) y1 a1
Saturation
? unsat
20
Outline

• Decision Procedures
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns
• Logical Abstract Interpretation
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns
• Universally Quantified Formulas
• Hardness of Assertion Checking
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns

21
Logical Abstract Interpretation

• Abstract Interpretation of a program involves
  interpreting the program over abstract values
  from some abstract domain D equipped with a
  partial order ¹
• Logical Abstract Interpretation refers to the
  case when
• D logical formulas over theory T
• ¹ logical implication relationship, i.e., E ¹
  E iff E )T E
• We will study following examples of logical
  interpretation
• D consists of finite conjunctions of atomic facts
  over T.
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Functions
• D consists of universally quantified formulas
  over T.

22
Transfer Functions for Logical Abstract
Interpreter

• An abstract interpreter computes abstract values
  or facts at each program point from facts at
  preceding program points using appropriate
  transfer fns.

• Transfer functions for a logical abstract
  interpreter thus involve providing operators for
  over-approximating disjunction and existential
  quantifier elimination.

23
Fixed-point Computation

• In presence of loops, fixed-point computation is
  required. The process is accelerated by using a
  widening operator, which takes the facts in the
  current and previous iteration (at some point
  inside a loop) and generates something weaker
  than the current fact.
• A widening operator should guarantee convergence
  in a bounded number of steps.
• Widening is typically applied at loop header
  points.
• Facts generated after fixed-point are invariants
  and can be used to validate assertions using
  decision procedures.

G
assert(g)
Validate iff GÆ g is unsat
24
Initialization

• The fact at program entry is initialized to gt,
  which in our setting is the logical formula
  true.
• This denotes that we make no assumptions about
  inputs, and whatever we prove will be valid for
  all inputs.
• The facts at all other program points are
  initialized to ?, which in our setting is the
  logical formula false.
• This denotes our optimistic assumption of
  unreachability of program locations (unless we
  can prove them reachable in the process of
  fixed-point computation).

25
Outline

• Decision Procedures
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns
• Logical Abstract Interpretation
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns
• Universally Quantified Formulas
• Hardness of Assertion Checking
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns

26
Difference Constraints

• Abstract element
• conjunction of xi-xj cij
• can be represented using matrix M, where
  Mijcij
• Decide(M)
• M Saturate(M)
• Declare unsat iff 9i Mii lt 0
• Join(M1, M2)
• M1 Saturate(M1) M2 Saturate(M2)
• Let M3 be s.t. M3ij Max M1ij,
  M2ij
• return M3

27
Difference Constraints

• Eliminate(M, xi)
• M Saturate(M)
• Let M1 be s.t. M1jk 1 (if ji or ki)
  Mjk otherwise
• return M1
• Widen(M1, M2)
• M1 Saturate(M1) M2 Saturate(M2)
• Let M3 be s.t. M3ij M1ij (if M1ij
  M2ij)) 1 (otherwise)
• return M3

28
Difference Constraints Example
true
y 0 z 2
y0, z2
?
y0 Æ z2
?
0y1 Æ zy2
0y2 Æ zy2
0y Æ zy2
0ylt51 Æ zy2
1ylt51 Æ zy2
1y2 Æ zy2
y1 Æ z3
?
y lt 50
y50 Æ zy2
False
True
Assert (z52)
y0 Æ z2
0y1 Æ zy2
0ylt50 Æ zy2
?
y z
29
Outline

• Decision Procedures
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns
• Logical Abstract Interpretation
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns
• Universally Quantified Formulas
• Hardness of Assertion Checking
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns

30
Uninterpreted Functions

• Abstract element
• conjunction of e1e2, where e y F(e1,e2)
• can be represented using EDAGs
• Decide(G)
• G Saturate(G)
• Declare unsat iff G contains e1 ? e2 and G has
  e1, e2 in the same congruence class.
• Eliminate(G, y)
• G Saturate(G)
• Erase y (might need to delete some dangling
  expressions)
• return G

31
Uninterpreted Functions

• Join(G1, G2)
• G1 Saturate(G1) G2 Saturate(G2)
• G Intersect(G1, G2)
• return G
• For each node n ltU, ni,nigt in G 1
• and node m ltV, mj, mjgt in G2,
• G contains a node n,m ltU Å V, ni,
  mj, ni,mjgt

32
Uninterpreted Functions Example of Join
G1
G2
G Join(G1,G2)
33
Outline

• Decision Procedures
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns
• Logical Abstract Interpretation
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns
• Universally Quantified Formulas
• Hardness of Assertion Checking
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns

34
Combination Decision Procedure

• DP(E12)
• ltE1, E2gt PurifySaturate(E12)
• Return DPT1(E1) Æ DPT2(E2)

35
Combination Join Algorithm

• JoinT12(L12, R12)
• ltL1, L2gt PurifySaturate(L12) ltR1, R2gt
  PurifySaturate(R12)
• DL Æ viltvi,vjgt vi2Vars(L1ÆL2),
  vj2Vars(R1ÆR2) DR Æ vjltvi,vjgt
  vi2Vars(L1ÆL2), vj2Vars(R1ÆR2)
• L1 L1 Æ DL R1 R1 Æ DR L2 L2 Æ
  DL R2 R2 Æ DR
• A1 JoinT1(L1, R1) A2 JoinT2(L2,
  R2)
• V Vars(A1ÆA2) Program Variables
  A12 EliminateT12(A1ÆA2, V)
• Return A12

36

Combination Example of Join Algorithm
za-1 Æ yF(a)
zb-1 Æ yF(b)
Joinufla
za-1 aha,bi
yF(a) aha,bi
zb-1 bha,bi
yF(b) bha,bi
Joinuf
Joinla
ha,bi1z
yF(ha,bi)
Eliminateufla
ha,bi
yF(1z)
37
Combination Existential Quantifier Elimination

• ElimintateT12(E12, V)
• ltE1, E2gt PurifySaturate(E12)
• ltD, Defsgt DefSaturate(E1, E2, V Temp
  Variables)
• V V Temp Variables D E1
  EliminateT1(E1, V) E2 EliminateT2(E2,
  V)
• E (E1 Æ E2) Defs(y)/y
• Return E
• DefSaturate(E1, E2, U) returns the set of all
  variables D that have definitions Defs in terms
  of variables not in U as implied by E1 Æ E2.

38

Combination Example of Existential Elimination
aby Æ zc1 Æ aF2(b) Æ cF(b)
a, b, c
Eliminateufla
aby Æ zc1
aF2(b) Æ cF(b)
Defla
Defuf
b
Eliminatela
Eliminateuf
c ? z-1 a ?F(z-1)
a y Æ zc1
a F(c)
Substitute
F(z-1) y
39
Abstract Interpretation over Combined Domain
Example
true
struct List struct List next x, y N(z)
0, if z null 1 N(z!next)
y x i 0
yx, i0
?
0i1 N(x)N(y)i
0i2, N(x)N(y)i
0i, N(x)N(y)i
1i2, N(x)N(y)i
?
yx, i0
1i, N(x)N(y)i
yx!next, i1, x?null N(x)N(x!next)1
?
y?null
0i1, y ? null N(x)N(y)i
0i, y ? null N(x)N(y)i
?
yx, i0, y?null
i i1 y y!next
40
Outline

• Decision Procedures
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns
• Logical Abstract Interpretation
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns
• Universally Quantified Formulas
• Hardness of Assertion Checking
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns

41
Universally Quantified Abstract Domain

• Abstract element is of the form E Æ Æi(8X Ai)Bi)
• where E, Ai, Bi are from some underlying base
  domain(s) D.
• The partial order ¹ is a refinement of the more
  natural implication relationship.
• E Æ Æi(8X Ai)Bi) ¹ E Æ Æj(8X Aj)Bj)
  iff
• E ) E
• 8j 9i s.t. EÆAj)Ai and EÆBi)Bj
• Another way to state the above thing would be to
  say that the partial order is still the
  implication relationship but transfer functions
  are incomplete.

42
Quantified Abstract Domain Join Algorithm

• Consider a simpler case first.
• Let (E Æ 8XA)B) Join(E1 Æ 8XA1)B1, E2
  Æ 8XA2)B2). Then,
• (E1 Æ 8XA1)B1) ¹ (E Æ 8XA)B)
• (E2 Æ 8XA2)B2) ¹ (E Æ 8XA)B)
• Or, equivalently,
• E1)E and E2)E. Thus, E Join(E1, E2).
• E1ÆA)A1 and E2ÆA)A2, i.e., A ) (E1)A1 Æ E2)A2).
  Thus, A bE1)A1 Æ E2)A2c.
• E1ÆB1 ) B and E2ÆB2 ) B. Thus, B Join(E1ÆB1,
  E2ÆB2).
• Join(E1 Æ Æi(8X A1i)B1i), E2Æ Æi(8X A2i)B2i))
• result JoinD(E1, E2)
• Forall i,j
• A bE1)A1i Æ E2)A2jc B
  JoinD(E1ÆB1i, E2ÆB2j)
• result result Æ 8XA)B
• return result

43
Quantified Abstract Domain Example of Join

• Let G1 (i0 Æ 8k k0 ) Fki)
• G2 (i1 Æ 8k 0k1 ) Fk0)
• Then Join(G1, G2) 0i1 Æ 8k A)B, where
• A b(i0)k0) Æ (i1)0k1)c 0ki
• B JoinD(i0 Æ Fki, i1 Æ Fk0) Fk0

44
Quantified Abstract Domain Eliminate

• Let (E Æ 8XA)B) Eliminate(E Æ 8XA)B, s).
  Then,
• (E Æ 8XA)B) ¹ (E Æ 8XA)B) among other
  things.
• For simplicity, assume that s doesnt affect
  terms in A,B involving X. Then,
• E)E and E doesnt contain any term affected by
  change to s.
• Thus, E EliminateD(E,s).
• EÆA)A and A doesnt contain any term affected by
  change to s.
• Thus, A b8sE)Ac.
• EÆB)B and B doesnt contain any term affected
  by change to s.
• Thus, B EliminateD(EÆB, s).

45
Quantified Abstract Domain Eliminate

• Eliminate(G, s)
• Let G be E Æ 8XA)B
• Psuedo-code can be easily extended for multiple 8
• T e e occurs in A or B Vars(e) Å X ?
• A A Æ Æe2T NotEffect(lts,Ggt, e)
• E EliminateD(E,s)
• B EliminateD(BÆE,s)
• A b8sE)Ac
• return (E Æ 8X A)B)
• NotEffect(lts,Ggt, e) denotes a constraint g s.t.
  GÆg implies that s does not affect e.

46
Quantified Abstract Domain Example of Eliminate

• Let G (F0gt10 Æ 8k 0kltF0 ) FkgtF0 )
• Then Eliminate(G, F0) true Æ 8k A)B, where
• T k, Fk
• NotEffect(ltF0,Ggt, Fk) k?0
• NotEffect(ltF0,Ggt, Fk) true
• A1 0kltF0 Æ k ? 0 Æ true 1kltF0
• A b8F0 F0gt10 ) 1kltF0c 1klt10
• B Eliminate(FkgtF0 Æ F0gt10, F0)
  Fklt10

47
Quantified Abstract Domain Example
true
F0 0 i 1
i1 Æ F00
i1 Æ 8kk0 ) Fk0
?
2in Æ 8k 0klti ) Fk0
i2 Æ F00 Æ F10
2i3 Æ 8k 0klti ) Fk0
i2 Æ 8k0k1 ) Fk0
i1 Æ F00
?
1i2 Æ 8k 0klti ) Fk0
1i3 Æ 8k 0klti ) Fk0
1i Æ 8k 0klti ) Fk0
1i Æ 8k 0klti ) Fk0
?
i lt n
False
in Æ 8k 0klti ) Fk0
True
i1 Æ F00
1i2 Æ 8k 0klti ) Fk0
1iltn Æ 8k 0klti ) Fk0
?
i 0
Fi 0 i
i0 Æ 8k 0kltn ) Fk0
48
References

• Uninterpreted Functions
• A polynomial time algorithm for global value
  numbering SAS 2004, S. Gulwani, G. Necula
• Join algorithms for the theory of uninterpreted
  fns FSTTCS 2004, S. Gulwani, A. Tiwari, G.
  Necula
• Combination of Linear Arithmetic and
  Uninterpreted Fns
• Combining Abstract Interpreters
• PLDI 2006, S. Gulwani, A. Tiwari
• Universally Quantified Abstract Domain
• Lifting Abstract Interpreters to Quantified
  Logical Domains POPL 2008, S. Gulwani, B.
  McCloskey, A. Tiwari

49
Outline

• Decision Procedures
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns
• Logical Abstract Interpretation
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns
• Universally Quantified Formulas
• Hardness of Assertion Checking
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns

50
Abstract Program Model / Problem Statement

• Linear Arithmetic
• e y c e1 e2 c e g
  e0
• Uninterpreted Functions
• e y F(e1,e2) g e1e2
• Combination
• e y c e1 e2 c e F(e1,e2) g
  e0

51
Outline

• Decision Procedures
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns
• Logical Abstract Interpretation
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns
• Universally Quantified Formulas
• Hardness of Assertion Checking
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns

52
Assertion Checking Linear Arithmetic

• Non-deterministic Conditionals
• Equality Assertions PTIME
• Perform abstract interpretation over linear
  equalities.
• Affine relationships among variables of a
  program, Karr 76
• Inequality assertions ?
• Deterministic Conditionals Undecidable
• Even with equality conditionals and equality
  assertions
• PCP Problem can be reduced to it.
• A Note on Karrs Algorithm, H. Seidl, M.
  Muller-Olm, ICALP 2004

53
Reducing PCP Problem to Assertion Checking

• The following problem (PCP Problem) is
  undecidable. Given pairs (u1,v1), , (um,vm),
  where ui, vi 2 0,1
• Decide 9 a non-empty sequence i1, , in such
  that
• ui1 uin vi1 vin
• Given a PCP instance, we will construct an
  assertion checking problem over linear arithmetic
  such that the assertion holds iff the solution to
  PCP instance is false.

54
Reducing PCP Problem to Assertion Checking
y 1 z 1
y 2um y ltumgt z 2vm z ltvmgt
y 2u1 y ltu1gt z 2v1 z ltv1gt

yz ?
False
True
d 1
d 0
Assert (d0)
55
Outline

• Decision Procedures
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns
• Logical Abstract Interpretation
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns
• Universally Quantified Formulas
• Hardness of Assertion Checking
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns

56
Assertion Checking Uninterpreted Functions

• Non-deterministic Conditionals PTIME
• Abstract interpretation over uninterpreted fns.
• Deterministic Conditionals Undecidable
• PCP Problem can be reduced to it.
• Checking Herbrand Equalities and Beyond, H.
  Seidl, M. Muller-Olm, VMCAI 2005

57
Reducing PCP Problem to Assertion Checking
y 1 z 1
y um(y) z vm(z)
y u1(y) z v1(z)
Think of ui, vi as sequences of applications of
unary fns, one corresponding to 0 and other
corresponding to 1.

yz ?
False
True
d 1
d 0
Assert (d0)
58
Outline

• Decision Procedures
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns
• Logical Abstract Interpretation
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns
• Universally Quantified Formulas
• Hardness of Assertion Checking
• Linear Arithmetic
• Uninterpreted Functions
• Combination of Linear Arithmetic and
  Uninterpreted Fns

59
Assertion Checking Combination of Linear
Arithmetic Uninterpreted Functions

• Deterministic Conditionals Undecidable
• No surprise since problem is undecidable for
  individual cases of linear arithmetic and
  uninterpreted fns.
• Non-deterministic Conditionals ? At least
  coNP-hard
• Even for equality conditionals.
• A surprising result since assertion checking for
  individual cases of linear arithmetic
  (equalities) and uninterpreted fns is PTIME, but
  not for combination.
• In contrast, decision procedures for linear
  arithmetic and uninterpreted fns can be combined
  in PTIME using Nelson-Oppen methodology.
• Assertion checking over combination of linear
  arithmetic and uninterpreted fns, S. Gulwani, A.
  Tiwari, ESOP 2006

60
Reducing Unsatisfiability to Assertion Checking

• ? boolean 3-SAT instance with m clauses
• IsUnsatisfiable(?)
• for j1 to m
• cj 0
• for i1 to k do
• if ()
• 8 j s.t. var i occurs positively in
  clause j, cj 1
• else
• 8 j s.t. var i occurs negatively in clause
  j, cj 1
• y c1 c2 cm
• Assert (y0 Ç y1 Ç ym-1)

61
Encoding disjunction

• The check y1 Ç y2 can be encoded by the
  assertion F(y) F(1)F(2)-F(3-y)).
• The above trick can be recursively applied to
  construct an assertion that encodes y0 Ç y1 Ç
  Ç ym-1
• Eg., y0 Ç y1 Ç y2 can be encoded by encoding
• F(y)F(0) Ç F(y)F(1)F(2)-F(3-y)

62
Conclusion

• We showed how logical reasoning traditionally
  used in theorem proving can be exploited in an
  abstract interpretation setting.
• We focused on conjunctive and universally
  quantified invariants over the domain of linear
  arithmetic and uninterpreted fns.
• There are several other interesting issues in
  program analysis that we did not address
• Destructive updates
• Points-to analysis, Shape analysis
• Path-sensitive analysis
• Disjunctive invariants
• Inter-procedural analysis
• Procedure summaries