Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions - PowerPoint PPT Presentation
1 / 25
Title:
Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions
Description:
Guard(g,f) means if g then f. Boolean expressions g are represented using ROBDDs ... Choose(Guard(R(b),e1), Guard(R(NOT(b)),e2) 13. FCED Construction. FCED(y) ... – PowerPoint PPT presentation
Number of Views:15
Avg rating:3.0/5.0
Title: Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions
1
Path-Sensitive Analysis for Linear Arithmetic
and Uninterpreted Functions
- SAS 2004
- Sumit Gulwani George Necula
- EECS Department
- University of California, Berkeley
2
Example
All 3 asserts are true
False
True
a2?
y a z 2
y 2 z a
True
False
a2?
u 1 v 1a
u a-1 v 3
t1 y-u t2 v-z
Assert(t1t2 Æ t11 Æ z2)
3
Path-Insensitive Analysis
- Most PTIME analyses treat conditionals as
non-deterministic. - They will verify only t1t2
False
True
y a z 2
y 2 z a
True
False
u 1 v 1a
u a-1 v 3
t1 y-u t2 v-z
Assert(t1t2 Æ t11 Æ z2)
4
Path-Sensitive Analysis
- We can do better by doing a boolean abstraction
of conditionals. - Each atomic predicate is abstracted to a boolean
variable - This will also verify t11
- This is still abstract though!
- z2 not verified
- undecidable to reason completely
False
True
c1
y a z 2
y 2 z a
True
False
c1
u 1 v 1a
u a-1 v 3
t1 y-u t2 v-z
Assert(t1t2 Æ t11 Æ z2)
5
Outline
- Existing approach (MVR) vs. our approach (FCED)
- FCEDs for linear arithmetic
- FCEDs for uninterpreted function terms
6
Multi-Valued ROBDDs (MVRs)
True
False
c1
y a z 2
y 2 z a
True
False
c2
- MVR(t1) MVR(y) MVR(u)
- MVR(t1) does not share nodes with MVR(y) and
MVR(u) - Need a normal form for leaves
u 1 v 1a
u a-1 v 3
t1 y-u t2 v-z
Assert(t1t2) Assert(t11)
7
Free Conditional Expression Diagrams (FCEDs)
-
t1
True
False
c1
c1
y
c2
u
y a z 2
y 2 z a
2
a
1
a-1
True
False
c2
- FCED(t1) FCED(y) FCED(u)
- FCED(t1) shares nodes with FCED(y) and FCED(u)
- No need for normal form
u 1 v 1a
u a-1 v 3
t1 y-u t2 v-z
Assert(t1t2) Assert(t11)
8
Outline
- Existing approach (MVR) vs. our approach (FCEDs)
- FCEDs for linear arithmetic
- FCEDs for uninterpreted function terms
9
Problem Definition
- e q y e1 e2 q e if b then e1 else
e2 - b c b1 Æ b2 b1 Ç b2
- e conditional linear arithmetic expression
- b boolean formula
- y rational variable
- c boolean variable
- q rational constant
- Construct FCED for an expression e, given FCEDs
for its subexpressions. - Check 2 FCEDs for equivalence
10
FCED
- An FCED f is a DAG with the following kind of
nodes. - f y q Plus(f1,f2) Minus(f1,f2)
Times(q,f) Choose(f1,f2) Guard(g,f) - Choose(f1,f2) means f1 or f2
- Guard(g,f) means if g then f
- Boolean expressions g are represented using
ROBDDs - g true false c If(c,g1,g2)
11
Example
Formalization
12
Example
Formalization
13
FCED Construction
- FCED(y) Leaf(y)
- FCED(q) Leaf(q)
- FCED(e1e2) Plus (FCED(e1), FCED(e2))
- FCED(q e) Times(q,FCED(e))
- FCED(if b then e1 else e2)
- Choose(Guard(R(b),e1), Guard(R(NOT(b)),e2)
14
FCED Construction
- FCED(y) Leaf(y)
- FCED(q) Leaf(q)
- FCED(e1e2) Plus (FCED(e1), FCED(e2))
- FCED(q e) Times(q,FCED(e))
- FCED(if b then e1 else e2)
- Choose(R(b),FCED(e1), NOT R(b),
FCED(e2))
15
Normalize Guard Operator
- Inputs guard g, FCED f
- Output FCED f s.t.
- f f
- 8 guard nodes Guard(g,f) in f, BV(g) lt
BV(f) - g,f Guard(g,f), if BV(g) lt BV(f)
- g, Plus(f1,f2) Plus(g,f1, g, f2)
- g, Choose(f1,f2) Choose(g,f1, g, f2)
- g1, Guard(g2,f ) Guard(
INTERSECT(g1,g2),f )
16
Example Normalize Guard Operator
Given f, construct R(c1),f
plus
choose
17
Randomized Equivalence Testing for FCEDs
- Assign hash values to nodes of FCEDs in bottom-up
manner - V FCED Node ! Integer
- V(Leaf(q)) q
- V(Leaf(y)) ry
- V(Plus(f1,f2)) V(f1) V(f2)
- V(Choose(f1,f2)) V(f1) V(f2)
- V(Guard(g,f)) H(g) V(f)
- H Guard ! Integer
- H(true) 1, H(false) 0
- H(c) rc
- H(If(c,g1,g2)) rc H(g1) (1-rc) H(g2)
18
Randomized Equivalence Testing for FCEDs
- Completeness
- f1 f2 ) V(f1) V(f2)
- Soundness
- f1 f2 ) PrV(f1) V(f2) s/t
- s maximum of nodes in a FCED
- t size of set from which random values are
chosen - Proof 9 1-1 Poly FCED ! Polynomials such that
V(f) is the value of Poly(f)
19
Outline
- Existing approach (MVR) vs. our approach (FCEDs)
- FCEDs for linear arithmetic
- FCEDs for uninterpreted function terms
20
Problem Definition
- e y F(e1,e2) if b then e1 else e2
- b c b1 Æ b2 b1 Ç b2
- e conditional uninterpreted function term
- b boolean formula
- y variable
- c boolean variable
- Construct FCED for an expression e, given FCEDs
for its subexpressions. - Check 2 FCEDs for equivalence
21
FCED
- An FCED f is a DAG with the following kind of
nodes. - f y F(f1,f2) Choose(f1,f2) Guard(g,f)
- Choose(f1,f2) means f1 or f2
- Guard(g,f) means if g then f
- Boolean expressions g are represented using
ROBDDs - g true false c If(c,g1,g2)
22
FCED Construction
- FCED(y) Leaf(y)
- FCED(F(e1,e2)) F(FCED(e1), FCED(e2))
- FCED(if b then e1 else e2) Choose(R(b),FCED(e1
), NOT R(b), FCED(e2))
23
Randomized Equivalence Testing of FCEDs
- Assign hash values to nodes of FCEDs in bottom-up
manner - V FCED Node ! Tuple of k integers
- K depth of any FCED
- V(y) ry,ry
- V(Choose(f1,f2)) V(f1) V(f2)
- V(Guard(g,f)) H(g) V(f)
- V(F(f1,f2)) V(f1) M V(f2) N
- M, N random k k matrices
24
Randomized Equivalence Testing for FCEDs
- Completeness
- f1 f2 ) V(f1) V(f2)
- Soundness
- f1 f2 ) PrV(f1) V(f2)
- s maximum of nodes in a FCED
- t size of set from which random values are
chosen - Proof more involved
25
Conclusion and Future Work
- Randomization can help achieve simplicity and
efficiency at the expense of making soundness
probabilistic. - Integrate randomized techniques with symbolic
algorithms - Few interesting possible extensions
- Combination of uninterpreted functions with
arithmetic - Partially interpreted functions like commutative
and/or associative functions - Model memory
Recommended
CrystalGraphics Presentations
