Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions - PowerPoint PPT Presentation

1
Path-Sensitive Analysis for Linear Arithmetic
and Uninterpreted Functions
  • SAS 2004
  • Sumit Gulwani, George Necula
  • EECS Department
  • University of California, Berkeley

2
Example
All 3 asserts are true
[Flowchart of the example program:]
  if (a = 2) { x := 2; y := a } else { x := a; y := 2 }
  if (a = 2) { u := 1; v := 1+a } else { u := a-1; v := 3 }
  t1 := x-u; t2 := v-y
  Assert(t1 = t2 ∧ t1 = 1 ∧ y = 2)
3
Path-Insensitive Analysis
  • Most PTIME analyses treat conditionals as
    non-deterministic.
  • They will verify only t1 = t2

[Flowchart: the same program, with both conditionals treated as non-deterministic choices;
 t1 := x-u; t2 := v-y; Assert(t1 = t2 ∧ t1 = 1 ∧ y = 2)]
4
Path-Sensitive Analysis
  • We can do better by modeling conditionals as
    boolean formulas.
  • Each atomic predicate is abstracted to a boolean
    variable
  • They will also verify t1 = 1
  • This is still abstract though!
  • y = 2 not verified
  • undecidable to reason completely

[Flowchart: the same program, with both conditionals abstracted to the boolean variable c1;
 t1 := x-u; t2 := v-y; Assert(t1 = t2 ∧ t1 = 1 ∧ y = 2)]
5
Multi-Valued ROBDDs (MVRs)
[Diagrams: MVR(t1), MVR(x) and MVR(u), drawn as decision diagrams over c1 and c2 with the
 arithmetic leaves 1, a, 0, a-1 and -a+3]
  • MVR(t1) does not share nodes with MVR(x) and
    MVR(u)
  • Need a normal form for leaves

[Program: as on the previous slides, with the first conditional abstracted to c1 and the
 second to c2; t1 := x-u; t2 := v-y; Assert(t1 = t2); Assert(t1 = 1)]
6
Free Conditional Expression Diagrams (FCEDs)
[Diagrams: FCED(t1), FCED(x) and FCED(u); FCED(t1) is a minus node over FCED(x) and FCED(u),
 which are diagrams over c1 and c2 with the leaves 1, a, 0 and a-1]
  • FCED(t1) shares nodes with FCED(x) and FCED(u)
  • No need for normal form

[Program: as on the previous slides, with the first conditional abstracted to c1 and the
 second to c2; t1 := x-u; t2 := v-y; Assert(t1 = t2); Assert(t1 = 1)]
7
  • FCEDs for Linear Arithmetic

8
FCED Construction

Formalization
[Diagram: an FCED over c1 and c2 with the leaves 1, a, 0 and a-1]
  • FCED(x) = Leaf(x)
  • FCED(n) = Leaf(n)
  • FCED(e1 + e2) = Plus(FCED(e1), FCED(e2))
  • FCED(if b then e1 else e2)
    = Choose(⟨R(b), FCED(e1)⟩, ⟨NOT R(b), FCED(e2)⟩)

9
Normalize Guard Operator
  • ⟨g, f⟩ = Guard(g, f), if BV(g) < BV(f)
  • ⟨g, Plus(f1, f2)⟩ = Plus(⟨g, f1⟩, ⟨g, f2⟩)
  • ⟨g, Choose(f1, f2)⟩ = Choose(⟨g, f1⟩, ⟨g, f2⟩)
  • ⟨g1, Guard(g2, f)⟩ = Guard(INTERSECT(g1, g2), f)
10
Example Normalize Guard Operator
Given f, construct ⟨R(c1), f⟩
[Diagram: f is a Plus of two Choose nodes whose Guard children carry R(c1) and R(c2) over the
 leaves z, 6, 3 and 2; in the result the guards are pushed down to the leaves and appear as
 R(c1) and R(c1∧c1)]
11
Randomized Equivalence Testing for FCEDs
  • Assign hash values to nodes of FCEDs in bottom-up
    manner
  • V: FCED Node → Integer
  • V(Leaf(n)) = n
  • V(Leaf(x)) = r_x
  • V(Plus(f1,f2)) = V(f1) + V(f2)
  • V(Choose(f1,f2)) = V(f1) + V(f2)
  • V(Guard(g,f)) = H(g) * V(f)
  • H: Guard → Integer
  • H(true) = 1, H(false) = 0
  • H(c) = r_c
  • H(If(c,g1,g2)) = r_c * H(g1) + (1 - r_c) * H(g2)

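As an added worked example (my code, not the slides' or the authors' implementation), the hash rules above applied to the slide-4 program with both conditionals abstracted to c1; FCED nodes are encoded as tuples, and since the slides show only a Plus constructor, the checks t1 = t2 and t1 = 1 are rewritten as x + y = v + u and x = u + 1. The helper names `cond`, `check_asserts` and the tuple encoding are my own.

```python
import random

# FCED nodes as tuples: ('leaf', n), ('var', x), ('plus', f1, f2),
# ('choose', f1, f2), ('guard', g, f).  Guards: True, False, a predicate
# name c, or ('if', c, g1, g2); NOT R(c) is encoded as ('if', c, False, True).

def H(g, r):
    """H(true)=1, H(false)=0, H(c)=r_c, H(If(c,g1,g2)) = r_c*H(g1) + (1-r_c)*H(g2)."""
    if g is True:
        return 1
    if g is False:
        return 0
    if isinstance(g, str):
        return r[g]
    _, c, g1, g2 = g
    return r[c] * H(g1, r) + (1 - r[c]) * H(g2, r)

def V(f, r):
    """Bottom-up hash of an FCED; r maps each variable and predicate to a random integer."""
    kind = f[0]
    if kind == "leaf":
        return f[1]
    if kind == "var":
        return r[f[1]]
    if kind in ("plus", "choose"):
        return V(f[1], r) + V(f[2], r)
    return H(f[1], r) * V(f[2], r)  # guard node: H(g) * V(f)

def cond(c, e1, e2):
    """FCED(if c then e1 else e2) = Choose(Guard(R(c), e1), Guard(NOT R(c), e2)); no nested guards here."""
    return ("choose", ("guard", c, e1), ("guard", ("if", c, False, True), e2))

# Slide-4 program with both conditionals abstracted to the same boolean c1.
FCED_X = cond("c1", ("leaf", 2), ("var", "a"))                          # x := 2 | x := a
FCED_Y = cond("c1", ("var", "a"), ("leaf", 2))                          # y := a | y := 2
FCED_U = cond("c1", ("leaf", 1), ("plus", ("var", "a"), ("leaf", -1)))  # u := 1 | u := a-1
FCED_V = cond("c1", ("plus", ("leaf", 1), ("var", "a")), ("leaf", 3))   # v := 1+a | v := 3

def check_asserts(r):
    """Using Plus only: t1=t2 <=> x+y = v+u;  t1=1 <=> x = u+1;  y=2 <=> y = Leaf(2)."""
    t1_eq_t2 = V(("plus", FCED_X, FCED_Y), r) == V(("plus", FCED_V, FCED_U), r)
    t1_eq_1 = V(FCED_X, r) == V(("plus", FCED_U, ("leaf", 1)), r)
    y_eq_2 = V(FCED_Y, r) == V(("leaf", 2), r)
    return t1_eq_t2, t1_eq_1, y_eq_2

if __name__ == "__main__":
    T = 2 ** 31  # random values come from a set of size t; a false "equal" has probability <= s/t
    r = {name: random.randrange(1, T) for name in ("a", "c1")}
    print(check_asserts(r))  # (True, True, False): y=2 needs the real predicate a=2, not c1
```

The first two hashes agree for every choice of r_a and r_c1 because both sides reduce to the same polynomial, while V(y) = r_c1*r_a + 2*(1 - r_c1) only collides with 2 for a vanishing fraction of draws, matching the "y = 2 not verified" bullet.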
12
Randomized Equivalence Testing for FCEDs
  • Completeness
  • f1 ≡ f2 ⇒ V(f1) = V(f2)
  • Soundness
  • f1 ≢ f2 ⇒ Pr[V(f1) = V(f2)] ≤ s/t
  • s: maximum number of nodes in an FCED
  • t: size of the set from which random values are
    chosen
  • Proof: ∃ a 1-1 map Poly: FCED → Polynomials such that
    V(f) is the value of Poly(f)

13
  • FCEDs for Uninterpreted Functions

14
FCED Construction
  • FCED(x) = Leaf(x)
  • FCED(F(e1,e2)) = F(FCED(e1), FCED(e2))
  • FCED(if b then e1 else e2)
    = Choose(⟨R(b), FCED(e1)⟩, ⟨NOT R(b), FCED(e2)⟩)

15
Randomized Equivalence Testing of FCEDs
  • Assign hash values to nodes of FCEDs in bottom-up
    manner
  • V: FCED Node → Tuple of k integers
  • k ≥ depth of any FCED
  • V(x) = (r_x, …, r_x)
  • V(Choose(f1,f2)) = V(f1) + V(f2)
  • V(Guard(g,f)) = H(g) * V(f)
  • V(F(f1,f2)) = V(f1) M + V(f2) N
  • M, N: random k × k matrices

16
Randomized Equivalence Testing for FCEDs
  • Completeness
  • f1 ≡ f2 ⇒ V(f1) = V(f2)
  • Soundness
  • f1 ≢ f2 ⇒ Pr[V(f1) = V(f2)] is bounded in terms of s and t
  • s: maximum number of nodes in an FCED
  • t: size of the set from which random values are
    chosen
  • Proof: more involved

17
Conclusion and Future Work
  • Randomization can help achieve simplicity and
    efficiency at the expense of making soundness
    probabilistic
  • Other interesting possible extensions
  • Combination of uninterpreted functions with
    arithmetic
  • Partially interpreted functions like associative
    functions
  • Memory
  • Inequalities