190 likes | 302 Views
Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions. Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI. Precision of combined abstraction. a 1 := 0; a 2 := 0; b 1 := 1; b 2 := F(1); c 1 := 2; c 2 := 2;.
E N D
Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI
Precision of combined abstraction a1 := 0; a2 := 0; b1 := 1; b2 := F(1); c1 := 2; c2 := 2; a1 := a1+1; a2 := a2+2; b1 := F(b1); b2 := F(b2); c1 := F(2c1-c2); c2 := F(c2); True * False • Analysis over abstractions of linear arithmetic & uninterpreted functions can verify first and second assertions resp. • Third assertion can be verified only over the combined abstraction. Assert(a2=2a1); Assert(b2 = F(b1)); Assert(c2=c1); /17
Assert(e1=e2) y := ? * y := e False True Assertion Non-deterministic Assignment Non-deterministic Conditional Assignment Abstract Program Model / Problem Statement Linear Arithmetic e = y | c | e1§ e2 | c e Uninterpreted Functions e = y | F(e1,e2) Combination e = y | c | e1§ e2 | c e | F(e1,e2) /17
Earlier Results coNP-hard! This paper /17
Outline • Connection between assertion checking and unification • coNP-hardness • Algorithm • Remarks /17
Unification Terminology • A substitution is a (acyclic) mapping of some variables to expressions. • A substitution 1 is more general than2 if there exists such that 1 = (2). • A substitution is a unifier for an equality e1=e2 if e1[y/(y)] = e2[y/(y)]. Example Consider the equality F(y) = F(a) + F(b) – F(a+b-y). { y à a } is a unifier for it and so is { y à 1, a à 1 }. The former unifier is more general than the latter. /17
i=1 Let Unif(e1=e2) = ÇÆ y = i(y) y k Unification Terminology Continued … • A set of unifiers {1,…,k} for e1=e2 is complete if for all unifiers of e1=e2, 9 i s.t. i is more general than . Example Consider the equality F(y) = F(a) + F(b) – F(a+b-y). { {y à a}, {y à b} } is a complete set of unifiers for it. Hence, Unif(F(y) = F(a)+F(b)-F(a+b-y)) = (y=a Ç y=b). /17
Connection between Assertion Checking & Unification An assertion e1 = e2 holds at a program point iff the assertion Unif(e1=e2) holds at . Example To prove, F(y) = F(a) + F(b) – F(a+b-y), you need to prove that y=a Ç y=b is true. /17
Outline • Connection between assertion checking and unification • coNP-hardness • Algorithm • Remarks /17
Reducing Unsatisfiability to Assertion Checking : boolean 3-SAT instance with m clauses IsUnsatisfiable() { for j=1 to m cj := 0; for i=1 to k do if (*) 8 j s.t. var i occurs positively in clause j, cj := 1; else 8 j s.t. var i occurs negatively in clause j, cj := 1; y = c1 + c2 + … + cm; Assert (y=0 Ç y=1 … Ç y=m-1); } /17
Encoding disjunction • The check y=1Çy=2 can be encoded by the assertion F(y) = F(1)+F(2)-F(3-y)). • The above trick can be recursively applied to construct an assertion that encodes y=0 Ç y=1 Ç … Ç y=m-1 • Eg., y=0 Ç y=1 Ç y=2 can be encoded by encoding F(y)=F(0)ÇF(y)=F(1)+F(2)-F(3-y) /17
Outline • Connection between assertion checking and unification • coNP-hardnes • Algorithm • Remarks /17
Assertion Checking Algorithm • Backward Analysis • Perform weakest precondition computation. • At each step replace the formula by Unif(), which is a stronger and simpler formula. • Termination (reach fixpoint across loops)? • Yes, because of unifier computations. • This result is interesting because forward analysis (which attempts to infer invariants) does not terminate, as lattice has infinite height. /17
Proof of Termination • At each program point, the proof obligation has the form: i=1 ÇÆ y = i(y) y k • In each successive loop iteration, above formula becomes stronger. We prove this cannot happen indefinitely: • Assign the following measure to the above formula { # of conjuncts representing unifier i | i=1 to k } • Show this measure decreases in some well-founded ordering. /17
Outline • Connection between assertion checking and unification • coNP-hardnes • Algorithm • Remarks /17
Further Connections between Assertion Checking & Unification Can we explain the complexity results more naturally? Answer Complexity of assertion checking appears to depend on the cardinality of complete set of unifiers for equalities in the corresponding abstraction. /17
Related work on combining abstract interpreters Is there an efficient analysis to reason about most assertions? Answer (PLDI 06): Given abstract interpreters for • Lattice L1 (eg, linear equalities, Gulwani-Necula POPL 03) • Lattice L2 (eg, uninterpreted funs, Gulwani-Necula POPL 04) Can obtain abstract interpreter for logical product of L1 & L2. Cons: • Cannot reason about all assertions. Pros: • Polynomial time. • Can reason about conditionals. /17
Conclusion • Assertion checking for combination of linear arithmetic and uninterpreted functions is: • coNP-hard. • but decidable. • We prove these (surprising!) results by establishing connections between assertion checking & unification. • These results motivate logical product combination of lattices, which entail slightly imprecise, but efficient & automated reasoning (PLDI 06). /17