200 likes | 415 Views
Cover Algorithms and Their Combination. Sumit Gulwani, Madan Musuvathi Microsoft Research, Redmond. Cover Definition. Cover operation is useful for simplifying a formula by discarding facts related to a set of variables Given A quantifier-free formula in theory T A set of symbols V
E N D
Cover Algorithms and Their Combination Sumit Gulwani, Madan Musuvathi Microsoft Research, Redmond
Cover Definition • Cover operation is useful for simplifying a formula by discarding facts related to a set of variables • Given • A quantifier-free formula in theory T • A set of symbols V • Cover(, V) is • The most-precise quantifier-free formula implied by that does not involve V • e.g. Cover(y=f(a+v)–f(b+v), {v}) : (a=b) ) y=0
Cover vs. Quantifier Elimination • Quantifier Elimination: Given a quantified formula, output a logically equivalent quantifier-free formula • 9V ´CoverT(,V) if T admits quantifier elimination • Some theories do not: theory of uninterpreted functions • Example: f(y) = 0 • Cannot say “0 is in the domain of y” without using quantifiers • Cover(,V) is the most-precise quantifier-free approximation to 9V
Applications • Strongest post-condition • Useful for abstract interpretation on logical formulas • Existential quantification of dead variables • SP(, x := e) = 9 x’ ([x’/x] Æ x = e[x’/x]) • Image computation • Useful for reachability analysis in symbolic model checking • Existential quantification of old state variables • Ri+1(S) = 9S’(Ri[S’/S] Æ T(S’,S)) Ç Ri(S)
Applications • Procedure summaries • Existential quantification of local variables • Useful for interprocedural analysis • Interpolants • Suppose A ) B. Then I is the Interpolant(A,B) if • A ) I ) B • I only contains variables common to A and B • Cover(A, VA) is most precise Interpolant(A,B) • :Cover(:B, VB) is least precise Interpolant(A,B)
Outline • Symbolic model checking using Cover • Cover algorithm for uninterpreted functions • Cover algorithm for the combination of uninterpreted functions and linear arithmetic
Symbolic Model Checking Algorithm • I(S) : initial states, E(S) : error states • T(S’,S) : transition from old state S’ to new state S • R(S): reachable states • R0(S) = I(S) • Ri+1(S) = 9S’(Ri[S’/S] Æ T(S’,S)) ÇRi(S) • Error found if Rn+1(S) Æ E(S) is satisfiable
Symbolic Model Checking Using Cover • I(S) : initial states, E(S) : error states • T(S’,S) : transition from old state S’ to new state S • R(S): reachable states • R0(S) = I(S) • Ri+1(S) = Cover(Ri[S’/S] Æ T(S’,S), S’) ÇRi(S)
Symbolic Model Checking Using Cover • I(S) : initial states, E(S) : error states • T(S’,S) : transition from old state S’ to new state S • R(S): reachable states • R0(S) = I(S) • Ri+1(S) = Cover(Ri[S’/S] Æ T(S’,S), S’) ÇRi(S) • This algorithm can find false errors • As Cover over-approximates the set of reachable states
Symbolic Model Checking Using Cover • I(S) : initial states, E(S) : error states • T(S’,S) : transition from old state S’ to new state S • R(S): reachable states • R0(S) = I(S) • Ri+1(S) = Cover(Ri[S’/S] Æ T(S’,S), S’) ÇRi(S) • Theorem: If the transition system is described using quantifier-free formulas, symbolic model checking using cover is sound and precise
Outline • Symbolic model checking using Cover • Cover algorithm for uninterpreted functions • Cover algorithm for the combination of uninterpreted functions and linear arithmetic
Cover Algorithm for Unary Uninterpreted Functions • Cover(, V) = Erase V from congruence closure of • Example: Let be x=f(v1) Æ y=f(v2) Æ v1 = v2 Cover(, {v1,v2}) is x=y f x f y v2 v1
Cover Algorithm for Binary Uninterpreted Functions • The erasure technique does not work • Let be x=f(a,v) Æ y=f(b,v) • Erasure(, {v}) is true • Cover(, {v}) is a=b ) x=y • Cover(, V) is: For all partitions E of congruence classes in E ) Erasure(Æ E, V)
a1 = b1Æ a2 = b1 ) y f a1 = b1Æ a2 = b2 ) y f x1 x1 y f x1 x2 y a1 = b2Æ a2 = b1 ) f f f x1 f x2 x1 a2 v a1 v y b1 a1 = b2Æ a2 = b2 ) f v x2 x2 x2 f b2 v Example Cover(, {v}) can be exponential in Cover(,{v})
Outline • Cover algorithm for linear arithmetic • Cover algorithm for uninterpreted functions • Cover algorithm for combination of theories
Combining Cover Algorithms: Idea 1 CoverT1[ T2(1Æ2, V): Return CoverT1(1,V) Æ CoverT2(2,V) Fails on x=v1+1 Æ y=v2+1Æv1=f(z) Æ v2=f(z) Algorithm returns true Cover is x=y Solution: Share variable equalities
Combining Cover Algorithms: Idea 2 CoverT1[ T2(1Æ2, V): E Ã Saturate(1,2) Return CoverT1(1ÆE,V) Æ CoverT2(2ÆE,V) Fails on v=x+1Æy=f(v) Algorithm returns true Cover is y=f(x+1) Solution: Share equalities between variables and “simple”terms
Combining Cover Algorithms: Idea 3 CoverT1[ T2(1Æ2, V): E Ã Saturate(1,2) Return CoverT1(1ÆE,V) Æ CoverT2(2ÆE,V) Fails on x·v Æ v·yÆv=f(z,v) Algorithm returns x·y Cover is x·y Æ (x=y ) x=f(z,x)) Solution: Share conditional equalities
Example Cover(y=f(a+v)–f(b+v), {v}) a=b ) v1=v2 v3 = f(v1) v4 = f(v2) v1 = a+v v2 = b+v y = v3-v4 a=b ) v3=v4 true a=b ) y=0
Conclusion • Cover is the most-precise quantifier-free approximation to quantifier elimination • Cover algorithm for uninterpreted functions • Cover algorithm for combination of theories • Exchange equalities between variables and good terms • Exchange conditional equalities