Cover Algorithms and Their Combination
Sumit Gulwani, Madan Musuvathi
Microsoft Research, Redmond

Cover Definition
The cover operation simplifies a formula by discarding the facts that concern a given set of variables.
Given: a quantifier-free formula φ in a theory T, and a set of symbols V.
Cover_T(φ, V) is the most-precise quantifier-free formula implied by φ that does not involve V.
e.g. Cover(y = f(a+v) − f(b+v), {v}) is (a=b) ⇒ y=0

Cover vs. Quantifier Elimination
Quantifier Elimination: given a quantified formula, output a logically equivalent quantifier-free formula.
∃V. φ ≡ Cover_T(φ, V) if T admits quantifier elimination.
Some theories do not, e.g. the theory of uninterpreted functions. Example: f(y) = 0 with y eliminated; one cannot say "0 is in the range of f" without using quantifiers.
Cover(φ, V) is the most-precise quantifier-free approximation to ∃V. φ (an over-approximation: ∃V. φ ⇒ Cover_T(φ, V) always holds).

Applications
Strongest post-condition: useful for abstract interpretation on logical formulas; it is the existential quantification of dead variables.
SP(φ, x := e) = ∃x'. (φ[x'/x] ∧ x = e[x'/x])
Image computation: useful for reachability analysis in symbolic model checking; it is the existential quantification of old state variables.
R_{i+1}(S) = ∃S'. (R_i[S'/S] ∧ T(S', S)) ∨ R_i(S)

Applications
Procedure summaries: existential quantification of local variables; useful for interprocedural analysis.
Interpolants: suppose A ⇒ B. Then I is an Interpolant(A, B) if A ⇒ I ⇒ B and I only contains variables common to A and B.
Cover(A, V_A) is the most precise Interpolant(A, B), and ¬Cover(¬B, V_B) is the least precise Interpolant(A, B), where V_A are the variables of A that do not occur in B and V_B the variables of B that do not occur in A.

Outline
Symbolic model checking using Cover
Cover algorithm for uninterpreted functions
Cover algorithm for the combination of uninterpreted functions and linear arithmetic

Symbolic Model Checking Algorithm
I(S): initial states; E(S): error states; T(S', S): transition from old state S' to new state S; R(S): reachable states
R_0(S) = I(S)
R_{i+1}(S) = ∃S'. (R_i[S'/S] ∧ T(S', S)) ∨ R_i(S)
Error found if R_{n+1}(S) ∧ E(S) is satisfiable

Symbolic Model Checking Using Cover
I(S): initial states; E(S): error states; T(S', S): transition from old state S' to new state S; R(S): reachable states
R_0(S) = I(S)
R_{i+1}(S) = Cover(R_i[S'/S] ∧ T(S', S), S') ∨ R_i(S)
Concern: this algorithm might report false errors, since Cover over-approximates ∃S' and hence the set of reachable states.
Theorem: if the transition system is described using quantifier-free formulas, symbolic model checking using cover is sound and precise.
The reason: for a quantifier-free ψ that does not involve V, Cover(φ, V) ∧ ψ is satisfiable exactly when ∃V. φ ∧ ψ is. (If ∃V. φ ∧ ψ is unsatisfiable then φ ⇒ ¬ψ, and ¬ψ is a quantifier-free formula without V, so Cover(φ, V) ⇒ ¬ψ as well; the other direction holds because ∃V. φ ⇒ Cover(φ, V).) The error check R_{n+1}(S) ∧ E(S) is such a satisfiability query, and the same argument applied at every iteration carries it over to the R_i built with Cover, so the over-approximation neither misses errors nor invents them.

Cover Algorithm for Unary Uninterpreted Functions
Cover(φ, V) = Erase V from the congruence closure of φ
Example: let φ be x=f(v1) ∧ y=f(v2) ∧ v1=v2. Cover(φ, {v1, v2}) is x=y.
[Figure: the congruence graph of φ: v1 and v2 share a class, so their f-images, and with them x and y, share a class; erasing v1 and v2 leaves x=y]

Cover Algorithm for Binary Uninterpreted Functions
The erasure technique does not work. Let φ be x=f(a,v) ∧ y=f(b,v). Erasure(φ, {v}) is true, but Cover(φ, {v}) is a=b ⇒ x=y.
Cover(φ, V) is the conjunction, over all partitions E of the congruence classes of φ, of
E ⇒ Erasure(φ ∧ E, V)
where E is written as the conjunction of equalities between V-free terms that the partition induces (a=b in the example above), so that the result still does not mention V.

Example
[Figure: congruence graph of φ = x1=f(b1,v) ∧ x2=f(b2,v) ∧ y=f(f(a1,v), f(a2,v)), as read off the figure, with the single eliminated variable v shared by all four inner f-applications]
Cover(φ, {v}) includes one conjunct for each way of matching the a's with the b's:
a1 = b1 ∧ a2 = b1 ⇒ y = f(x1, x1)
a1 = b1 ∧ a2 = b2 ⇒ y = f(x1, x2)
a1 = b2 ∧ a2 = b1 ⇒ y = f(x2, x1)
a1 = b2 ∧ a2 = b2 ⇒ y = f(x2, x2)
Cover(φ, {v}) can be exponential in the size of φ
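The erasure algorithm for unary functions (slide 12) and the partition-based algorithm for functions of higher arity (slides 13 and 14), as an added Python example; this is illustrative code written for this page, not the authors' implementation, and every name in it is this example's own choice. A variable is a string, an application is a tuple ('f', arg1, ..., argn), and a formula is a list of equalities (s, t). Eliminating V means giving each congruence class a canonical V-free name and keeping only equalities between V-free renderings; for non-unary functions the code then case-splits over set partitions (Bell(n) of them, which is where the exponential blow-up comes from). Two simplifications relative to the slides' "partitions of congruence classes" are the example's own: the split ranges only over V-free classes that contain an argument of some application, since merging any other classes cannot trigger a new congruence, and a conjunct already implied by a partition with fewer merges is dropped.

```python
# Added example for this page, not the authors' code: Cover(phi, V) for the theory
# of uninterpreted functions, following the slides' recipe. Variables are strings,
# applications are tuples ('f', arg1, ..., argn), phi is a list of equalities (s, t).
from itertools import combinations

def subterms(t):
    """All subterms of t (a variable, or an application tuple)."""
    return {t} | set().union(*(subterms(a) for a in t[1:])) if isinstance(t, tuple) else {t}

def congruence_closure(eqs):
    """Map every subterm of eqs to the representative of its congruence class."""
    terms = set()
    for a, b in eqs:
        terms |= subterms(a) | subterms(b)
    parent = {t: t for t in terms}
    def find(t):
        while parent[t] != t:
            t = parent[t]
        return t
    for a, b in eqs:
        parent[find(a)] = find(b)
    apps, changed = [t for t in terms if isinstance(t, tuple)], True
    while changed:  # f(s1..sn) = f(t1..tn) whenever s1 = t1, ..., sn = tn
        changed = False
        for s, t in combinations(apps, 2):
            if (find(s) != find(t) and s[0] == t[0] and len(s) == len(t)
                    and all(find(x) == find(y) for x, y in zip(s[1:], t[1:]))):
                parent[find(s)] = find(t)
                changed = True
    return {t: find(t) for t in terms}

def render(t, rep, name, V):
    """t rewritten over class names; None if it needs a class with no V-free name."""
    if isinstance(t, str):
        return None if t in V else t
    args = [name.get(rep[a]) for a in t[1:]]
    return None if None in args else (t[0], *args)

def class_names(rep, V):
    """Smallest V-free name per class (a V-free variable, or an application of the
    names of its argument classes), iterated to a fixpoint."""
    classes, name, changed = {}, {}, True
    for t, r in rep.items():
        classes.setdefault(r, []).append(t)
    key = lambda t: (len(subterms(t)), str(t))
    while changed:
        changed = False
        for r, ts in classes.items():
            for t in ts:
                cand = render(t, rep, name, V)
                if cand is not None and (r not in name or key(cand) < key(name[r])):
                    name[r], changed = cand, True
    return classes, name

def erasure(eqs, V):
    """Erase V from the congruence closure: every V-free rendering of a term equals
    its class name. For unary functions this alone is the cover (slide 12)."""
    rep = congruence_closure(eqs)
    classes, name = class_names(rep, V)
    out = set()
    for r, ts in classes.items():
        for t in ts:
            cand = render(t, rep, name, V)
            if cand is not None and cand != name[r]:
                out.add((name[r], cand))
    return out

def implies(known, eq):
    rep = congruence_closure(list(known) + [(eq[0], eq[0]), (eq[1], eq[1])])
    return rep[eq[0]] == rep[eq[1]]

def partitions(items):  # all set partitions of items, Bell(n) of them
    if not items:
        yield []
        return
    for p in partitions(items[1:]):
        for i in range(len(p)):
            yield p[:i] + [[items[0]] + p[i]] + p[i + 1:]
        yield [[items[0]]] + p

def cover(phi, V):
    """Cover(phi, V) as a list of (E, (s, t)): the conjunction over all entries of
    E => s = t, an empty E meaning an unconditional equality (slides 13-14)."""
    rep = congruence_closure(phi)
    _, name = class_names(rep, V)
    # Case split over partitions of the V-free classes that hold an argument of
    # some application; merging any other classes cannot trigger a congruence.
    arg_classes = {rep[a] for t in rep if isinstance(t, tuple) for a in t[1:]}
    cands = sorted((name[c] for c in arg_classes if c in name), key=str)
    results = {}
    for p in partitions(cands):
        blocks = sorted((sorted(b, key=str) for b in p), key=str)
        E = frozenset((b[0], x) for b in blocks for x in b[1:])
        results[E] = erasure(phi + list(E), V)
    out = []
    for E in sorted(results, key=lambda e: (len(e), str(sorted(e, key=str)))):
        known = set(E)  # plus what every partition that E implies already yields
        for E2, c2 in results.items():
            if E2 != E and all(implies(set(E), e) for e in E2):
                known |= c2
        out += [(E, eq) for eq in sorted(results[E], key=str) if not implies(known, eq)]
    return out
```

Usage: cover([('x', ('f', 'a', 'v')), ('y', ('f', 'b', 'v'))], {'v'}) returns [(frozenset({('a', 'b')}), ('x', 'y'))], i.e. a=b ⇒ x=y, while erasure alone returns the empty set (true), which is the slide-13 failure of plain erasure. For the formula of this slide the result contains the four conjuncts listed above together with b1=b2 ⇒ x1=x2, which is equally part of the cover, and for f(y)=0 with V={y} it returns the empty list, i.e. true, as on slide 3. Because the case split runs over classes rather than variables, x=g(f(a),v) ∧ y=g(f(b),v) with V={v} yields the more precise f(a)=f(b) ⇒ x=y rather than a=b ⇒ x=y.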

Outline
Cover algorithm for linear arithmetic
Cover algorithm for uninterpreted functions
Cover algorithm for combination of theories

Combining Cover Algorithms: Idea 1
Cover_{T1 ∪ T2}(φ1 ∧ φ2, V):
Return Cover_T1(φ1, V) ∧ Cover_T2(φ2, V)
Fails on x=v1+1 ∧ y=v2+1 ∧ v1=f(z) ∧ v2=f(z) with V = {v1, v2}: the algorithm returns true, while the Cover is x=y.
Solution: share variable equalities (here v1=v2, which the uninterpreted-function part derives and the arithmetic part needs in order to conclude x=y).

Combining Cover Algorithms: Idea 2
Cover_{T1 ∪ T2}(φ1 ∧ φ2, V):
E ← Saturate(φ1, φ2), the variable equalities the two theories derive from each other, exchanged until nothing new arises
Return Cover_T1(φ1 ∧ E, V) ∧ Cover_T2(φ2 ∧ E, V)
Fails on v=x+1 ∧ y=f(v) with V = {v}: the algorithm returns true, while the Cover is y=f(x+1).
Solution: share equalities between variables and "simple" terms (here v = x+1, which the uninterpreted-function part needs in order to rewrite f(v)).

Combining Cover Algorithms: Idea 3
Cover_{T1 ∪ T2}(φ1 ∧ φ2, V):
E ← Saturate(φ1, φ2)
Return Cover_T1(φ1 ∧ E, V) ∧ Cover_T2(φ2 ∧ E, V)
Fails on x≤v ∧ v≤y ∧ v=f(z,v) with V = {v}: the algorithm returns x≤y, while the Cover is x≤y ∧ (x=y ⇒ x=f(z,x)).
Solution: share conditional equalities (here x=y ⇒ v=x, which the arithmetic part derives and the uninterpreted-function part turns into x=y ⇒ x=f(z,x)).

Example
Cover(y = f(a+v) − f(b+v), {v})
Purified into the two theories (v1 to v4 are fresh and eliminated along with v):
Linear arithmetic: v1 = a+v, v2 = b+v, y = v3 − v4
Uninterpreted functions: v3 = f(v1), v4 = f(v2)
Exchange of conditional equalities:
Linear arithmetic derives a=b ⇒ v1=v2
Uninterpreted functions derive a=b ⇒ v3=v4
Linear arithmetic derives a=b ⇒ y=0
Result: the arithmetic cover is a=b ⇒ y=0 and the uninterpreted-function cover is true, so Cover(y = f(a+v) − f(b+v), {v}) is (a=b) ⇒ y=0.

Conclusion
Cover is the most-precise quantifier-free approximation to quantifier elimination.
Cover algorithm for uninterpreted functions.
Cover algorithm for combination of theories: exchange equalities between variables and good terms, and exchange conditional equalities.