Assertion Checking over Combined
Abstraction of Linear Arithmetic and
Uninterpreted Functions
Sumit Gulwani
Microsoft Research, Redmond
Ashish Tiwari
SRI
Precision of combined abstraction
a1 := 0; a2 := 0;
b1 := 1; b2 := F(1);
c1 := 2; c2 := 2;
*
True
False
Assert(a2=2a1);
Assert(b2 = F(b1));
Assert(c2=c1);
a1 := a1+1; a2 := a2+2;
b1 := F(b1); b2 := F(b2);
c1 := F(2c1-c2); c2 := F(c2);
•Analysis over abstractions of linear
arithmetic & uninterpreted functions can
verify first and second assertions resp.
•Third assertion can be verified only over
the combined abstraction.
1 /17
Abstract Program Model / Problem Statement
y := e
Assignment
y := ?
Non-deterministic
Assignment
True
*
False
Non-deterministic
Conditional
Assert(e1=e2)
Assertion
Linear Arithmetic
e = y | c | e1 § e2 | c e
Uninterpreted Functions
e = y | F(e1,e2)
Combination
e = y | c | e1 § e2 | c e | F(e1,e2)
2 /17
Earlier Results
Abstraction
Linear
Arithmetic
Assertion Checking
Complexity
O(n2)
Gulwani-Necula
(POPL ‘03)
Decision Procedure
Complexity
O(n3)
Gaussian Elimination
Uninterpreted O(n4)
Functions
Gulwani-Necula
(POPL ’04)
O(n log n)
Congruence Closure
Combination
O(n4)
Nelson-Oppen Comb
coNP-hard!
This paper
3 /17
Outline
Connection between assertion checking and unification
•
coNP-hardness
•
Algorithm
•
Remarks
4 /17
Unification Terminology
• A substitution  is a (acyclic) mapping of some
variables to expressions.
• A substitution 1 is more general than 2 if there
exists  such that 1 = (2).
• A substitution  is a unifier for an equality e1=e2 if
e1[y/(y)] = e2[y/(y)].
Example
Consider the equality F(y) = F(a) + F(b) – F(a+b-y).
{ y à a } is a unifier for it and so is { y à 1, a à 1 }. The
former unifier is more general than the latter.
5 /17
Unification Terminology Continued …
• A set of unifiers {1,…,k} for e1=e2 is complete if for all
unifiers  of e1=e2, 9 i s.t. i is more general than .
i=1
Let Unif(e1=e2) =
Çk Æy y =  (y)
i
Example
Consider the equality F(y) = F(a) + F(b) – F(a+b-y).
{ {y à a}, {y à b} } is a complete set of unifiers for it.
Hence, Unif(F(y) = F(a)+F(b)-F(a+b-y)) = (y=a Ç y=b).
6 /17
Connection between Assertion Checking & Unification
An assertion e1 = e2 holds at a program point  iff
the assertion Unif(e1=e2) holds at .
Example
To prove, F(y) = F(a) + F(b) – F(a+b-y), you need to prove
that y=a Ç y=b is true.
7 /17
Outline
•
Connection between assertion checking and unification
coNP-hardness
•
Algorithm
•
Remarks
8 /17
Reducing Unsatisfiability to Assertion Checking
: boolean 3-SAT instance with m clauses
IsUnsatisfiable() {
for j=1 to m
cj := 0;
for i=1 to k do
if (*)
8 j s.t. var i occurs positively in clause j, cj := 1;
else
8 j s.t. var i occurs negatively in clause j, cj := 1;
y = c1 + c2 + … + cm;
Assert (y=0 Ç y=1 … Ç y=m-1);
}
9 /17
Encoding disjunction
• The check y=1 Ç y=2 can be encoded by the assertion
F(y) = F(1)+F(2)-F(3-y)).
• The above trick can be recursively applied to construct
an assertion that encodes y=0 Ç y=1 Ç … Ç y=m-1
– Eg., y=0 Ç y=1 Ç y=2 can be encoded by encoding
F(y)=F(0) Ç F(y)=F(1)+F(2)-F(3-y)
10 /17
Outline
•
Connection between assertion checking and unification
•
coNP-hardnes
Algorithm
•
Remarks
11 /17
Assertion Checking Algorithm
• Backward Analysis
– Perform weakest precondition computation.
– At each step replace the formula  by Unif(),
which is a stronger and simpler formula.
• Termination (reach fixpoint across loops)?
– Yes, because of unifier computations.
– This result is interesting because forward analysis
(which attempts to infer invariants) does not
terminate, as lattice has infinite height.
12 /17
Proof of Termination
• At each program point, the proof obligation has the form:
i=1
Çk Æy y =  (y)
i
• In each successive loop iteration, above formula becomes
stronger. We prove this cannot happen indefinitely:
– Assign the following measure to the above formula
{ # of conjuncts representing unifier i | i=1 to k }
– Show this measure decreases in some well-founded ordering.
13 /17
Outline
•
Connection between assertion checking and unification
•
coNP-hardnes
•
Algorithm
Remarks
14 /17
Further Connections between Assertion Checking & Unification
Can we explain the complexity results more naturally?
Answer
Complexity of assertion checking appears to depend on
the cardinality of complete set of unifiers for
equalities in the corresponding abstraction.
Abstraction
Linear
Arithmetic
Uninterpreted
Functions
Combination
Cardinality
Unitary
Complexity
PTime
Unitary
PTime
Finitary
coNP-hard,
but decidable
15 /17
Related work on combining abstract interpreters
Is there an efficient analysis to reason about most assertions?
Answer
(PLDI 06): Given abstract interpreters for
• Lattice L1 (eg, linear equalities, Gulwani-Necula POPL 03)
• Lattice L2 (eg, uninterpreted funs, Gulwani-Necula POPL 04)
Can obtain abstract interpreter for logical product of L1 & L2.
Cons:
• Cannot reason about all assertions.
Pros:
• Polynomial time.
• Can reason about conditionals.
16 /17
Conclusion
• Assertion checking for combination of linear
arithmetic and uninterpreted functions is:
– coNP-hard.
– but decidable.
• We prove these (surprising!) results by establishing
connections between assertion checking & unification.
• These results motivate logical product combination of
lattices, which entail slightly imprecise, but efficient
& automated reasoning (PLDI 06).
17 /17