Embed Size (px)
Citation preview
Combining Abstract Interpreters
Sumit GulwaniMicrosoft Research
Redmond, Group
Ashish Tiwari SRI
RAD
Motivation
a1 := a1+1; a2 := a2+2;
b1 := F(b1); b2 := F(b2);c1 := F(2c1-c2); c2 := F(c2);
a1 := 0; a2 := 0;
b1 := 1; b2 := F(1);c1 := 2; c2 := 2;
Assert(a2=2a1);
Assert(b2 = F(b1));Assert(c2=c1);
b1< b2
False
True
•Abstract interpretation over the abstractions of linear arithmetic and uninterpreted functions can verify the first and second assertions respectively.
•Third assertion can be verified only over the combined abstraction.
Outline
Logical product combination of lattices
• Abstract interpreter for logical product lattice– Join operator– Existential quantification operator– Correctness and Complexity
Logical Product of Lattices
• A lattice L consists of a domain DL and partial order ¹L.
• A lattice L is a logical lattice over theory T if– DL = finite conjunctions of atomic facts over T
– E ¹L E’ iff E )T E’
• Let L1 and L2 be logical lattices over T1 and T2 resp. Then logical product of L1 and L2 is L1*L2, where– DL1*L2 = finite conjunctions of atomic facts over T1 [ T2
– E ¹L1*L2 E’ iff E )T1 [ T2 E’
and AlienTerms(E’) µ Terms(E)
Outline
• Logical product combination of lattices
Abstract interpreter for logical product lattice– Join operator– Existential quantification operator– Correctness and Complexity
Abstract Interpreter for L1*L2
Join Node
x := g;
E’
E
Conditional Node
pTrue False
E
E1 E2
Assignment Node
E2
E
E1
E = JoinL1*L2(E1,E2)
We show how to get JoinL1*L2 from JoinL1 and JoinL2.
E1 = MeetL1*L2(E, p)
E2 = E
MeetL1*L2(E,E’) = E Æ E’
E = EQL1*L2(E’’, {x’})
E’’ = E’[x’/x] Æ x=(g[x’/x])
We show how to get EQL1*L2 from EQL1 and EQL2.
Outline
• Logical product combination of lattices
• Abstract interpreter for logical product latticeJoin operator
– Existential quantification operator– Correctness and Complexity
Background: Combining Decision Procedures
a1=2y2-y1
y1 · 4y3 · a2
y1 = y2
y1 = a2
a2=F(a1)
y1=F(y1) Æ y2=F(F(y1))y1 = a1
y1 · 4y3 · F(2y2-y1) Æ y1=F(y1) Æ y2=F(F(y1))
Purification
y1=y
2y1=a
1y1=a
2
y1 = 4y3
Saturation
y1 = 4y3?
This classic algorithm was given by Nelson and Oppen in 1979.
Join Operator
If E = JoinL(E1,E2), then E is the least upper bound of E1 and E2 in lattice L
Examples:
• Joinla(z=0 Æ y=10, z=5 Æ y=5) = z+y=10 Æ 0·z· 5
• Joinuf(z=a Æ y=F(a), z=b Æ y=F(b)) = y=F(z)
• Joinla*uf(z=a-1 Æ y=F(a), z=b-1 Æ y=F(b)) = ?
Join Operator
If E = JoinL(E1,E2), then E is the least upper bound of E1 and E2 in lattice L
Examples:
• Joinla(z=0 Æ y=10, z=5 Æ y=5) = z+y=10 Æ 0·z· 5
• Joinuf(z=a Æ y=F(a), z=b Æ y=F(b)) = y=F(z)
• Joinla*uf(z=a-1 Æ y=F(a), z=b-1 Æ y=F(b)) = y=F(1+z)
We next show how to construct JoinL1*L2 using JoinL1 and JoinL2.
y=F(a)a=ha,bi
z=a-1a=ha,bi
y=F(b)b=ha,bi
z=b-1b=ha,bi
z=a-1 Æ y=F(a)
z=b-1 Æ y=F(b)
ha,bi=1+z
y=F(ha,bi)
JoinlaJoinuf
EQuf*la
y=F(1+z)
{ ha,bi }
Joinuf+l
a
Combining Join Operators
Outline
• Logical product combination of lattices
• Abstract interpreter for logical product lattice– Join operator
Existential quantification operator– Correctness and Complexity
Existential Quantification Operator
If E = EQL(E’,V), then E is the least (i.e., most precise) element in lattice L such that:
• E’ ¹L E
• Vars(E) Å V = ;
Examples:
• EQla(x·a Æ a·y, {a}) = x · y
• EQuf(x=F(a) Æ y=F2(a), {a}) = y=F(x)
• EQla*uf(a·b·y Æ z=c+1 Æ a=F2(b) Æ c=F(b), {a,b,c}) = ?
Existential Quantification Operator
If E = EQL(E’,V), then E is the least (i.e., most precise) element in lattice L such that:
• E’ ¹L E
• Vars(E) Å V = ;
Examples:
• EQla(x·a Æ a·y, {a}) = x · y
• EQuf(x=F(a) Æ y=F2(a), {a}) = y=F(x)
• EQla*uf(a·b·y Æ z=c+1 Æ a=F2(b) Æ c=F(b), {a,b,c}) = F(z-1)·y
We can construct EQL1*L2 using EQL1 and EQL2.
a=F2(b) Æ c=F(b)
a·b·y Æ z=c+1
a·b·y Æ z=c+1 Æ a=F2(b) Æ c=F(b)
{ a, b, c }
{ b }
a · y Æ z=c+1
EQuf
Substitute
F(z-1) · y
c z-1 a F(z-1)
EQuf+la
Combining Existential Quantification Operators
c z-1a F(z-1)
Defla Defuf
EQla
a = F(c)
Outline
• Logical product combination of lattices
• Abstract interpreter for logical product lattice– Join operator– Existential Quantification operator
Correctness and Complexity
Correctness
• Our algorithms for JoinL1*L2 and EQL1*L2 are sound.
• They are complete when the underlying theories T1 and T2 are convex, stably infinite, and disjoint.
• Proof of correctness is non-trivial.
Computational Complexity
• Complexity of JoinL1*L2 and EQL1*L2 is worst-case quadratic in complexity of JoinL1, Join
L2, EQL1, EQL2.
• Steps required for fixed-point computationDL(E) = max # of elements in a chain above E in
lattice L
DL1 £ L2(E) · DL1(E1) + DL2(E2) + |AlienTerms(E)|
where E1 and E2 are purified and saturated components of E.
Conclusion and Future Work
• Defined combination L1*L2 of two lattices L1 and L2.– This logical product is more precise than reduced product.
• Described abstract interpretation operators for L1*L2 in terms of corresponding operators for L1 and L2.– Lends modularity to design & implementation of abstract
interpreters.
Future Work:• Handle non-convex theories (eg. arrays) more precisely. • Handle non-atomic facts involving negation & disjunction.• Perform experiments.
