Combining Abstract Interpreters
Sumit Gulwani, Microsoft Research, Redmond
Ashish Tiwari, SRI
Motivation
Consider the following loop (given as a flowchart on the slide):
    a1 := 0; a2 := 0; b1 := 1; b2 := F(1); c1 := 2; c2 := 2;
    while (b1 < b2) {
        a1 := a1 + 1;       a2 := a2 + 2;
        b1 := F(b1);        b2 := F(b2);
        c1 := F(2c1 - c2);  c2 := F(c2);
    }
    Assert(a2 = 2a1); Assert(b2 = F(b1)); Assert(c2 = c1);
Abstract interpretation over the abstractions of linear arithmetic and uninterpreted functions can verify the first and second assertions respectively. The third assertion can be verified only over the combined abstraction.
Outline
Logical product combination of lattices
Abstract interpreter for logical product lattice
– Join operator
– Existential quantification operator
– Correctness and Complexity
Logical Product of Lattices
A lattice L consists of a domain $D_L$ and a partial order $\sqsubseteq_L$.
A lattice L is a logical lattice over theory T if
– $D_L$ = finite conjunctions of atomic facts over T
– $E \sqsubseteq_L E'$ iff $E \Rightarrow_T E'$
Let L1 and L2 be logical lattices over T1 and T2 respectively. Then the logical product of L1 and L2 is L1*L2, where
– $D_{L1*L2}$ = finite conjunctions of atomic facts over $T1 \cup T2$
– $E \sqsubseteq_{L1*L2} E'$ iff $E \Rightarrow_{T1 \cup T2} E'$ and $\mathrm{AlienTerms}(E') \subseteq \mathrm{Terms}(E)$
Outline (next: Abstract interpreter for logical product lattice)
Abstract Interpreter for L1*L2
Join node (inputs $E_1$, $E_2$): $E = Join_{L1*L2}(E_1, E_2)$. We show how to get $Join_{L1*L2}$ from $Join_{L1}$ and $Join_{L2}$.
Conditional node on predicate p (input E): True branch $E_1 = Meet_{L1*L2}(E, p)$; False branch $E_2 = E$; where $Meet_{L1*L2}(E, E') = E \wedge E'$.
Assignment node x := g (input E): $E' = EQ_{L1*L2}(E'', \{x'\})$ where $E'' = E[x'/x] \wedge x = g[x'/x]$. We show how to get $EQ_{L1*L2}$ from $EQ_{L1}$ and $EQ_{L2}$.
Outline (next: Join operator)
Background: Combining Decision Procedures
Input: $y_1 \le 4y_3 \le F(2y_2 - y_1) \wedge y_1 = F(y_1) \wedge y_2 = F(F(y_1))$. Query: $y_1 = 4y_3$?
Purification (name each alien subterm with a fresh variable):
– LA part: $y_1 \le 4y_3 \le a_2$, $a_1 = 2y_2 - y_1$
– UF part: $a_2 = F(a_1)$, $y_1 = F(y_1) \wedge y_2 = F(F(y_1))$
Saturation (exchange of shared equalities between the two parts): $y_1 = y_2$, $y_1 = a_1$, $y_1 = a_2$, $y_1 = 4y_3$.
This classic algorithm was given by Nelson and Oppen in 1979.
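The purification step above, and the "purified components" and AlienTerms that the lattice definition and the complexity bound refer to, can be made concrete with a small purifier. This is example code added for this page, not the authors' implementation: the tuple encoding of terms, the LA signature {+, -, *} with F as the only uninterpreted symbol, and the fresh-variable names a1, a2, ... are all assumptions. It splits a conjunction over LA ∪ UF into a pure LA part and a pure UF part, records the definition of every fresh variable, and checks the purity invariant.

```python
"""Purification step of the Nelson-Oppen combination (example code for this page,
not the authors' implementation).  A conjunction of atomic facts over LA ∪ UF is
split into a pure linear-arithmetic part and a pure uninterpreted-function part by
naming every alien subterm with a fresh variable.  The tuple encoding of terms, the
symbol sets and the naming scheme a1, a2, ... are assumptions."""

from typing import Dict, List, Tuple, Union

Term = Union[str, int, tuple]      # variable | numeral | (symbol, arg, ...)
Atom = Tuple[str, Term, Term]      # ("=", lhs, rhs) or ("<=", lhs, rhs)

LA_SYMBOLS = {"+", "-", "*"}       # assumed LA signature; numerals are LA as well
# Every other function symbol (here only "F") is treated as uninterpreted.


def theory(t: Term) -> str:
    """Theory owning the root symbol of t: 'la', 'uf', or 'shared' for a variable."""
    if isinstance(t, str):
        return "shared"
    if isinstance(t, int):
        return "la"
    return "la" if t[0] in LA_SYMBOLS else "uf"


class Purifier:
    def __init__(self) -> None:
        self.parts: Dict[str, List[Atom]] = {"la": [], "uf": []}
        self.names: Dict[Term, str] = {}   # purified alien term -> fresh variable
        self.counter = 0

    def purify_term(self, t: Term, parent: str) -> Term:
        """Return t with every subterm foreign to theory `parent` replaced by a variable."""
        if isinstance(t, str):             # variables are shared by both theories
            return t
        th = theory(t)
        if isinstance(t, int):
            pure: Term = t
        else:
            # Purify children first (bottom-up), so an inner alien term is named
            # before the outer term that contains it.
            pure = (t[0],) + tuple(self.purify_term(arg, th) for arg in t[1:])
        if th == parent:
            return pure
        if pure not in self.names:         # alien term: name it once and define it
            self.counter += 1              # in its own theory's component
            v = f"a{self.counter}"
            self.names[pure] = v
            self.parts[th].append(("=", v, pure))
        return self.names[pure]

    def purify_atom(self, atom: Atom) -> None:
        op, lhs, rhs = atom
        if op == "<=":
            th = "la"                      # inequality is an LA predicate
        else:
            th = theory(lhs) if theory(lhs) != "shared" else theory(rhs)
        if th == "shared":                 # x = y is a shared equality: give it to both
            for part in self.parts.values():
                part.append(atom)
            return
        self.parts[th].append((op, self.purify_term(lhs, th), self.purify_term(rhs, th)))


def purify(atoms: List[Atom]) -> Tuple[List[Atom], List[Atom], Dict[str, Term]]:
    """Split a conjunction into (LA part, UF part, definitions of the fresh variables)."""
    p = Purifier()
    for atom in atoms:
        p.purify_atom(atom)
    return p.parts["la"], p.parts["uf"], {v: t for t, v in p.names.items()}


def is_pure(atom: Atom, th: str) -> bool:
    """Purity invariant: every symbol of the atom belongs to theory th (variables allowed)."""
    def ok(t: Term) -> bool:
        if isinstance(t, str):
            return True
        if isinstance(t, int):
            return th == "la"
        return theory(t) == th and all(ok(a) for a in t[1:])
    op, lhs, rhs = atom
    return (op == "=" or th == "la") and ok(lhs) and ok(rhs)


# Constructed input: the slide's formula
#   y1 <= 4*y3 <= F(2*y2 - y1)  /\  y1 = F(y1)  /\  y2 = F(F(y1))
SLIDE_FORMULA: List[Atom] = [
    ("<=", "y1", ("*", 4, "y3")),
    ("<=", ("*", 4, "y3"), ("F", ("-", ("*", 2, "y2"), "y1"))),
    ("=", "y1", ("F", "y1")),
    ("=", "y2", ("F", ("F", "y1"))),
]

if __name__ == "__main__":
    la, uf, defs = purify(SLIDE_FORMULA)
    print("LA part:", la)          # y1 <= 4y3, a1 = 2y2 - y1, 4y3 <= a2
    print("UF part:", uf)          # a2 = F(a1), y1 = F(y1), y2 = F(F(y1))
    print("alien terms named:", defs)
```

Because children are purified before their parent, the innermost alien term 2y2 - y1 becomes a1 and F(a1) becomes a2, which is exactly the split shown on the slide; the saturation step (exchanging the equalities y1 = y2, y1 = a1, ... between the two parts) needs the two decision procedures and is not part of this example.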
Join Operator
If $E = Join_L(E_1, E_2)$, then E is the least upper bound of $E_1$ and $E_2$ in lattice L.
Examples:
– $Join_{la}(z=0 \wedge y=10,\ z=5 \wedge y=5) = z+y=10 \wedge 0 \le z \le 5$
– $Join_{uf}(z=a \wedge y=F(a),\ z=b \wedge y=F(b)) = y=F(z)$
– $Join_{la*uf}(z=a-1 \wedge y=F(a),\ z=b-1 \wedge y=F(b)) = y=F(1+z)$
We next show how to construct $Join_{L1*L2}$ using $Join_{L1}$ and $Join_{L2}$.
Combining Join Operators
Inputs: $E_1 = z=a-1 \wedge y=F(a)$ and $E_2 = z=b-1 \wedge y=F(b)$.
1. Purify each input into its LA and UF components: $E_1$ gives $z=a-1$ (LA) and $y=F(a)$ (UF); $E_2$ gives $z=b-1$ (LA) and $y=F(b)$ (UF).
2. Introduce a fresh variable $\langle a,b \rangle$ that stands for a in $E_1$ and for b in $E_2$: add $a=\langle a,b \rangle$ to both components of $E_1$ and $b=\langle a,b \rangle$ to both components of $E_2$.
3. Apply the component joins: $Join_{la}(z=a-1 \wedge a=\langle a,b \rangle,\ z=b-1 \wedge b=\langle a,b \rangle) = \langle a,b \rangle = 1+z$ and $Join_{uf}(y=F(a) \wedge a=\langle a,b \rangle,\ y=F(b) \wedge b=\langle a,b \rangle) = y=F(\langle a,b \rangle)$.
4. Eliminate the fresh variable: $EQ_{uf*la}(\langle a,b \rangle = 1+z \wedge y=F(\langle a,b \rangle),\ \{\langle a,b \rangle\}) = y=F(1+z)$, which is $Join_{uf*la}(E_1, E_2)$.
Outline (next: Existential quantification operator)
Existential Quantification Operator
If $E' = EQ_L(E, V)$, then $E'$ is the least (i.e., most precise) element in lattice L such that $E \sqsubseteq_L E'$ and $\mathrm{Vars}(E') \cap V = \emptyset$.
Examples:
– $EQ_{la}(x \le a \wedge a \le y,\ \{a\}) = x \le y$
– $EQ_{uf}(x=F(a) \wedge y=F^2(a),\ \{a\}) = y=F(x)$
– $EQ_{la*uf}(a \le b \le y \wedge z=c+1 \wedge a=F^2(b) \wedge c=F(b),\ \{a,b,c\}) = F(z-1) \le y$
We can construct $EQ_{L1*L2}$ using $EQ_{L1}$ and $EQ_{L2}$.
Combining Existential Quantification Operators
Input: $E = a \le b \le y \wedge z=c+1 \wedge a=F^2(b) \wedge c=F(b)$ and $V = \{a,b,c\}$.
1. Purified components: LA: $a \le b \le y \wedge z=c+1$; UF: $a=F^2(b) \wedge c=F(b)$.
2. Definitions of quantified variables in terms of the other component: $Def_{la}$ gives $c \mapsto z-1$; $Def_{uf}$ gives $a \mapsto F(c)$. The set of variables still to be eliminated inside the components shrinks from $\{a,b,c\}$ to $\{b\}$.
3. Component operators: $EQ_{la}(a \le b \le y \wedge z=c+1,\ \{b\}) = a \le y \wedge z=c+1$ and $EQ_{uf}(a=F^2(b) \wedge c=F(b),\ \{b\}) = a=F(c)$.
4. Substitute the definitions $c \mapsto z-1$ and $a \mapsto F(c) = F(z-1)$ into $a \le y$: the result is $F(z-1) \le y$.
Outline (next: Correctness and Complexity)
Correctness
Our algorithms for $Join_{L1*L2}$ and $EQ_{L1*L2}$ are sound. They are complete when the underlying theories T1 and T2 are convex, stably infinite, and disjoint. The proof of correctness is non-trivial.
Computational Complexity
The complexity of $Join_{L1*L2}$ and $EQ_{L1*L2}$ is worst-case quadratic in the complexity of $Join_{L1}$, $Join_{L2}$, $EQ_{L1}$, $EQ_{L2}$.
Steps required for fixed-point computation: let $D_L(E)$ = max number of elements in a chain above E in lattice L. Then
$D_{L1*L2}(E) \le D_{L1}(E_1) + D_{L2}(E_2) + |\mathrm{AlienTerms}(E)|$
where $E_1$ and $E_2$ are the purified and saturated components of E.
Conclusion and Future Work
Defined the combination L1*L2 of two lattices L1 and L2.
– This logical product is more precise than the reduced product.
Described abstract interpretation operators for L1*L2 in terms of the corresponding operators for L1 and L2.
– Lends modularity to the design and implementation of abstract interpreters.
Future Work:
– Handle non-convex theories (e.g., arrays) more precisely.
– Handle non-atomic facts involving negation and disjunction.
– Perform experiments.