1 Cover Algorithms and Their Combination Sumit Gulwani, Madan Musuvathi Microsoft Research, Redmond

2 Cover Definition  Cover operation is useful for simplifying a formula by discarding facts related to a set of variables  Given A quantifier-free formula  in theory T A set of symbols V  Cover(, V) is The most-precise quantifier-free formula implied by  that does not involve V e.g. Cover(y=f(a+v)–f(b+v), {v}) : (a=b) ) y=0

3 Cover vs. Quantifier Elimination  Quantifier Elimination: Given a quantified formula, output a logically equivalent quantifier-free formula  9 V  ´ Cover T (,V) if T admits quantifier elimination  Some theories do not: theory of uninterpreted functions Example: f(y) = 0 Cannot say “0 is in the range of f” without using quantifiers  Cover(,V) is the most-precise quantifier-free approximation to 9 V 

4 Applications  Strongest post-condition Useful for abstract interpretation on logical formulas Existential quantification of dead variables SP(, x := e) = 9 x’ ([x’/x] Æ x = e[x’/x])  Image computation Useful for reachability analysis in symbolic model checking Existential quantification of old state variables R i+1 (S) = 9 S’(R i [S’/S] Æ T(S’,S)) Ç R i (S)

5 Applications  Procedure summaries Existential quantification of local variables Useful for interprocedural analysis  Interpolants Suppose A ) B. Then I is the Interpolant(A,B) if  A ) I ) B  I only contains variables common to A and B Cover(A, V A ) is most precise Interpolant(A,B) : Cover( : B, V B ) is least precise Interpolant(A,B)

6 Outline  Symbolic model checking using Cover  Cover algorithm for uninterpreted functions  Cover algorithm for the combination of uninterpreted functions and linear arithmetic

Symbolic Model Checking Algorithm  I(S) : initial states, E(S) : error states  T(S’,S) : transition from old state S’ to new state S  R(S): reachable states R 0 (S) = I(S) R i+1 (S) = 9 S’(R i [S’/S] Æ T(S’,S)) Ç R i (S)  Error found if R n+1 (S) Æ E(S) is satisfiable 7

Symbolic Model Checking Using Cover  I(S) : initial states, E(S) : error states  T(S’,S) : transition from old state S’ to new state S  R(S): reachable states R 0 (S) = I(S) R i+1 (S) = Cover(R i [S’/S] Æ T(S’,S), S’) Ç R i (S) 8

Symbolic Model Checking Using Cover  I(S) : initial states, E(S) : error states  T(S’,S) : transition from old state S’ to new state S  R(S): reachable states R 0 (S) = I(S) R i+1 (S) = Cover(R i [S’/S] Æ T(S’,S), S’) Ç R i (S)  This algorithm can find false errors As Cover over-approximates the set of reachable states 9

Symbolic Model Checking Using Cover  I(S) : initial states, E(S) : error states  T(S’,S) : transition from old state S’ to new state S  R(S): reachable states R 0 (S) = I(S) R i+1 (S) = Cover(R i [S’/S] Æ T(S’,S), S’) Ç R i (S)  Theorem: If the transition system is described using quantifier-free formulas, symbolic model checking using cover is sound and precise 10

11 Outline  Symbolic model checking using Cover  Cover algorithm for uninterpreted functions  Cover algorithm for the combination of uninterpreted functions and linear arithmetic

12 Cover Algorithm for Unary Uninterpreted Functions  Cover(, V) = Erase V from congruence closure of   Example: Let  be x=f(v 1 ) Æ y=f(v 2 ) Æ v 1 = v 2 Cover(, {v 1,v 2 }) is x=y v1v1 f v2v2 f y x

13 Cover Algorithm for Binary Uninterpreted Functions  The erasure technique does not work Let  be x=f(a,v) Æ y=f(b,v) Erasure(, {v}) is true Cover(, {v}) is a=b ) x=y  Cover(, V) is: For all partitions E of congruence classes in  E ) Erasure( Æ E, V)

14 Example x1x1 b1b1 f v x2x2 b2b2 f v a1a1 v y f f f a2a2 v y x1x1 f x1x1 a 1 = b 1 Æ a 2 = b 1 ) y x1x1 f x2x2 a 1 = b 1 Æ a 2 = b 2 ) x2x2 x2x2 y x2x2 f x1x1 a 1 = b 2 Æ a 2 = b 1 ) y fa 1 = b 2 Æ a 2 = b 2 )  Cover(,{v}) Cover(, {v}) can be exponential in 

15 Outline  Cover algorithm for linear arithmetic  Cover algorithm for uninterpreted functions  Cover algorithm for combination of theories

16 Combining Cover Algorithms: Idea 1 Cover T 1 [ T 2 ( 1 Æ  2, V): Return Cover T 1 ( 1,V) Æ Cover T 2 ( 2,V) Fails on x=v 1 +1 Æ y=v 2 +1 Æ v 1 =f(z) Æ v 2 =f(z) Algorithm returns true Cover is x=y Solution: Share variable equalities

17 Combining Cover Algorithms: Idea 2 Cover T 1 [ T 2 ( 1 Æ  2, V): E Ã Saturate( 1, 2 ) Return Cover T 1 ( 1 Æ E,V) Æ Cover T 2 ( 2 Æ E,V) Fails on v=x+1 Æ y=f(v) Algorithm returns true Cover is y=f(x+1) Solution: Share equalities between variables and “simple” terms

18 Combining Cover Algorithms: Idea 3 Cover T 1 [ T 2 ( 1 Æ  2, V): E Ã Saturate( 1, 2 ) Return Cover T 1 ( 1 Æ E,V) Æ Cover T 2 ( 2 Æ E,V) Fails on x · v Æ v · y Æ v=f(z,v) Algorithm returns x · y Cover is x · y Æ (x=y ) x=f(z,x)) Solution: Share conditional equalities

19 Example Cover(y=f(a+v)–f(b+v), {v}) v 1 = a+v v 2 = b+v y = v 3 -v 4 v 3 = f(v 1 ) v 4 = f(v 2 ) a=b ) v 1 =v 2 a=b ) v 3 =v 4 a=b ) y=0 true

20 Conclusion  Cover is the most-precise quantifier-free approximation to quantifier elimination  Cover algorithm for uninterpreted functions  Cover algorithm for combination of theories Exchange equalities between variables and good terms Exchange conditional equalities