Presentation is loading. Please wait.

Presentation is loading. Please wait.

TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A Sumit Gulwani (Microsoft Research, Redmond, USA) Symbolic Bound Computation.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A Sumit Gulwani (Microsoft Research, Redmond, USA) Symbolic Bound Computation."— Presentation transcript:

1 TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A Sumit Gulwani (Microsoft Research, Redmond, USA) Symbolic Bound Computation Art of Invariant Generation applied to Oregon Summer School July 2009 Part 3

2 1.Program Transformations –Reduce need for sophisticated invariant generation. –E.g., control-flow refinement, loop-flattening/peeling, non-standard cut-points, quantitative attributes instrumentation. 2.Colorful Logic –Language of Invariants –E.g., arithmetic, uninterpreted fns, lists/arrays 3.Fixpoint Brush –Automatic generation of invariants in some shade of logic, e.g., conjunctive/k-disjunctive/predicate abstraction. –E.g., Iterative, Constraint-based, Proof Rules 1 Art of Invariant Generation

3 Control-flow Refinement –Reduces need for disjunctive/non-linear invariants. Quantitative Attributes Instrumentation –Reduces need for invariants that refer to numerical heap properties. Loop Flattening/Peeling –Reduces need for disjunctive invariants. Non-standard choice of cut-points –Reduces need for disjunctive invariants. 2 Program Transformations

4 Control-flow Refinement –Control-Flow Refinement and Progress Invariants for Bound Analysis; Gulwani, Jain, Koskinen; PLDI ‘09 Quantitative Attributes Instrumentation –SPEED: Precise and Efficient Static Estimation of Program Computational Complexity; Gulwani, Mehra, Chilimbi; POPL ’09 Non-standard choice of cut-points –Program Analysis as Constraint Solving; Gulwani, Srivastava, Venkatesan; PLDI ‘08 3 Program Transformations: References

5  Control-flow Refinement Quantitative Attributes Instrumentation 4 Program Transformations

6 Control-flow Refinement: Transform a loop with multiple paths into code-fragment with simpler loops. For above example, (P1 | P2)* reduces to P1 + P2 P1 +. This implies a bound of (m-n)+(1)+(n) = m+1 5 Example: Loop with multiple phases x’ := n+1; while (*) P1: assume(x  n Æ x · m); x’:=x+1; P2: assume(x  n Æ x>m); x’:=0; Inputs: int n, m Assume(0<n<m) x := n+1; while (x  n) if (x · m) x++; else x := 0; x’ := n+1; while (*) {assume(x  n Æ x · m); x’:=x+1;} assume(x  n Æ x>m); x’:=0; while (*) {assume(x  n Æ x · m); x’:=x+1;} Transition System Representation Control Flow Refinement

7 Recall algebraic equivalence: (P1|P2)* = Skip | (P1|P2) (P1|P2)* –Used by iteration based tools to compute fixed-points. Now consider a different algebraic equivalence: (P1|P2)* = Skip | P1 + | P2 + | P1 + P2 (P1|P2)* | P2 + P1 (P1|P2)* –Here the focus is on action when P1 and P2 interleave. 6 Control-Flow Refinement 1.Expand a loop (P1 | P2)* using the above rule. 2.Use an invariant generation tool to check feasibility of above cases and accordingly expand recursively. The expanded code-fragment with simpler loops is easier to analyze. Invariants of simpler loops correspond to disjunctive invariants over the original loop.

8 Control-flow Refinement  Quantitative Attributes Instrumentation 7 Program Transformations

9 Example: Loop iterating over a data-structure Bound may require reference to quantitative attributes of a data-structure. E.g., Len(L): Length of list L. Inductive Invariant for the outer while-loop c · Old(Len(L)) - Len(L) – Len(ToDo) Æ Len(L) ¸ 0 Æ Len(ToDo) ¸ 0 This implies a bound of Old(Len(L)) for while loop. 8 BreadthFirstTraversal(List L): ToDo.Init(); L.MoveTo(L.Head(),ToDo); c:=0; while (! ToDo.IsEmpty()) c++; e := ToDo.Head(); ToDo.Delete(e); foreach successor s in e.Successors() if (L.contains(s)) L.MoveTo(s,ToDo);

10 User-defined Quantitative Attributes 9 Data Structure OperationUpdates to Quantitative Attributes L.Delete(e);Len(L)--; L.MoveTo(e,L’);Len(L)--; Len(L’)++; User describes semantics of quantitative attributes by stating how they are updated by various data-structure methods. Paper gives examples of quantitative attributes for trees, bit-vectors, composite structures (e.g., list of lists) –Trees: Height, Number of nodes –Bit-vectors: Number of 1 bits –List of lists: Sum of # of nodes in all nested lists.

11 1.Program Transformations –Reduce need for sophisticated invariant generation. –E.g., control-flow refinement, loop-flattening/peeling, non-standard cut-points, quantitative attributes instrumentation. 2.Colorful Logic –Language of Invariants –E.g., arithmetic, uninterpreted fns, lists/arrays 3.Fixpoint Brush –Automatic generation of invariants in some shade of logic, e.g., conjunctive/k-disjunctive/predicate abstraction. –E.g., Iterative, Constraint-based, Proof Rules 10 Art of Invariant Generation

12 We will now sketch a solution to the symbolic bound computation problem using the techniques learned. (Joint work with Florian Zuleger, TU-Darmstadt). We proceed by starting out with special cases and then generalizing. ¼ is immediately inside a loop.  Loop has only one transition/path s. –Loop has two transitions s 1 Ç s 2 –Loop has multiple transitions s 1 Ç … Ç s n –Loop has nested loops. ¼ can be any control-location. 11 Symbolic Bound Computation Problem

13 Consider the loop while (cond) X := F(X) Transition system representation s: cond Æ X’=F(X) Example: Transition system representation of the loop while (x < n) {x++; n--;} is x<n Æ x’=x+1 Æ n’=n-1 Algorithm: 1.Find a ranking function r for transition s: –r is a ranking fn for s if: s ) (r>0 Æ r[X’/X] · r-1) 2.Output Max(0,r) –Claim: Bound(s) · Max(0,r) 12 Bounding Iterations of Loops with one transition

14 Iterative Forward –Instrument counter c and find an upper bound n. n-c is a ranking function. Constraint-based –Assume a template a 0 +  i a i x i for the ranking function r and then solve for a i ’s in the constraint 9 a i (s ) (r>0 Æ r[X’/X] · r-1) using Farkas lemma –Goal directed –Complete PTIME method for synthesis of linear ranking fns. Podelski, Rybalchenko; VMCAI ‘04 Proof Rules –Most scalable, and effective for several domains. –We discuss design of a rank computer RankC based on some proof rules that can be discharged using SMT solvers. 13 Finding Ranking Functions

15 If s ) (e>0 Æ e[X’/X] < e), then e 2 RankC(s) RankC(i’=i+1 Æ i<n Æ i<m Æ n’=n Æ m’ · m) = { n-i, m-i } RankC(n>0 Æ n’ · n Æ A[n]  A[n’]) = If s ) (e ¸ 1 Æ e[X’/X] · e/2), then log e 2 RankC(s) RankC(i’ · i/2 Æ i>1 ) = { log i } RankC(i’=2 £ i Æ i>0 Æ n>i Æ n’=n) = { log (n/i) } 14 Arithmetic Iteration Patterns { n }

16 If s ) e Æ : e[X’/X], then Bool2Int(e) 2 RankC(s) RankC(flag’=false Æ flag) = { Bool2Int(flag) } RankC(x’=100 Æ x<100) = { Bool2Int(x < 100) } 15 Boolean Iteration Pattern

17 If s ) (LSB(x’) < LSB(x) Æ x  0), then LSB(x) 2 RankC(s) RankC(x’=x << 1 Æ x  0) = { LSB(x) } RankC(x’=x&(x-1) Æ x  0) = { LSB(x) } 16 Bit-vector Iteration Pattern

18 If s ) (x  z Æ Dist(x’,z) < Dist(x,z)), then Dist(x,z) 2 RankC(s) RankC(x  Null Æ x’=x.next) = { Dist(x,Null) } RankC(Mem’ = Update(Mem,x.next,x.next.next) Æ x  Null Æ x.next  Null) = { Dist(x,Null) } 17 Data-structure Iteration Patterns

19 Bounding Loop Iterations –Loop has only one transition/path s Constraint-based (Linear), Proof Rules  Loop has two transitions s 1 Ç s 2 Proof Rules –Loop has multiple transitions s 1 Ç … Ç s n –Loop has nested loops. Bounding Visits( ¼ ), where ¼ is any control-location. 18 Symbolic Bound Computation Problem

20 Bounding Loop Iterations –Loop has only one transition/path s Constraint-based (Linear), Proof Rules  Loop has two transitions s 1 Ç s 2 Proof Rules –Loop has multiple transitions s 1 Ç … Ç s n –Loop has nested loops. Bounding Visits( ¼ ), where ¼ is any control-location. 19 Symbolic Bound Computation Problem

21 Let r1 2 RankC(s1), r2 2 RankC(s2). Cooperative Interference CI(s1,r1,s2,r2): Non-enabling condition: s1 ± s2 = false Rank decrease condition: s1 ) r2[x’/x] · Max(r1,r2)-1 Proof Rule: If CI(s1, r1, s2, r2) and CI(s2,r2,s1,r1), then: Bound(s1 Ç s2) = Example: s1 = (n’=n-1 Æ j<n-1 Æ j’ ¸ j Æ i’=i) s2 = (n’=n-1 Æ i<n-1 Æ i’ ¸ i+1 Æ j’ ¸ i+2) r1 = n-j-1, r2 = n-i-1 Bound(s1 Ç s2) = Max(0, n-j-1, n-i-1) 20 Proof Rule for Max Composition Max(0, r1, r2)

22 Let r1 2 RankC(s1), r2 2 RankC(s2). Non-Interference NI(s1,s2,r2): Non-enabling condition: s1 ± s2 = false Rank preserving condition: s1 ) r2[x’/x] · r2 Proof Rule: If NI(s1,s2,r2) and NI(s2,s1,r1), then: Bound(s1 Ç s2) = Example: s1 = (z>x Æ x<n Æ x’=x+1 Æ Same({z,n}) ) s2 = (z · x Æ x<n Æ z’=z+1 Æ Same({x, n}) ) r1 = n-x, r2 = n-z Bound(s1 Ç s2) = Max(0, n-x) + Max(0, n-z) 21 Proof Rule for Additive Composition Max(0, r1) + Max(0,r2)

23 Let r1 2 RankC(s1), r2 2 RankC(s2). Proof Rule: If NI(s2,s1,r1), then: Bound(s1 Ç s2) = where u2(X) is an upper bound on r2[X’/X] as implied by s1. Example: s1 = (i’=i-1 Æ i>0 Æ j’=j-1 Æ j>0 Æ Same({k’,m’}) ) s2 = (j’=m Æ k’=k-1 Æ k>0 Æ Same({i’,m’}) ) RankC(s1) = {i,j}, RankC(s2) = {k} Bound(s1 Ç s2) = Max(0,k) + Max(0,m,j)*Max(0,k) or, Max(0,k) + Max(0,i) [Additive Composition] 22 Proof Rule for Multiplicative Composition Max(0,r1) + Max(0,r2) + Max(0,u2)*Max(0,r1)

24 Bounding Loop Iterations –Loop has only one transition/path s Constraint-based (Linear), Proof Rules –Loop has two transitions s 1 Ç s 2 Proof Rules  Loop has multiple transitions s 1 Ç … Ç s n Proof Rules –Loop has nested loops. Bounding Visits( ¼ ), where ¼ is any control-location. 23 Symbolic Bound Computation Problem

25 Iter(s i ) := ? ; do { for i 2 {1,..n} and r 2 RankC(s i ): J := { j | : NI(s j,s i,r) }; if (Iter[s i ] = ? ) Æ ( 8 j 2 J: Iter[s j ]  ? ) factor :=  j 2 J Iter (s j ); Let u(x) be upper bound on r[x’/x] implied by TC( Ç j  i s j ); Iter[s i ] := Max(0,r) + Max(0,u) * factor; } while any change in Iter array; If ( 8 1 · j · n: Iter[s j ]  ? ), return   · j · n Iter (s j ); Else return “Potentially Unbounded”; 24 Algorithm: ComputeBound(s 1 Ç  Ç s n )

26 Bounding Loop Iterations –Loop has only one transition/path s Constraint-based (Linear), Proof Rules –Loop has two transitions s 1 Ç s 2 Proof Rules –Loop has multiple transitions s 1 Ç … Ç s n Control-flow Refinement + Proof Rules  Loop has nested loops Iterative Forward: Recursively replace each nested loop by the transitive closure of its transition system. Bounding Visits( ¼ ), where ¼ is any control-location. 25 Symbolic Bound Computation Problem

27 To compute a precise bound of n for the outer loop, we need to summarize behavior of nested loop (n>0 Æ n’=n-1 Æ flag’=true) by following transitive closure: (n>0 Æ n’ · n-1 Æ flag’=true) Ç (flag’=flag) Observe that n’ · n is also a transitive closure, but it is too abstract to even conclude that outer loop terminates. 26 Example: TransitiveClosure Input: int n flag := true; while (flag) { flag := false; while (n>0 Æ nondet()) n := n-1; flag := true; }

28 We say that a relation R is TransitiveClosure(T) if Id ) R and R ± T ) R where Id is the relation X’=X Example of TransitiveClosure(s 1 Ç s 2 ) 27 TransitiveClosure Definition s 1 : i’=i+1 Æ j’=0 s 2 : i’=i Æ j’=j+1 (i’ ¸ i+1) Ç (i’=i Æ j’ ¸ j)

29 Let s 1 Ç  Ç s’ m be transitive closure of s 1 Ç  Ç s n. Then, –Id ) (s’ 1 Ç … Ç s’ m ) –(s’ 1 Ç … Ç s’ m ) ± (s 1 Ç … Ç s n ) ) (s’ 1 Ç … Ç s’ m ) Or, equivalently, s’ j ± s i ) (s’ 1 Ç … Ç s’ m ) Convexity-like assumption: Id ) s’ ± where ± 2 {1,…,m} s’ j ± s i ) s’ ¾ (j,i) where ¾ (j,i) 2 {1,...,m} A transitive closure with m disjuncts for a relation with n disjuncts corresponds to an integer q and a map ¾ : {1, ,n} £ {1, ,m} ! {1, ,n} We describe an algorithm for computing transitive closure that is stronger than s’ 1 Ç  Ç s’ m, given ± and map ¾. 28 Convexity-like Assumption

30 s’ ± := Id; for j 2 {1,…,m}/{ ± }: s’ j := false; do { for j 2 {1,…,m} and i 2 {1,…,n}: s’ k := Join(s’ k, s’ j ± s i ), where k = ¾ (j,i) } until no change in (s’ 1, …, s’ m ) Return (s’ 1 Ç … Ç s’ m ) 29 TransitiveClosure Algorithm The m*n disjuncts s’ j ± s i are merged/joined into n disjuncts using the map ¾. The distinguishing key idea is to stick with the same merging criterion determined by ¾ for all iterations. Precision Proof: s’ j stays stronger than desired solution. Termination may require widening, and precision is not guaranteed in that setting.

31 Bounding Loop Iterations –Loop has only one transition/path s Constraint-based (Linear), Proof Rules –Loop has two transitions s 1 Ç s 2 Proof Rules –Loop has multiple transitions s 1 Ç … Ç s n Control-flow Refinement + Proof Rules –Loop has nested loops Quantitative Attributes + Iterative Forward (Linear+UF)  Bounding Visits( ¼ ), where ¼ is any control-location. –Generate a transition system for ¼. 30 Symbolic Bound Computation Problem

32 1.Split ¼ into ¼ start and ¼ end. 2.If graph between ¼ start and ¼ end is a DAG, then expand the DAG into a set/disjunction of paths, each path representing relation among X and X’. Algorithm: GenerateTransitionSystem( ¼ )   ¼   ¼ start ¼ end Step 1

33 32 Algorithm: GenerateTransitionSystem( ¼ )   Step 3(b)   ¼ Header TransitiveClosure 3. If graph G between ¼ start and ¼ end is not a DAG: Foreach top-level loop L in graph G: a.T := TransitionSystem( ¼ Header ( L ) ) b.Remove back-edges, place TransitiveClosure(T) at the beginning of ¼ Header ( L ). Expand the resultant DAG into a set/disjunction of paths.

34 Input: Control Location ¼ 1.T := GenerateTransitionSystem( ¼ ) –T is a relation in DNF form among X and X’, where X: variables live at ¼ X’: values of variables X in the next visit to ¼ –Quantitative Attributes + Iterative Forward (Linear+UF) 2.B := 1+ComputeBound(T) –B denotes a symbolic bound in terms of inputs to T –Control-flow Refinement + Constraint-based (Linear), Proof Rules 3.B’ := TranslateBound(B, ¼ ) –Backward propagation based on Proof Rules Output: Bound B’ 33 Algorithm for Symbolic Bound Computation

35 Symbolic Bound Analysis –An application area waiting to benefit from advances in invariant generation technology. –Several important/open/challenging problems Concurrent Procedures, Average-case Bounds Art of Invariant Generation –Program Transformations + Colorful Logic + Fixpoint Brush –An effective solution for bound analysis involves using a variety of choices along each of these three dimensions. 34 Conclusion

Download ppt "TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A Sumit Gulwani (Microsoft Research, Redmond, USA) Symbolic Bound Computation."

Similar presentations

Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.

Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.
Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.

Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.
Continuing Abstract Interpretation We have seen: 1.How to compile abstract syntax trees into control-flow graphs 2.Lattices, as structures that describe.

Continuing Abstract Interpretation We have seen: 1.How to compile abstract syntax trees into control-flow graphs 2.Lattices, as structures that describe.
SSA and CPS CS153: Compilers Greg Morrisett. Monadic Form vs CFGs Consider CFG available exp. analysis: statement gen's kill's x:=v 1 p v 2 x:=v 1 p v.

SSA and CPS CS153: Compilers Greg Morrisett. Monadic Form vs CFGs Consider CFG available exp. analysis: statement gen's kill's x:=v 1 p v 2 x:=v 1 p v.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Data-Flow Analysis II CS 671 March 13, 2008. CS 671 – Spring 2008 1 Data-Flow Analysis Gather conservative, approximate information about what a program.

Data-Flow Analysis II CS 671 March 13, CS 671 – Spring Data-Flow Analysis Gather conservative, approximate information about what a program.
SPEED: Precise & Efficient Static Estimation of Symbolic Computational Complexity Sumit Gulwani MSR Redmond TexPoint fonts used in EMF. Read the TexPoint.

SPEED: Precise & Efficient Static Estimation of Symbolic Computational Complexity Sumit Gulwani MSR Redmond TexPoint fonts used in EMF. Read the TexPoint.
Satisfiability Modulo Theories (An introduction)

Satisfiability Modulo Theories (An introduction)
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.

1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
Inferring Disjunctive Postconditions Corneliu Popeea and Wei-Ngan Chin School of Computing National University of Singapore - ASIAN 2006 -

Inferring Disjunctive Postconditions Corneliu Popeea and Wei-Ngan Chin School of Computing National University of Singapore - ASIAN
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Program Analysis as Constraint Solving Sumit Gulwani (MSR Redmond) Ramarathnam Venkatesan (MSR Redmond) Saurabh Srivastava (Univ. of Maryland) TexPoint.

Program Analysis as Constraint Solving Sumit Gulwani (MSR Redmond) Ramarathnam Venkatesan (MSR Redmond) Saurabh Srivastava (Univ. of Maryland) TexPoint.
1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.

1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.
CS 355 – Programming Languages

CS 355 – Programming Languages
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University Simplifying Loop Invariant Generation Using Splitter Predicates.

Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University Simplifying Loop Invariant Generation Using Splitter Predicates.
Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.

Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.
Program Verification as Probabilistic Inference Sumit Gulwani Nebojsa Jojic Microsoft Research, Redmond.

Program Verification as Probabilistic Inference Sumit Gulwani Nebojsa Jojic Microsoft Research, Redmond.
Assertion Checking Unified Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.

Assertion Checking Unified Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.
1 Operational Semantics Mooly Sagiv Tel Aviv University 640-6706 Textbook: Semantics with Applications.

1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.

Similar presentations

Ads by Google