Bit-Precise Constraints Applicat

Document Sample
Bit-Precise Constraints Applicat Powered By Docstoc
					FMCAD 2009 Tutorial
  Nikolaj Bjørner
 Microsoft Research
                          Tutorial Contents
 Some Bit-precise Microsoft Engines:
 -   PREfix:       The Static Analysis Engine for C/C++.
 -   Pex:          Program EXploration for .NET.
                                                                       Hyper-V
 -   SAGE:         Scalable Automated Guided Execution
 -   VCC:          Verifying C Compiler for the Viridian Hyper-Visor
 -   SpecExplorer: Model-based testing of protocol specs
 -   VS3:          Abstract interpretation and Synthesis


Bit-vector decision procedures by categories
     Bit-wise operations
                                                Fixed size
     Vector Segments
                                                Parametric, non-fixed size
     Bit-vector Arithmetic
Test input,
generated by Pex




           3
  QF_BV benchmarks in SMT-LIB
Number of
                 35000
benchmarks
                 30000
                 25000
                 20000
     Trivial     15000
                 10000
                  5000
                       0
                                                            From trivial to hard
                             2006    2007    2008   2009



      MB
               18000
               16000
               14000
               12000
               10000
                                                           SAGE
                8000
                6000
                4000
                2000
                   0                                        From 40MB to 18GB
                           2006     2007    2008    2009
 SAGE Experiments                 Most much (100x) bigger than ever tried before!



 • Seven applications – 10 hours search each
App Tested        #Tests   Mean Depth        Mean #Instr.         Mean Input
                                                                  Size
ANI               11468    178               2,066,087            5,400

Media1            6890     73                3,409,376            65,536

Media2            1045     1100              271,432,489          27,335

Media3            2266     608               54,644,652           30,833

Media4            909      883               133,685,240          22,209

Compressed File   1527     65                480,435              634
Format
OfficeApp         3008     6502              923,731,248          45,064
SAGE Architecture

                                          Coverage                     Constraints
        Input0
                                            Data




       Check for                Code                      Generate                     Solve
        Crashes               Coverage                   Constraints                 Constraints
     (AppVerifier)            (Nirvana)                   (TruScan)                     (Z3)




                                                     Input1
                                                        Input2
                                                          …

                                                             InputN


SAGE is mostly developed by
in the Windows division                                                Microsoft Research
Michael Levin et.al.                                                   algorithms/tools
SAGE: nuts and bolts
          xor


                +


          xor
                      The bottleneck in this case
                      Was to handle shared structures
                +     With alternated xor and addition.


          xor       xor


                +


          xor       xor
                                                                         -INT_MIN=
                                                                             INT_MIN
                      3(INT_MAX+1)/4 +
 int binary_search(int[] arr, int low,
                         (INT_MAX+1)/4      void itoa(int n, char* s) {
                  int high, int key)
                            = INT_MIN           if (n < 0) {
 while (low <= high)                               *s++ = ‘-’;
   {                                               n = -n;
      // Find middle value
                                               }
      int mid = (low + high) / 2;
                                               // Add digits to s
      int val = arr[mid];
      if (val == key) return mid;              ….
      if (val < key) low = mid+1;
      else high = mid-1;
    }
    return -1;
 }
Package: java.util.Arrays                Book: Kernighan and Ritchie
Function: binary_search                  Function: itoa (integer to ascii)
    int init_name(char **outname, uint n)            model for function init_name
    {                                                outcome init_name_0:
       if (n == 0) return 0;                           guards: n == 0
       else if (n > UINT16_MAX) exit(1);
       else if ((*outname = malloc(n)) == NULL) {
                                                       results: result == 0
                                                     outcome init_name_1:
                                                                                                        models
           return 0xC0000095; // NT_STATUS_NO_MEM;      guards: n > 0; n <= 65535
       }                                                results: result == 0xC0000095
       return 0;                                     outcome init_name_2:
    }                                                   guards: n > 0|; n <= 65535
                                                        constraints: valid(outname)
    int get_name(char* dst, uint size)                  results: result == 0; init(*outname)
    {                                                                                                  Can
       char* name;
       int status = 0;
                                                                                                   Pre-condition
                                                     path for function get_name
       status = init_name(&name, size);
                                                       guards: size == 0
                                                                                                   be violated?
       if (status != 0) {
           goto error;
                                                       constraints:
                                                       facts: init(dst); init(size); status == 0
                                                                                                         paths
       }
       strcpy(dst, name);
    error:
       return status;                                pre-condition for function strcpy
                                                       init(dst) and valid(name)
    }                                                                                                       Yes: name
                                                                                                              is not
  C/C++ functions                                                          warnings                         initialized

6/26/2009
                                             m_nSize == m_nMaxSize == UINT_MAX


            iElement = m_nSize;
            if( iElement >= m_nMaxSize )
            {                                                   iElement + 1 == 0
                 bool bSuccess = GrowBuffer( iElement+1 );
                 …
            }
            ::new( m_pData+iElement ) E( element );
            m_nSize++;                                              Code was
                                               Write in             written for
                                             unallocated          address space
                                              memory                 < 4GB

6/26/2009                                                          10
                                                           Overflow check
     ULONG AllocationSize;
     while (CurrentBuffer != NULL) {
          if (NumberOfBuffers > MAX_ULONG / sizeof(MYBUFFER)) {
               return NULL;                          Increment and exit
          }                                               from loop
          NumberOfBuffers++;
          CurrentBuffer = CurrentBuffer->NextBuffer;
     }
     AllocationSize = sizeof(MYBUFFER)*NumberOfBuffers;
     UserBuffersHead = malloc(AllocationSize);
                                                         Possible
                                                         overflow
6/26/2009                                                           11
                                                                  Possible overflow
        LONG l_sub(LONG l_var1, LONG l_var2)
        {
          LONG l_diff = l_var1 - l_var2; // perform subtraction
          // check for overflow
          if ( (l_var1>0) && (l_var2<0) && (l_diff<0) ) l_diff=0x7FFFFFFF
          …

                                          Forget corner
                                          case INT_MIN



6/26/2009                                                          12
                                                                Possible overflow


            for (uint16 uID = 0; uID < uDevCount && SUCCEEDED(hr); uID++) {
                …
                     if (SUCCEEDED(hr)) {
                    uID = uDevCount; // Terminates the loop


                                                            uID == UINT_MAX
                      Loop does not
                        terminate



6/26/2009                                                         13
                                        Can overflow


        DWORD dwAlloc;
        dwAlloc = MyList->nElements * sizeof(MY_INFO);
                                                            Not a proper test
        if(dwAlloc < MyList->nElements)
            … // return
        MyList->pInfo = malloc(dwAlloc);


                                                         Allocate less
                                                         than needed


6/26/2009                                                 14
                               More tools
•                 Short demo

• SpecExplorer
  2009

• Synthesis                                 Clear trailing 1 bits from vector
    [Gulwani, Jha, Tiwari, Venkatesan 09]
    [Gulwani, Jha, Tiwari, Seisha 09]
                                            (( x  1)  x)  1)  x
                                           Bit-vectors by example
                                                                                                                1   0   1        0   1    1
   1       0       1       0       1       1        0         1       1       0       0       1
                                                   =                                                                        
                                                                                                                0   1   1        0   0    1
       1       0       1       0       1       1       0   1       1       0       0       1
                                                                                                                            =
                                                                                                                0   0   1        0   0    1
 Vector                                                                                             Bit-wise
Segments                                                   Concatenation                           operations                    Bit-wise and
                                                                                                                1   0   1        0   1    1

                                                                                                                            +
   1       0       1       0       1           1                               0       1       0                0   1   1        0   0    1
                                                   [4:2] =
                                                                                                                            =
                                                                                                                0   0   0        1   0    0
 Vector                                                                                             Modular
Segments                                                               Extraction                  arithmetic                            Addition
                          Bit-vector theories
  bv [N: nat]: THEORY                [PVS: Butler et.al NASA-TR-96]
  BEGIN
   bit : TYPE = {n: nat | n <= 1}
   bvec : TYPE = [below(N) -> bit]
  END bv                             A bit-vector is a function
                                      from {0..N-1} to {0,1}




  NOT(bv: bvec[N]) : bvec =          Bit-wise negation
          (LAMBDA i: NOT bv(i)) ;


  Well-suited for
Bit-wise operations
                            Bit-vector theories
 (defund bvecp (x k)                                      [ACL2: Russinoff 05]
   (declare (xargs :guard (integerp k)))
   (and (integerp x)
        (<= 0 x)
        (< x (expt 2 k))))                       The number x is a k bit-vector if
                                                      0  x < 2k

  (defund lnot (x n)
    (declare (xargs :guard
         (and (natp x) (integerp n) (< 0 n))))
    (if (natp n)
                                                  Bit-wise negation
       (+ -1 (expt 2 n) (- (bits x (1- n) 0)))
       0))


  Well-suited for
(Modular) arithmetic
                            Bit-vector theories
subsection {* Bits *}
                                                          [HOL: Wong 93]
datatype bit = Zero ("\<zero>")                           [Isabelle: 09]
| One ("\<one>")
primrec bitval :: "bit => nat"
 where "bitval \<zero> = 0"                    A bit is the data-type
       | "bitval \<one> = 1“                        Zero or One.
primrec
                                               A bit-vector is a list of bits.
 bitnot_zero: "(bitnot \<zero>) = \<one>“
 bitnot_one : "(bitnot \<one>) = \<zero>"

subsection {* Bit Vectors *}
                                              Bit-wise negation
definition bv_not :: "bit list => bit list“
  where "bv_not w = map bitnot w"


 Well-suited for
Vector Segments
        Decision procedure scopes
Size assumptions


                                   Non-fixed
           Fixed size
                                     size


Optimized for


 Bit-wise                Vector             Modular
operations              Segments           arithmetic
            Bit-vectors not by example

t   ::                   a[ n ] , b[ n ] , c[ n ]           • Vars of length n
     |      t  t | t  t | t  t | div(t , t ) | t mod t
                                                   •           Arithmetic
     |                                             •
              lshl (t , t ) | rshl (t , t ) | rsha(t , t )     Shift
    |            1| 0 | t  t | t[n : m]           •           Concat, extract
    |           t  t | t  t | xor (t , t )       •           Bit-wise logical
 :: t[n] | t  s t | t u t | t  t |    |  •           Formulas
    Vector
                      Fixed size
   Segments

                                 x[8] = z[4] x[8] [3:2]  a[2]
                                 z[4] = x[8] [7:4] & y[8] [7:4]
                                                                           Cut, dice & slice
                                                                           [Bjørner, Pichora TACAS 98]
               x[8] [7:4]  x[8] [3:2]  x[8] [1:0] = z[4]  x[8] [3:2]  a[2]
               z[4] = x[8] [7:4] & y[8] [7:4]
                                                                            Bit-vectors cut into
                                                                            Disjoint segments
                   x[8] [7:4] = z[4]      x[8] [3:2] = x[8] [3:2]
                   x[8] [1:0] = a[2]      z[4] = x[8] [7:4] & y[8] [7:4]

[Cyrluk, Möller,                 [Bruttomesso,                              [Johannsen,
Rueß CAV 97]                     Sharygina ICCAD 09]                        Dreschler VLSI 01]
Bit-vector                       Backtracking Integration                   Reduce bit-width using
equation solver                  with modern SMT solver                     equi-SAT analysis
 Vector            Non-fixed
Segments             size

 t   :: a, b, c |1| 0 | t  t | t[n : m] | ext (t , n)
  ::              t  t |    |           Unification algorithms for
                                                non-fixed size bit-vectors
n, m ::                   kN  k '             [Bjørner, Pichora TACAS 98]
                                                            [Möller, Rueß FMCAD 98]
     ext (t , n)    Concatenate t with itself until reaching length n

                                              a[2]  0  d[1]
       a[2]  1  b[3 N ]                     c[2]  d[1]  1
        b[3 N ]  0  c[2]                   b[3 N ]  ext (0  d[1]  1,3N )
                                               0  d[1]  1            0  d[1]  1
                                                                  3N
 Modular
             Fixed size
arithmetic

Early focus:
• Normal forms and solving linear modular equalities
                    [Barrett, Dill, Levitt, DAC 98]

• Dedicated modular linear arithmetic
                     [Huang, Chen, IEEE 01]

• Reduction of modular linear arithmetic to Integer
  linear programmig
                    [Brinkmann, Drechsler, 02]
             Solving linear-modular equalities
      ax  by  c mod 2n                    2k ax  2l by  2m c mod 2n a, b, c odd


 k, l > m        Un-satisfiable                             eg.,
                                                                     8 x  6 y  3mod 232
 k=0                       1                               where,
                     x  a (2 c  2 by ) mod 2
                                m       l               n

                                                             1  gcd(a, 2n )  a 1a  t 2n
 l, m  k                      1     mk       l k
                          t 2  a (2
                            k
                                          c  2 by) by reduction, solve for:
 k>0                 x
                                    mod 2 nk       ax  2l  k by  2m k c mod 2n k
 Modular     Fixed
arithmetic    size
         Triangulate linear-modular equalities
2 x 6 y 9 z  13mod 2 4                                       [Müller-Olm & Seidl, ESOP 05]
                                                                Main point: algorithm does not
             2y       4 z  12 mod 2 4                         require computing gcd to find
                                                                inverse.
  x          2 y      z            2 mod 2 4
                  r1 := 2r1– r3
                                            2y        7 z  9 mod 2     4


                                            2y        4 z  12 mod 24
                                      x 2 y          z      2 mod 2   4


                                       r1 := r1– r2
                                                                       3z  15 mod 2             4



               Fixed
                                                               2y     4 z  12 mod 24
 Modular
arithmetic      size                                        x 2 y     z          2 mod 2      4
             Solving linear modular inequalities




                               Difference arithmetic reduces to a
                               basic path search problem

 Modular     Fixed
arithmetic    size
             Solving linear modular inequalities
                          v0  1mod N  v1                v0
                          v1  1mod N  v2                v1
                          v2  1mod N  v0                v2


                         (v0  N  1)  (v1  N  1)  (v2  N  1)  1



                          A unique node out of 3 must have value N-1



 Modular     Fixed
arithmetic    size
             Solving linear modular inequalities
                         v0  1mod N  v1
                         v1  1mod N  v2
                         v2  1mod N  v0




                        v0  e0  1mod N
                        w0  f 0  1mod N
                        f 0  1mod N  e0

                        Neighboring vertices have different
 Modular     Fixed      values/colors
arithmetic    size
                 conjunctions of                                         is NP-hard
             Solving linear modular inequalities
                            v0  1mod N  v1
                            v1  1mod N  v2
                            v2  1mod N  v0




                           v0  e0  1mod N
                            w0  f 0  1mod N
                            f 0  1mod N  e0

                            Neighboring vertices have different
 Modular     Fixed          values/colors
arithmetic    size                 [Bjørner, Blass, Gurevich, Muthuvathi, MSR-TR-2008-140]
                        Non-linear-modular constraints
             • Circuit equivalence using Gröbner bases:
                                                               n1 i   n1 i                 Formulate equivalence as
                             Spec:         r1  mult (a, b)    ai 2     bi 2  mod 2n
                                                               i 0     i 0     
                          r1=a*b mod 2m                                                          set of polynomial equalities.
                 a, b
                                                eq?
                                                                                                 Compute Gröbner basis.
                             Impl:
                                           r2
                                                      ni : (ai  bi  ci ) mod 2,               [Wienand et.al, CAV 08]
                                                      ci 1 : ai ci  aibi  bi ci mod 2,....


             • Factorization using Smarandache:
                p( x) : ax5  bx 4  cx3  dx 2  ex  f mod 23  0

                                      whenever           x( x  1)( x  2)( x  3) | p( x)       [Chen 96]
                                                                                                 [Shekharet.al, DATE 06]
             • Taylor-Expansion, Hensel lifting and Newton
               To solve p( x) mod 232  0 first use SAT solver for p( x) mod 2  0 then lift and check solution.
 Modular
arithmetic
             Fixed
              size
                                                                                                  [Babić, Musuvathu, TR 05]
 Modular      Non-fixed                Bit-vector addition is expressible
arithmetic      size                   using bit-wise operations and
                                       bit-vector equalities.

     1    0     1   0     1    1       out = xor(x, y, c)
                                       c’ = (xy)(xc)  (yc)
+                                      c[0] = 0
                                       c’[N-2:0] = c[N-1:1]
    0     1    1    0     0    1

                                          Encoding does not accommodate
                                          bit-vector multiplication.
    FA   FA    FA   FA    FA   FA
                                          What is possible for multiplication?
                                          Eg, working with p-adics?
                                    Note:
                                    x yc
                                                out  xor(x, y, c)
    0     0    0    1     0    0     FA         c’  (xy)  (xc)  (yc)
                                    c’ out
 Bit-wise
              Fixed size
operations

Two approaches
• SAT reduction (Boolector, Z3,…)
  – Circuit encoding of bit-wise predicates.
  – Bit-wise operations as circuits
  – Circuit encoding of adders, multipliers.
• Custom modules
  – SWORD [Wille, Fey, Groe, Eggersgl, Drechsler, 07]
  – Pre-Chaff specialized engine [Huang, Chen, 01]
                  Encoding circuits to SAT - addition
              1        0    1   0    1    1            out = xor(x, y, c)
                                                       c’ = (xy)  (xc)  (yc)
   +                                                   c[0] = 0
             0         1   1    0    0    1            c’[N-2:0] = c[N-1:1]


                                                       outi  xor(xi, yi, ci )
             FA       FA   FA   FA   FA   FA           ci+1  (xiyi)  (xici)  (yici)
                                                       c0    0


                                               (xiyi ci  outi)  (outi xi yi  ci) 
             0         0   0    1    0    0    (xi ci  outi  yi )  (outi  yi  ci  xi) 
                                               (ci  outi  xi  yi )  (outi  xi  ci  yi) 
                                               (yi  outi  xi  ci )  (outi  xi  yi  ci) 
                                               (xiyi  ci+1)  (ci+1  xi yi ) 
                                               (xici  ci+1)  (ci+1  xi ci ) 
                                               (yici  ci+1)  (ci+1  yi ci ) 
 Bit-wise     Fixed                            c0
operations     size
             Encoding circuits to SAT - multiplication
              a0b3           a0b2           a0b1       a0b0
                                                                  O(n2) clauses
               HA     a1b2    HA a1b1        HA     a1b0

                                                                  SAT solving time increases
               FA
                      a2b1
                               FA
                                      a2b0                       exponentially. Similar for
                                                                  BDDs.
                                                                  [Bryant, MC25, 08]
                      a3b0
              FA
                                                                  Brute-force enumeration +
             out3             out2            out1        out0    evaluation faster
                                                                  for 20 bits.
                                                                  [Matthews, BPR 08]

 Bit-wise    Fixed
operations    size
         Equality propagation and bit-vectors in Z3
       • Dual interpretation of bit-vector equalities:

             1. The atom (v = w) is assigned by SAT solver to T or F.

                     Propagate between vi and wi


             2. A bit vi is assigned by SAT solver to T or F.

                     Propagate vi to wi whenever(v = w) is assigned to T,

 Bit-wise    Fixed
operations    size
                               Overflow check

      Unsigned multiplication
                     x u y        (0n  x  0n  y)[2n  1: n] 0n 
                          5s                          650K                90K




 Bit-wise    Fixed
operations    size
             A more economical overflow check
                 msb( x) msb( y )  n                   Always overflows               [Gök 06]


                 msb( x) msb( y )  n                   Never overflows



                 msb( x) msb( y )  n                   Only overflows into n+1 bits




                                               msb( x) msb( y)  n               
                     x u y                                                     
                                     (msb( x) msb( y)  n  (0 x  0 y)[n]  0) 

 Bit-wise    Fixed
operations    size
              A more economical overflow check
                 msb( x ) msb( y )  n           Always overflows



                 msb( x ) msb( y )  n           Never overflows



                 msb( x ) msb( y )  n           Only overflows into n+1 bits



                                 50ms                     150K                       35K




             1 bit          64 bits       1 bit      64 bits         1 bit       64 bits
 Bit-wise      Fixed
operations      size
                             Limiting the entropy
                                                                 [Bryant et.al. 07]
       Main idea:                                                [Brummayer, Biere 09]

        Search for model while fixing (most significant) bits.
       Method similar to small model search:

                                                      Yes: SAT                 No: UNSAT
               Select set of bits from .                          CORE
                                                is               depends on
                Assume the bits to be 0
                                               SAT                 selected
                (or 1 or same as ref bit)                 No
                                                                     bits?


                                             Unfix bits          Yes
 Bit-wise    Fixed
operations    size
  Bit-wise          Non-fixed
                                         Repeat bit t   Bit-wise           Negate
 operations           size               n times.       and                bits of t


 t      :: a, b, c | t  t | t[n : m] | rep(t , n) | t  t | t | t
  ::                         t  t |    |                           Fold and on
                                                                           bits from t
n, m ::                            xi  k | k
                                                Allow length to be parameterized
                                                by more than one variable


     [Pichora 03]
     Provides Tableau search procedure for Satisfiability.
     Shows that the problem is PSPACE complete.
                  A few remarks
• We presented different views on the theory of bit-
  vectors. Arithmetic, Concatenation, Bit-wise.
• Most software analysis applications require bit-
  precise analysis.
• Software applications objective:
  – use bit-vector operations.
  – Not as much verify circuits.
• Still, existing challenges and solutions are shared.
                                                         References
Wong: Modeling Bit Vectors in HOL: the word library [TPHOL 93]                  Bryant, Kroening, Ouaknine, Seshia, Strichman, Brady An Abstraction-
Butler, Miner, Srivas, Greve, Miller: A Bitvectors library for PVS. [NASA 96]    Based Decision Procedure for Bit-Vector Arithmetic [TACAS 2007]
Cyrluk, Möller, Rueß: An Efficient Decision Procedure for the Theory of         Wille, Fey, Groe, Eggersgl, Drechsler: SWORD: A SAT like prover using word
  Fixed-Sized Bit-Vectors. [CAV 97]                                              level information. [VLSISoC 2007]
Barrett, Dill, Levitt: A decision procedure for bit-vector arithmetic [DAC98]   Ganesh ,Dill: Decision Procedure for Bit-Vectors and Arrays [CAV07]
Bjørner, Pichora Deciding Fixed and Non-fixed Size Bit-vectors [TACAS 98]       Bit-vectors in MathSAT4: [CAV07]
Möller, Rueß: Solving Bit-Vector Equations. [FMCAD 98]                          Ganai, Gupta.SAT-based Scalable Formal Verification Solutions. [Book
Möller [Diploma thesis 98]                                                       2007[.
Huang, Cheng: Assertion checking by combined word-level ATPG and                Olm, Seidl: Analysis of Modular Arithmetic [TOPLAS 07]
  modular arithmetic constraint-solving techniques [DAC 00]                     Krautz, Wedler, Kunz, Weber, Jacobi, Pflanz: Verifying full-custom
Huang, Cheng:: Using word-level ATPG and modular arithmetic constraint-          multipliers by Boolean equivalence checking and an arithmetic bit level
  solving techniques for assertion property checking [IEEE 01]                   proof [ASPDAC 08]
Johannsen, Dreschler: Formal Verification on the RT Level Computing One-        Wienand, Wedler, Stoffel, Kunz, Greuel: An Algebraic Approach for Proving
  To-One Design Abstractions by Signal Width Reduction [VLSI'01]                 Data Correctness in Arithmetic Data Paths [CAV 08]
Brinkmann, Drechsler RTL-Datapath Verification using Integer Linear             Workshop on bit-precise reasoning at CAV 08.
  Programming (02)                                                              Bruttomesso, Sharygina: A Scalable Decision Procedure for Fixed-Width
Ciesielski, Kalla, Zeng, Rouzyere. Taylor Expansion Diagrams: A Compact          Bit-Vectors [ICCAD 09]
  Canonical Representation with Applications to Symbolic Verification.          Brummayer, Biere, Lemmas on Demand for the Extensional Theory of
  [DATE 02].                                                                     Arrays. [SMT 08]
Pichora Twig [PhD. Thesis 03]                                                   Brummayer, Biere, Consistency Checking of All Different Constraints over
Babic, Madan Musuvathi Modular arithmetic Decision Procedure, [MSR-              Bit-Vectors within a SAT-Solver [FMCAD 08]
  TR-2005-114]                                                                  Brummayer, Biere Effective Bit-Width and Under-Approximation.
Shekhar, Kalla, Enescu: Equivalence verification of arithmetic datapaths         [EUROCAST 09]
  with multiple word-length operands [EDAA 05]                                  He, Hsiao: An efficient path-oriented bitvector encoding width computation
Russinoff: A Formal Theory of Register-Transfer Logic and Computer               algorithm for bit-precise verification [DATE 09]
  Arithmetic [web pages 2005]                                                   Moy, Bjorner, Sielaff: Modular Bug-finding for Integer Overflows in the
Muller-Olm, Seidl: Analysis of modular arithmetic [ESOP 05]                      Large: Sound, Efficient, Bit-precise Static Analysis [MSR-TR-2009]
      Available SM(BV) Tools
BAT         http://www.ccs.neu.edu/home/pete/bat/index.html
Beaver      http://uclid.eecs.berkeley.edu
Boolector   http://fmv.jku.at/boolector
CVC3        http://www.cs.nyu.edu/acsys/cvc3
MathSAT4    http://mathsat4.disi.unitn.it
OpenSMT     http://verify.inf.unisi.ch/opensmt
Spear       http://domagoj-babic.com/index.php/ResearchProjects/Spear
STP#101     http://people.csail.mit.edu/vganesh/STP_files/stp.html
SWORD       http://www.smtexec.org/exec/competitors2009.php

Yices2      http://yices.csl.sri.com/
Z3          http://research.microsoft.com/projects/z3
Twig        http://www.cs.utoronto.ca/~mpichora/twig/download.html
Abstract Interpretation
       and modular arithmetic


See Blog by Ruzica Piskac,             Material based on:
http://icwww.epfl.ch/~piskac/fsharp/   King & Søndergård, CAV 08
                                       Muller-Olm & Seidl, ESOP 2005
Transition system:

   L                 locations,
   V                 variables,
   S = [V  Val]     states,
   RLSSL         transitions,
   S               initial states
   ℓinit  L         initial location

Concrete reachable states:     CR: L  (S)

Abstract reachable states:     AR: L  A

Connections:
  ⊔:AAA
   : A  (S)
  :SA
   : (S)  A      where (S) = ⊔ {(s) | s  S }
Concrete reachable states:

CR ℓ x   x  ℓ = ℓinit
CR ℓ x  CR ℓ0 x0  R ℓ0 x0 x ℓ

Abstract reachable states:

AR ℓ x  ((x))  ℓ = ℓinit
AR ℓ x  ((AR ℓ0 x0)  R ℓ0 x0 x ℓ)

Why? fewer (finite) abstract states
Abstract reachable states:

  AR ℓinit    ()

Find interpretation M:

  M ⊨ (AR ℓ0 x0)  R ℓ0 x0 x ℓ  (AR ℓ x)

Then:

  AR ℓ        AR ℓ ⊔ (xM)
States are linear congruences:
  A V = b mod 2m

   V is set of program variables.
   A matrix, b vector of coefficients [0.. 2m-1]
ℓ0: y x; c 0;
ℓ1: while y != 0 do [ y y&(y-1); c  c+1 ]
ℓ2 :


When at ℓ2 :
  y is 0.
  c contains number of bits in x.
  States are linear congruences:
      2   3  x0    1        
          x      3 mod 2  
                                 3

      1   1  1              

   2 x0  3x1  1mod 23  x0  x1  3mod 23 

As Bit-vector constraints (SMTish syntax):
 (and
  (= (bvadd (bvmul 010 x0) (bvmul 011 x1)) 001)
  (= (bvadd x0 x1) 011)
 )
                  1 0   x   1 
 ( x  1, y  2)       y    2
                  0 1     

(A V = b mod 2m ) ⊔ (A’ V = b’ mod 2m)
                                                      s 
                         1     1       0    0    0   1  1 
  Combine:               b    0       A    0    0   s2  0 
                                                     x1    
                         0    b '     0    A'   0    0 
                                                    x         
                         0     0       I   I   I   2  0 
                                                      x
                                                       

  Triangulate (Muller-Olm & Seidl)
  Project on x

				
DOCUMENT INFO