Efficient Decision Procedure for Bounded Integer Non-linear - - PowerPoint PPT Presentation


SLIDE 1

Efficient Decision Procedure for Bounded Integer Non-linear Operations using SMT(LIA)

Oct 28, 2008. Malay Ganai, System Analysis & Verification Group, NEC Labs America, Princeton, U.S.A.

SLIDE 2

Outline

  • Motivation
  • Existing Approaches
  • Our Approach
  • Experiments
  • Conclusions

SLIDE 3

Motivation

  • Theory of non-linear integer operations: undecidable in general
    – an imprecise formulation and/or incomplete reasoning is adopted in practice
  • Non-linear integer operations on program variables occur sparingly in application programs
    – multiplication, division, left and right shifts, mod, bitwise operations
  • Overflow and underflow are typically not used as a programming feature
    – signed overflow/underflow is undefined behaviour (C99 / C++98 standards); programmers avoid it for portability reasons
      • more interested in detection: knowing whether an overflow/underflow occurs
      • less interested in the consequences: knowing how an overflow/underflow affects the rest of the computation
    – exploited by most static analysis methods (abstract interpretation)
      • their soundness results depend on the unboundedness of variables
SLIDE 4

Existing Approaches (1/2)

  • Encoding: bit-blasting; solver: Boolean SAT
    – both operands bounded
    – bit-blasting linear integer arithmetic can lead to a large formula
    – arithmetic semantics is "lost" in such an encoding
    – e.g. CBMC
  • Encoding: bit-vector arithmetic; solver: SMT(BV)
    – preprocessor followed by a Boolean SAT solver
    – overflow/underflow handled specifically to the machine architecture
    – precision/scalability trade-off?
    – e.g. Calysto (program analysis) using Spear
  • Abstraction/refinement
    – iterative steps:
      • SAT solver on (under-approximated) bounded data paths,
      • an abstraction on the UNSAT core, followed by
      • a refinement guided by a Presburger/SAT solver
    – no incremental formulation: each problem is generated and solved separately
    – e.g. ASAP, decision procedure for bit-vectors using abstraction

SLIDE 5

Existing Approaches (2/2)

  • Encoding: Booleanization; solver: SMT(LIA)
    – naive encoding for non-linear multiplications and bit-wise operations: Booleanization followed by linearization
    – Bitwise Relational Decomposition (BRD): given an integer x ∈ [0, 2^N), introduce integer variables x_k ∈ [0, 1] for 0 ≤ k ≤ N−1, and a Boolean vector B_{N−1} … B_k … B_0 representing x

      Linear constraint:   $x = \sum_{k=0}^{N-1} 2^k \cdot x_k$
      Boolean constraint:  $B_k \equiv (x_k = 1)$

    – no guidance to SMT(LIA): the solver has to guess the B_k's, as they are not explicitly related to x
    – e.g. MathSAT

SLIDE 6

Our Approach: Highlights

  • Better encoding (over BRD)
    – Bit-wise Structural Decomposition (BSD)
      • the structural relationship between a variable and its decomposition provides better guidance to the solver
    – linearize multiplier, divide, mod, shifts
    – linearization criteria: rules to select the non-linear operand for BSD
  • Lazy Bound Refinement (LBR) algorithm
    – incremental formulation using under- and over-approximations: successively refined problems are solved incrementally
    – refinement step:
      • tighten bounds for un-decomposed variables (X variables)
      • relax bounds for decomposed variables (Y variables)
    – exploits the incremental solving capability of SMT(LIA) solvers: assertion/retraction of bound constraints is typically supported
SLIDE 7

Our Approach: Overview

  • Input: SMT(NLIA) formula φ, a Boolean combination of non-linear and linear integer arithmetic over n bounded integers
  • Encoding: "linearize" the integer non-linear operations (∗, /, %, <<, >>, &, |, ⊗) into linear arithmetic constraints
  • Solving: SMT(LIA) solver driven by LBR
  • Decision procedure (DP) = Encoding + LBR

SLIDE 8

Linearization (multiplier)

  • MULT: z = u ∗ v, with u, v unsigned integers (u ≥ 0, v > 0)
  • Select u for Boolean decomposition, U_{N−1} … U_0 (valid when u < 2^N)

    Initialize:    $r_0 = 0$
    Partial sum:   $r_{k+1} = r_k + \mathrm{ITE}(U_k,\ 2^k \cdot v,\ 0)$ for $0 \le k \le N-1$
    Final result:  $z = r_N$

    Each $2^k \cdot v$ is a constant times a variable, so every constraint is linear; the linearized product is written $u \ast_L v$.

  • z = x ∗ y, with x, y signed integers:

    $u = \mathrm{ITE}(x < 0,\ -x,\ x)$, $v = \mathrm{ITE}(y < 0,\ -y,\ y)$, $w = u \ast_L v$, $z = \mathrm{ITE}((x < 0) \otimes (y < 0),\ -w,\ w)$

SLIDE 9

Linearization (divide, mod)

  • DIV: d = u / v, with u ≥ 0, v > 0 (general case similar to the multiplier)
  • MOD: r = u % v, with u ≥ 0, v > 0 (general case similar to the multiplier)
  • t is an integer variable constrained by the bounding constraint

    $u - v + 1 \le v \ast_L t \le u$

    $d = \mathrm{ITE}(u < v,\ 0,\ \mathrm{ITE}(u = v,\ 1,\ \mathrm{ITE}(v = 1,\ u,\ t)))$
    $r = \mathrm{ITE}(u < v,\ u,\ \mathrm{ITE}(u = v,\ 0,\ \mathrm{ITE}(v = 1,\ 0,\ u - v \ast_L t)))$

SLIDE 10

Linearization (bit-wise operation)

  • z = u bop v, with u, v unsigned integers, bop ∈ {&, |, ⊗}
  • U_{N−1} … U_0 and V_{N−1} … V_0 are the bit decompositions of u and v, respectively

    Initialize:    $r_0 = 0$
    Partial sum:   $r_{k+1} = r_k + \mathrm{ITE}(U_k \ \mathrm{bop}\ V_k,\ 2^k,\ 0)$ for $0 \le k \le N-1$
    Final result:  $z = r_N$

SLIDE 11

Lazy Bounding and Refinement (LBR): Overview

  • Input
    – formula: SMT(LIA) φ_L (linearized formula)
    – partition of the term set:
      • X = {x_1 … x_n}: terms not bit-decomposed
      • Y = {y_1 … y_m}: terms bit-decomposed
    – bounding constraints: −2^N ≤ x_i, y_j < 2^N
  • Incremental formulation
    – do not re-encode the linearized formula φ_L
    – use the assert/retract procedures of the SMT(LIA) solver to tighten/relax bounding constraints
  • Start the y_j variables with a small bound, relax as needed
    – −b(y_j) ≤ y_j < b(y_j), with b(y_j) = 2^β, 0 < β ≤ N
    – the predicates B_k (k-th bit of y_j) get simplified to false for k ≥ β
    – increase β as required
  • Start the x_i variables with no bounds, tighten as needed
    – add the constraints −2^N ≤ x_i < 2^N as needed

SLIDE 12

LBR Algorithm (flow)

  Input: linearized SMT(LIA) formula φ_L; partition of the term set into X and Y.
  Bound constraints over the currently bounded sets X_b ⊆ X and Y_b ⊆ Y:

    $\varphi_{X_b} = \bigwedge_{x \in X_b} (-2^N \le x < 2^N)$
    $\varphi_{Y_b} = \bigwedge_{y \in Y_b} (-b(y) \le y < b(y))$

  1. Initialize: $X_b := \emptyset$; $Y_b := Y$; $\forall y \in Y:\ b(y) := 2^{1}$ (β = 1). SMT_Init(φ_L).
  2. SMT_Assert(φ_{X_b}); SMT_Assert(φ_{Y_b}); SMT_Check.
  3. If SAT, with satisfying assignment α:
       $X_b' := X_b \cup \{x \mid \alpha(x) < -2^N \ \text{or}\ 2^N \le \alpha(x)\}$
     – if $X_b' = X_b$: return SAT
     – else (Tighten Bound): $X_b := X_b'$; go to 2
  4. If UNSAT:
       $Y_b := \{y \mid (-b(y) \le y \ \text{or}\ y < b(y)) \text{ is a cause of UNSAT and } b(y) < 2^N\}$
     – if $Y_b = \emptyset$: return UNSAT
     – else (Relax Bound): SMT_Retract(φ_{Y_b}); $\forall y \in Y_b:\ b(y) := 2 \cdot b(y)$; go to 2

SLIDE 13

LBR: Termination and Correctness

  • Theorem 1: LBR always terminates. It requires O(n + N·m) iterations, where
    – n is the number of X variables,
    – m is the number of Y variables,
    – [−2^N, 2^N) is the system bound.
  • Theorem 2: LBR decides correctly. Let φ_all be φ_L with −2^N ≤ x_i, y_j < 2^N, and let φ_i be the formula at the i-th iteration, when LBR terminates.
    – Claim: φ_all is satisfiable iff φ_i is satisfiable.
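The LBR loop of slides 11-13 as a runnable model. This is an added example, not code from the slides or from NEC's implementation: a brute-force enumerator stands in for the incremental SMT(LIA) solver, `wide` is an assumed finite stand-in for "no bound" on the X variables (any superset of the system bound keeps the verdict correct), and because the stand-in has no UNSAT cores every Y bound still below the system bound is treated as a cause of UNSAT (coarser than the core-guided choice on slide 12, but still sound). The two formulas are constructed toys standing in for a linearized φ_L.

```python
import itertools


def brute_force_solve(phi, ranges):
    """Stand-in for the incremental SMT(LIA) solver: enumerate every assignment
    inside the current bounds and return the first model, or None for UNSAT."""
    names = list(ranges)
    for values in itertools.product(*(ranges[n] for n in names)):
        assignment = dict(zip(names, values))
        if phi(assignment):
            return assignment
    return None


def lbr(phi, X, Y, N, max_iters=1000):
    """Lazy Bound Refinement over the stand-in solver.
    phi : predicate over an assignment dict, playing the role of phi_L
    X   : terms that are not bit-decomposed (start unbounded, tightened lazily)
    Y   : terms that are bit-decomposed (start with b(y) = 2^1, relaxed lazily)
    System bound is [-2^N, 2^N).  Returns (verdict, model, trace)."""
    sys_bound = 2 ** N
    wide = 4 * sys_bound   # assumed finite stand-in for "no bound" on X
    Xb = set()             # X variables whose system bound is currently asserted
    b = {y: 2 for y in Y}  # b(y) = 2^beta with beta = 1 initially
    trace = []
    for _ in range(max_iters):
        # phi_Xb: system bound only for tightened x; phi_Yb: current b(y) for every y
        ranges = {x: range(-sys_bound, sys_bound) if x in Xb else range(-wide, wide) for x in X}
        ranges.update({y: range(-b[y], b[y]) for y in Y})
        model = brute_force_solve(phi, ranges)
        if model is not None:
            # SAT: accept only if every X variable lies inside the system bound,
            # otherwise tighten (assert the system bound) for the offenders
            outside = {x for x in X if not -sys_bound <= model[x] < sys_bound}
            if not outside:
                trace.append("SAT")
                return "SAT", model, trace
            Xb |= outside
            trace.append("tighten " + ",".join(sorted(outside)))
        else:
            # UNSAT: no core available, so every still-tight Y bound is a candidate cause
            Yb = {y for y in Y if b[y] < sys_bound}
            if not Yb:
                trace.append("UNSAT")
                return "UNSAT", None, trace
            for y in Yb:
                b[y] *= 2          # relax: beta := beta + 1
            trace.append("relax " + ",".join(sorted(Yb)))
    raise RuntimeError("iteration budget exceeded")


# Constructed toy formulas (x in X, y in Y); Python's * stands in for the
# linearized product of the decomposed term y.
def phi_sat(a):
    # needs |y| = 3 (beta = 2) and x = y*y + 2 = 11, which is inside [-16, 16) for N = 4
    return a["x"] == a["y"] * a["y"] + 2 and a["x"] > 10


def phi_unsat(a):
    # every model needs x = y*y >= 40, outside the system bound for N = 4: the first
    # model found is rejected by tightening x, after which the run ends UNSAT
    return a["x"] == a["y"] * a["y"] and a["x"] >= 40


if __name__ == "__main__":
    print(lbr(phi_sat, ["x"], ["y"], 4))
    print(lbr(phi_unsat, ["x"], ["y"], 4))
```

The unsatisfiable case exercises both refinement directions: two relaxations of y, one tightening of x once a model with x = 49 shows up, one more relaxation, and UNSAT when b(y) reaches 2^N. That is five iterations for n = 1, m = 1, N = 4, in line with the O(n + N·m) bound of Theorem 1.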

SLIDE 14

Linearization Criteria (LC)

  • Given z = u ∗ v, prefer u over v as per the following rules
  • R1: u is an input operand to more MULTs
    – to reduce the number of operands considered for bit decomposition
  • R2: u has fewer MULTs in its transitive input
    – to reduce bound-relaxing refinements
  • R3: u has a smaller bound size
    – to reduce bound-relaxing refinements

  Example: w1 = u2 ∗ u2, w2 = u1 ∗ w1, w3 = u2 ∗ u3

  Candidate sets for decomposition:
    Y_a = {u1, u2}, Y_b = {w1, u2}, Y_c = {u1, u2, u3}, Y_d = {w1, u2, u3}

  Apply LC:
    R1: Y_c, Y_d ≺ Y_a, Y_b (u2 is an operand of both w1 and w3, so decomposing u2 covers both)
    R2: Y_b ≺ Y_a (u1 has no MULT in its transitive input, w1 has one)
    Result: Y = Y_a = {u1, u2}
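The rules R1-R3 applied mechanically to the slide's MULT network, as an added example that is not code from the slides. The network is the one drawn on the slide; the operand bit-widths in `INPUT_BITS`, the convention that a product's bound size is the sum of its operands' widths (R3), and the tie-breaking toward the first operand are assumptions, since the slide gives none of them.

```python
from collections import defaultdict

# Constructed MULT network from the slide: each entry is (z, u, v) for z = u * v.
MULTS = [("w1", "u2", "u2"), ("w2", "u1", "w1"), ("w3", "u2", "u3")]
# Assumed bound sizes (in bits) of the primary inputs.
INPUT_BITS = {"u1": 8, "u2": 8, "u3": 8}


def mult_network(mults):
    """Map each product term to its operands (needed for R2/R3) and count,
    per operand, how many MULTs it feeds (R1)."""
    produced = {z: (u, v) for z, u, v in mults}
    feeds = defaultdict(int)
    for z, u, v in mults:
        for op in {u, v}:            # a square u * u still counts as one MULT
            feeds[op] += 1
    return produced, feeds


def mults_in_cone(term, produced, memo=None):
    """R2: the set of MULTs in the transitive input of term."""
    if memo is None:
        memo = {}
    if term not in memo:
        if term in produced:
            u, v = produced[term]
            memo[term] = {term} | mults_in_cone(u, produced, memo) | mults_in_cone(v, produced, memo)
        else:
            memo[term] = set()
    return memo[term]


def bound_bits(term, produced, input_bits):
    """R3: bound size; a product is assumed to need the sum of its operands' widths."""
    if term in produced:
        u, v = produced[term]
        return bound_bits(u, produced, input_bits) + bound_bits(v, produced, input_bits)
    return input_bits[term]


def choose_decomposed(mults, input_bits):
    """Apply R1, R2, R3 in order to every MULT z = u * v.
    Returns ({z: operand chosen for BSD}, sorted list of the Y set)."""
    produced, feeds = mult_network(mults)

    def rank(op):
        # smaller tuple wins: more MULTs fed (R1), fewer MULTs in the cone (R2), smaller bound (R3)
        return (-feeds[op], len(mults_in_cone(op, produced)), bound_bits(op, produced, input_bits))

    choice = {}
    for z, u, v in mults:
        choice[z] = u if rank(u) <= rank(v) else v     # assumed: ties keep the first operand
    return choice, sorted(set(choice.values()))


if __name__ == "__main__":
    choice, Y = choose_decomposed(MULTS, INPUT_BITS)
    print(choice, Y)
```

On the slide's network R1 picks u2 for w3 (it feeds two MULTs, u3 feeds one), R2 picks u1 over w1 for w2 (w1 carries one MULT in its cone), and w1 = u2 ∗ u2 has only u2 to choose, giving Y = {u1, u2}, the set Y_a on the slide.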

SLIDE 21

BSD: Bitwise Structural Decomposition

  • Input: bounded unsigned integer u ∈ [0, 2^N)
  • Output: Boolean decomposition B_{N−1} … B_k … B_0

    $t_{N-1} = u$
    Boolean constraint:  $B_k \equiv (t_k \ge 2^k)$ for $N-1 \ge k \ge 0$
    Linear constraint:   $t_{k-1} = \mathrm{ITE}(B_k,\ t_k - 2^k,\ t_k)$ for $N-1 \ge k \ge 1$

  • Compared to the BRD approach
    – no new integer variables, but N−1 additional linear constraints are introduced
    – the structural relationship between the Booleans and the intermediate terms is captured explicitly (pre-computed learning)
    – note: y = ITE(S, a, b) is encoded using 2 CNF clauses

SLIDE 22

BSD Unfolded (example)

  u = 13, N = 4:
    $t_3 = u = 13$;  $B_3 = (13 \ge 2^3) = 1$;  $t_2 = 13 - 2^3 = 5$
    $B_2 = (5 \ge 2^2) = 1$;  $t_1 = 5 - 2^2 = 1$
    $B_1 = (1 \ge 2^1) = 0$;  $t_0 = t_1 = 1$
    $B_0 = (1 \ge 2^0) = 1$
    $B_3 B_2 B_1 B_0 = 1101 \equiv 13$
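The BSD chain of slides 21-22 and the linearized operators of slides 8-10 as one executable model, cross-checked against Python's arithmetic. This is an added example, not code from the slides: every ITE is evaluated on concrete values (in the real encoding it becomes Boolean and linear constraints for the SMT(LIA) solver), and the integer variable t of the divide/mod encoding, which the solver would choose, is found here by searching the bounded range for a value meeting the bounding constraint.

```python
def ite(c, a, b):
    """ITE(c, a, b) on concrete values."""
    return a if c else b


def bsd(u, N):
    """Bitwise Structural Decomposition: t_{N-1} = u, B_k = (t_k >= 2^k),
    t_{k-1} = ITE(B_k, t_k - 2^k, t_k).  Returns [B_{N-1}, ..., B_0] as 0/1 ints."""
    assert 0 <= u < 2 ** N, "BSD needs u in [0, 2^N)"
    t = u
    bits = []
    for k in range(N - 1, -1, -1):
        B_k = t >= 2 ** k
        bits.append(int(B_k))
        t = ite(B_k, t - 2 ** k, t)
    return bits


def lin_mult_unsigned(u, v, N):
    """u *_L v with u decomposed: r_0 = 0, r_{k+1} = r_k + ITE(U_k, 2^k * v, 0), z = r_N.
    2^k * v is a constant times a variable, so every step is linear."""
    U = bsd(u, N)[::-1]          # U[k] is bit k of u
    r = 0
    for k in range(N):
        r = r + ite(U[k], (2 ** k) * v, 0)
    return r


def lin_mult(x, y, N):
    """Signed multiplier via ITEs around the unsigned one.
    |x| must stay below 2^N, so x = -2^N is not covered by an N-bit decomposition."""
    u = ite(x < 0, -x, x)
    v = ite(y < 0, -y, y)
    w = lin_mult_unsigned(u, v, N)
    return ite((x < 0) != (y < 0), -w, w)


def lin_div_mod(u, v, N):
    """d = u / v and r = u % v for u >= 0, v > 0.  The integer variable t is
    constrained by  u - v + 1 <= v *_L t <= u;  here we search the bounded range for it."""
    assert u >= 0 and v > 0
    t = next(tt for tt in range(2 ** N) if u - v + 1 <= lin_mult_unsigned(v, tt, N) <= u)
    d = ite(u < v, 0, ite(u == v, 1, ite(v == 1, u, t)))
    r = ite(u < v, u, ite(u == v, 0, ite(v == 1, 0, u - lin_mult_unsigned(v, t, N))))
    return d, r


def lin_bitwise(u, v, N, bop):
    """z = u bop v: r_0 = 0, r_{k+1} = r_k + ITE(U_k bop V_k, 2^k, 0), z = r_N."""
    U = bsd(u, N)[::-1]
    V = bsd(v, N)[::-1]
    r = 0
    for k in range(N):
        r = r + ite(bop(U[k], V[k]), 2 ** k, 0)
    return r


AND = lambda a, b: a & b
OR = lambda a, b: a | b
XOR = lambda a, b: a ^ b


def check_against_python(N=4):
    """Exhaustively compare every operator with Python's arithmetic over the
    unsigned range [0, 2^N) and the signed range (-2^N, 2^N)."""
    for u in range(2 ** N):
        assert bsd(u, N) == [int(c) for c in format(u, f"0{N}b")]
        for v in range(2 ** N):
            assert lin_mult_unsigned(u, v, N) == u * v
            assert lin_bitwise(u, v, N, AND) == u & v
            assert lin_bitwise(u, v, N, OR) == u | v
            assert lin_bitwise(u, v, N, XOR) == u ^ v
            if v > 0:
                assert lin_div_mod(u, v, N) == (u // v, u % v)
    for x in range(-2 ** N + 1, 2 ** N):
        for y in range(-2 ** N + 1, 2 ** N):
            assert lin_mult(x, y, N) == x * y
    return True


if __name__ == "__main__":
    print(bsd(13, 4), lin_mult_unsigned(13, 3, 4), lin_div_mod(13, 3, 4))
    print("all operators agree with Python arithmetic:", check_against_python(4))
```

`bsd(13, 4)` reproduces the trace on this slide (1101), and the exhaustive check makes the edge case visible: the signed range stops at −2^N + 1 because |−2^N| needs N + 1 bits, which is exactly why the signed multiplier on slide 8 is stated for u < 2^N.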

SLIDE 23

Encoding from φ to φ_L: Summary

  • Input φ: SMT(NLIA), system bound [−2^N, 2^N)
  • Output φ_L: SMT(LIA) (linearized formula)
  • Partition the terms into the X and Y sets using LC
    – X = {x_1 … x_n}: variables that will not be decomposed
    – Y = {y_1 … y_m}: variables that will be decomposed
  • Decompose the Y variables using BSD
    – add Boolean constraints for the ITEs and predicates
    – add the intermediate-term linear equations
  • Linearize the non-linear operations
    – add Boolean constraints for the ITEs and predicates
    – add linear constraints (partial sums)

SLIDE 24

Application: Software verification

    int foo(int x) {
        int s = x + 2;
        int t = s - 3;
        if (t > 6)
            t = t * x;
        else
            t = t - 1;
        s += t;
        return s;
    }

  [Figure: CFG of foo with three blocks: block 1: s = x+2; t = x−1; branch on t > 6; block 2 (t > 6): t = t ∗ x; block 3 (!(t > 6)): t = t−1; then s += t. The only non-linear term is t ∗ x; t is bit-decomposed into B2 B1 B0 to linearize it.]

  F-Soft flow: CFG Gen → Model Gen → BMC → SMT problem with linear + non-linear integer arithmetic over n bounded integers → "linearize" the integer non-linear operations (∗, /, %, <<, >>, &, |, ⊗) into linear arithmetic constraints → SMT(LIA) solver + LBR (DP: Encoding + LBR)

SLIDE 25

Experiments (Comparisons)

  • Solvers
    – LBR + SMT(LIA) solver yices (1.0.11)
    – SMT(BV) solver Z3 (ver 1.1)
  • Linearization criteria (for BSD)
    – LC: with linearization criteria R1–R3
    – NLC: does not follow R1–R3
  • Encoding
    – BRD: bitwise relational decomposition
    – BSD: bitwise structural decomposition
  • Decision procedures (using BSD)
    – LBR-LE: lazy bounds on X, eager bounds on Y
    – LBR-EL: eager bounds on X, lazy bounds on Y
    – LBR-LL: lazy bounds on X, lazy bounds on Y

SLIDE 26

Experiment-1 (Controlled)

  Benchmarks: S:f2,f3 ≡ solve f2(x) = 0 ∧ f3(x,y) = 0 (the functions share x); D:f2,f3 ≡ solve f2(x1) = 0 ∧ f3(x2,y) = 0 (disjoint copies x1, x2). The functions:

    $f_1(x,y) = x^2 y + 11x^2 + 13xy + 143x + 30y + 330 = (x+3)(x+10)(y+11)$
    $f_2(x) = x^3 + 9x^2 + 27x + 27 = (x+3)^3$
    $f_3(x,y,z) = 12xyz + 8xz + 36yz + 24z + 6xy + 4x + 18y + 12 = 2(2z+1)(x+3)(3y+2)$
    $f_4(y) = y^3 + 27y^2 + 243y + 729 = (y+9)^3$
    $f_5(x) = x^2 - 3x + 2 = (x-1)(x-2)$
    $f_6(x,y,c) = xy - c$, with c a product of primes (instances c1 … c6)

  Legend: nx = number of X variables, ny = number of Y variables, #R = number of relaxations, TO = timeout, - = not recoverable. Solve times in seconds. Time limit: 600s (1000s for Z3). Platform: 3.4GHz Linux (Windows for Z3).

  Ex            |  With linearization criteria (LC)                         |  No LC (NLC)              |  Z3
                |  nx  ny  #R  BRD-LL   LBR-LE   LBR-EL   LBR-LL            |  nx  ny  #R   NLC-LL      |
                |              X:L Y:L  X:L Y:E  X:E Y:L  X:L Y:L           |               X:L Y:L     |
  S:f1          |  20   2   2    TO       3.1      3.7      9.5             |  20   2   2      0.8      |    1
  S:f2          |  19   1   2    TO       0.7      0.5      1.6             |  18   2   4      3.6      |  195
  S:f1,f3       |  49   3   2    TO      10.9     10.8    286.2             |  47   5   4    123.0      |   38
  S:f1,f2       |  38   2   2    TO       2.1      1.4     54.5             |  37   3   4     10.1      |  175
  S:f2,f3       |  50   2   2    TO       4.1      3.8     58.4             |  46   6   4    528.1      |    1
  D:f2,f3       |  50   4   2    TO      16.0     32.9     58.2             |  48   6   -       TO      |   TO
  D:f1,f4,f5    |  59   5   4    TO     104.3    121.8    560.8             |  58   6   7    297.1      |  328
  D:f4,f6(c1)   |  34   2   8    TO      19.2     43.3     47.5             |  33   3   8     68.9      |   TO
  D:f4,f6(c2)   |  34   2  10    TO      86.3    118.4    154.0             |  33   3  10    169.0      |   TO
  D:f4,f6(c3)   |  34   2   6    TO      10.1     13.9     21.4             |  33   3   7     50.9      |   TO
  D:f4,f6(c4)   |  34   2   4    TO       3.3      3.6      9.2             |  33   3   7     61.9      |   TO
  D:f4,f6(c5)   |  34   2   6    TO      10.7     14.3     13.2             |  33   3   7     60.6      |   TO
  D:f4,f6(c6)   |  34   2   4    TO       3.3      3.6      8.0             |  33   3   7     60.3      |   TO

  Observations highlighted on the slide builds: the linearization criteria reduce the number of Y variables (ny) and the number of relaxations (#R) relative to NLC, and BSD-based LBR solves every instance while BRD-LL times out on all of them.

SLIDE 34

Experiment-2 (SMT-based BMC)

  Benchmarks: gcd-p1-p2 (rows G-p1-p2) and lcm-p3-p4 (rows L-p3-p4). BMC searches for inputs (x, y) that reach the failing assertion, i.e. x + y == p1 with gcd(x, y) == p2, or x + y == p3 with lcm(x, y) == p4; p1–p4 are substituted per benchmark instance (e.g. G-91-13: p1 = 91, p2 = 13).

    #include <assert.h>

    int gcd(int a, int b);

    /* Parameters p1-p2 */
    void gcd_p1_p2(int x, int y) {
        int g;
        int count = 1;
        g = gcd(x, y);
        if (x + y == p1 && g == p2)
            count -= 1;
        assert(count);
    }

    /* Parameters p3-p4 */
    void lcm_p3_p4(int x, int y) {
        int g, l;
        int count = 1;
        g = gcd(x, y);
        l = (x * y) / g;   /* LCM */
        if (x + y == p3 && l == p4)
            count -= 1;
        assert(count);
    }

    int gcd(int a, int b) {
        while (b != 0) {
            int t = b;
            b = a % b;
            a = t;
        }
        return a;
    }

  Legend: #R = number of relaxations; solve times in seconds; TO = timeout. Time limit: 600s (1000s for Z3). Platform: 3.4GHz Linux (Windows for Z3).

  Ex            #R   LBR-LE   LBR-EL   LBR-LL   BRD-LL    Z3
                     X:L Y:E  X:E Y:L  X:L Y:L  X:L Y:L
  L-91-78       10     20.4     13.8     21.0     27.1    TO
  L-273-260      8     70.6     35.6     37.5     56.2    TO
  L-21-14        4     15.4      7.7     10.5      9.8    TO
  L-1891-1830    2    123.9     51.0    137.7    333.8    TO
  G-91-13        2      2.6      3.4      2.9      2.8    20
  G-7747-127     2     54.6     19.6      3.6      9.1    77
  G-273-13       2      5.1      3.0      2.4      2.9    26
  G-21-3         2      1.1      1.4      0.8      2.4     7
  G-1891-61      2     27.9     11.4     12.1      4.6   497

SLIDE 40

Experiment-3 (SMT-based BMC)

  • C programs (industry + public domain): Linux drivers, network applications, embedded software
  • Predominantly linear operators, with sporadic non-linear operators: /, %, &
  • Properties: array-bound violations, assertions

  Legend: Ex(#prp) = benchmark (number of properties); TLW = time to find the last witness, in seconds; DTO = depth column as labelled on the slide; #W = number of witnesses found. Time limit: 1000s. Platform: 3.4GHz Linux.

  Ex(#prp)  | LBR-LL (X:L, Y:L)   | BRD (X:L, Y:L)      | LBR-LE (X:L, Y:E) | LBR-EL (X:E, Y:L)
            | TLW    DTO   #W     | TLW    DTO   #W     | DTO               | TLW    DTO   #W
  B1(88)    |  30.3  241   40     |  30.3  241   40     | 138               |  69.8  138   40
  B2(12)    |   7.2  436    7     |   6.6  399    7     |  24               |   5.1  303    7
  B3(33)    | 821.6  261   23     | 772.2  234   22     |  12               | 962.1  232   22
  B4(14)    |  26.1  530   10     |  45.7  386   10     |   8               |  51.8  363   10
  B5(57)    | 946.6  184   18     | 981.2  173   15     |  29               | 878.9  181   17
  B6(5)     |   5.7  590    3     |  24.5  532    3     | 119               |  31.5  467    3
  B7(1)     |   1.2  161    1     |   1.6  161    1     | 161               |   4.2  161    1

  The LBR-LE TLW and #W columns only partially survived extraction: TLW values 69.0, 143.6, 67.3, 831.1, 184.1 and #W values 40, 2, 1, 2, 1 were recovered, but their alignment to rows is not; on every benchmark LBR-LL finds at least as many witnesses as the other configurations.

SLIDE 44

Summary/Conclusions

  • Efficient decision procedure for the non-linear theory over bounded integers
    – improved bit-wise decomposition
      • pre-computed learning provides guidance to the SMT solver
      • compared BSD vs BRD
    – improved linearization
      • linearization criteria reduce the number of refinement steps
      • compared LC vs NLC
    – lazy-bounding and refinement algorithm
      • incremental formulation; exploits the incremental capability of SMT(LIA) solvers
      • avoids re-encoding, thereby improving overall performance
      • compared LBR-LL, LBR-LE, LBR-EL, Z3
  • Effective for verification of application programs
    – overflow and underflow are not used as a programming feature
    – non-linear terms are used sporadically; Boolean and linear terms dominate
    – an SMT(BV) solver may be overkill for such applications

SLIDE 45

Questions