Antoine Miné

DOI: https://doi.org/10.48550/arXiv.cs/0703077

2007-03-15

Programming Languages

Abstract:We present a new idea to adapt relational abstract domains to the analysis of IEEE 754-compliant floating-point numbers in order to statically detect, through abstract Interpretation-based static analyses, potential floating-point run-time exceptions such as overflows or invalid operations. In order to take the non-linearity of rounding into account, expressions are modeled as linear forms with interval coefficients. We show how to extend already existing numerical abstract domains, such as the octagon abstract domain, to efficiently abstract transfer functions based on interval linear forms. We discuss specific fixpoint stabilization techniques and give some experimental results.

Matthieu Lemerre,Sébastien Bardin

DOI: https://doi.org/10.48550/arXiv.1712.10058

2017-12-29

Abstract:The traditional abstract domain framework for imperative programs suffers from several shortcomings; in particular it does not allow precise symbolic abstractions. To solve these problems, we propose a new abstract interpretation framework, based on symbolic expressions used both as an abstraction of the program, and as the input analyzed by abstract domains. We demonstrate new applications of the frame- work: an abstract domain that efficiently propagates constraints across the whole program; a new formalization of functor domains as approximate translation, which allows the production of approximate programs, on which we can perform classical symbolic techniques. We used these to build a complete analyzer for embedded C programs, that demonstrates the practical applicability of the framework.

Software Engineering

Jared Pincus,Eric Koskinen

2024-11-26

Abstract:Commutativity of program code (i.e. the equivalence of two code fragments composed in alternate orders) is of ongoing interest in many settings such as program verification, scalable concurrency, and security analysis. While some have explored static analysis for code commutativity, few have specifically catered to heap-manipulating programs. We introduce an abstract domain in which commutativity synthesis or verification techniques can safely be performed on abstract mathematical models and, from those results, one can directly obtain commutativity conditions for concrete heap programs. This approach offloads challenges of concrete heap reasoning into the simpler abstract space. We show this reasoning supports framing and composition, and conclude with commutativity analysis of programs operating on example heap data structures. Our work has been mechanized in Coq and is available in the supplement.

Programming Languages,Logic in Computer Science

Eden Frenkel,Tej Chajed,Oded Padon,Sharon Shoham

2024-08-19

Abstract:This paper lays a practical foundation for using abstract interpretation with an abstract domain that consists of sets of quantified first-order logic formulas. This abstract domain seems infeasible at first sight due to the complexity of the formulas involved and the enormous size of sets of formulas (abstract elements). We introduce an efficient representation of abstract elements, which eliminates redundancies based on a novel syntactic subsumption relation that under-approximates semantic entailment. We develop algorithms and data structures to efficiently compute the join of an abstract element with the abstraction of a concrete state, operating on the representation of abstract elements. To demonstrate feasibility of the domain, we use our data structures and algorithms to implement a symbolic abstraction algorithm that computes the least fixpoint of the best abstract transformer of a transition system, which corresponds to the strongest inductive invariant. We succeed at finding, for example, the least fixpoint for Paxos (which in our representation has 1,438 formulas with $\forall^*\exists^*\forall^*$ quantification) in time comparable to state-of-the-art property-directed approaches.

Logic in Computer Science

Vincenzo Arceri,Isabella Mastroeni,Enea Zaffanella

DOI: https://doi.org/10.48550/arXiv.2206.10893

2022-06-22

Programming Languages

Abstract:Abstract Interpretation approximates the semantics of a program by mimicking its concrete fixpoint computation on an abstract domain $\mathbb{A}$. The abstract (post-) fixpoint computation is classically divided into two phases: the ascending phase, using widenings as extrapolation operators to enforce termination, is followed by a descending phase, using narrowings as interpolation operators, so as to mitigate the effect of the precision losses introduced by widenings. In this paper we propose a simple variation of this classical approach where, to more effectively recover precision, we decouple the two phases: in particular, before starting the descending phase, we replace the domain $\mathbb{A}$ with a more precise abstract domain $\mathbb{D}$. The correctness of the approach is justified by casting it as an instance of the A$^2$I framework. After demonstrating the new technique on a simple example, we summarize the results of a preliminary experimental evaluation, showing that it is able to obtain significant precision improvements for several choices of the domains $\mathbb{A}$ and $\mathbb{D}$.

David Monniaux

DOI: https://doi.org/10.2168/lmcs-6(3:4)2010

2010-07-20

Logical Methods in Computer Science

Abstract:<p>We propose a method for automatically generating abstract transformers forstatic analysis by abstract interpretation. The method focuses on linearconstraints on programs operating on rational, real or floating-point variablesand containing linear assignments and tests. Given the specification of anabstract domain, and a program block, our method automatically outputs animplementation of the corresponding abstract transformer. It is thus a form ofprogram transformation. In addition to loop-free code, the same method alsoapplies for obtaining least fixed points as functions of the precondition,which permits the analysis of loops and recursive functions. The motivation ofour work is data-flow synchronous programming languages, used for buildingcontrol-command embedded systems, but it also applies to imperative andfunctional programming. Our algorithms are based on quantifier elimination andsymbolic manipulation techniques over linear arithmetic formulas. We also giveless general results for nonlinear constraints and nonlinear programconstructs.</p>

computer science, theory & methods,logic

Sven Apel,Dirk Beyer,Karlheinz Friedberger,Franco Raimondi,Alexander von Rhein

DOI: https://doi.org/10.48550/arXiv.1305.6640

2013-05-29

Abstract:The success of software model checking depends on finding an appropriate abstraction of the subject program. The choice of the abstract domain and the analysis configuration is currently left to the user, who may not be familiar with the tradeoffs and performance details of the available abstract domains. We introduce the concept of domain types, which classify the program variables into types that are more fine-grained than standard declared types, such as int or long, in order to guide the selection of an appropriate abstract domain for a model checker. Our implementation determines the domain type for each variable in a pre-processing step, based on the variable usage in the program, and then assigns each variable to an abstract domain. The model-checking framework that we use supports to specify a separate analysis precision for each abstract domain, such that we can freely configure the analysis. We experimentally demonstrate a significant impact of the choice of the abstract domain per variable. We consider one explicit (hash tables for integer values) and one symbolic (binary decision diagrams) domain. The experiments are based on standard verification tasks that are taken from recent competitions on software verification. Each abstract domain has unique advantages in representing the state space of variables of a certain domain type. Our experiments show that software model checkers can be improved with a domain-type guided combination of abstract domains.

Software Engineering,Programming Languages

Stanley Bak,Taylor Dohmen,K. Subramani,Ashutosh Trivedi,Alvaro Velasquez,Piotr Wojciechowski

DOI: https://doi.org/10.1007/s10703-024-00457-y

2024-06-19

Formal Methods in System Design

Abstract:Efficient verification algorithms for neural networks often depend on various abstract domains such as intervals , zonotopes , and linear star sets . The choice of the abstract domain presents an expressiveness vs. scalability trade-off: simpler domains are less precise but yield faster algorithms. This paper investigates the hexatope and octatope abstract domains in the context of neural net verification. Hexatopes are affine transformations of higher-dimensional hexagons, defined by difference constraint systems, and octatopes are affine transformations of higher-dimensional octagons, defined by unit-two-variable-per-inequality constraint systems. These domains generalize the idea of zonotopes which can be viewed as affine transformations of hypercubes. On the other hand, they can be considered as a restriction of linear star sets, which are affine transformations of arbitrary -Polytopes. This distinction places hexatopes and octatopes firmly between zonotopes and linear star sets in their expressive power, but what about the efficiency of decision procedures? An important analysis problem for neural networks is the exact range computation problem that asks to compute the exact set of possible outputs given a set of possible inputs. For this, three computational procedures are needed: (1) optimization of a linear cost function; (2) affine mapping; and (3) over-approximating the intersection with a half-space. While zonotopes allow an efficient solution for these approaches, star sets solves these procedures via linear programming. We show that these operations are faster for hexatopes and octatopes than they are for the more expressive linear star sets by reducing the linear optimization problem over these domains to the minimum cost network flow, which can be solved in strongly polynomial time using the Out-of-Kilter algorithm. Evaluating exact range computation on several ACAS Xu neural network benchmarks, we find that hexatopes and octatopes show promise as a practical abstract domain for neural network verification.

computer science, theory & methods

Francesco Logozzo,Matthieu Martel

DOI: https://doi.org/10.4204/EPTCS.129.21

2013-09-20

Abstract:We consider the problem of synthesizing provably non-overflowing integer arithmetic expressions or Boolean relations among integer arithmetic expressions. First we use a numerical abstract domain to infer numerical properties among program variables. Then we check if those properties guarantee that a given expression does not overflow. If this is not the case, we synthesize an equivalent, yet not-overflowing expression, or we report that such an expression does not exists. The synthesis of a non-overflowing expression depends on three, orthogonal factors: the input expression (e.g., is it linear, polynomial,... ?), the output expression (e.g., are case splits allowed?), and the underlying numerical abstract domain - the more precise the abstract domain is, the more correct expressions can be synthesized. We consider three common cases: (i) linear expressions with integer coefficients and intervals; (ii) Boolean expressions of linear expressions; and (iii) linear expressions with templates. In the first case we prove there exists a complete and polynomial algorithm to solve the problem. In the second case, we have an incomplete yet polynomial algorithm, whereas in the third we have a complete yet worst-case exponential algorithm.

Programming Languages,Software Engineering

Chong Li,K. F. Ng

DOI: https://doi.org/10.1137/120885176

IF: 2.763

2013-01-01

SIAM Journal on Optimization

Abstract:We consider conic inequality systems of the type$F(x)\ge_K 0$, with approximate solution $x_0$ associated to a parameter $\tau$,where $F$ is a twice Fréchet differentiable function between Hilbert spaces $X$ and $Y$, and$\ge_K$ is the partial order in $Y$ defined by anonempty convex (not necessarily closed) cone $K\subseteq Y$.We prove that, under the suitable conditions,the system $F(x)\ge_K 0$is solvable, and the ratio of the distance from $x_0$ to the solution set $S$ over the distance from $F(x_0)$ to the cone $K$ has anupper bound given explicitlyin terms of $\tau$ and $x_0$. We show that the upper bound is sharp.Applications to analytic function inequality/equality systems on Euclidean spaces are given,and the corresponding results of Dedieu [ SIAM J. Optim. , 11 (2000), pp. 411--425] are extended and significantly improved.

Kenny Ballou,Elena Sherman

DOI: https://doi.org/10.1007/978-3-031-35257-7_13

2023-04-28

Abstract:Verification techniques express program states as logical formulas over program variables. For example, symbolic execution and abstract interpretation encode program states as a set of integer inequalities. However, for real-world programs these formulas tend to become large, which affects scalability of analyses. To address this problem, researchers developed complementary approaches which either remove redundant inequalities or extract a subset of inequalities sufficient for specific reasoning. For arbitrary integer inequalities, such reduction approaches either have high complexities or over-approximate. However, efficiency and precision of these approaches can be improved for a restricted type of logical formulas used in relational numerical abstract domains. While previous work investigated custom efficient redundant inequality elimination for Zones states, our work examines custom semantic slicing algorithms that identify a minimal set of changed inequalities in Zones states. The client application of the minimal changes in Zones is an empirical study on comparison between invariants computed by data-flow analysis using Zones, Intervals and Predicates numerical domains. In particular, evaluations compare how our proposed algorithms affect the precision of comparing Zones vs. Intervals and Zones vs. Predicates abstract domains. The results show our techniques reduce the number of variables by more than 70% and the number of inequalities by 30%, compared to full states. The approach refines the granularity of comparison between domains, reducing incomparable invariants between Zones and Predicates from 52% to 4%, and increases equality of Intervals and Zones, invariants from 27% to 71%. The techniques improve the comparison efficiency by reducing total runtime for all subject comparisons for Zones and Predicates from over 4 minutes to a few seconds.

Logic in Computer Science

Li Bin,Zhai Juan,Tang Zhenhao,Tang Enyi,Zhao Jianhua

DOI: https://doi.org/10.1109/apsec.2017.8

2017-01-01

Abstract:interpretation is capable of inferring a wide variety of quantifier-free program invariants. In this paper, we propose a general framework for building universally quantified abstract domains that leverage existing quantifier-free domains in induction-loop programs. This method is sound and converges in finite time. We instantiate this framework using two quantifier free domains: difference-bound matrices with disequality constraints (dDBM) domain and polynomial equations domain. The experiments on a variety of programs using arrays demonstrate the feasibility of the approach.

Thomas Gawlitza,David Monniaux

DOI: https://doi.org/10.2168/lmcs-8(3:29)2012

2012-09-30

Logical Methods in Computer Science

Abstract:We consider the problem of computing numerical invariants of programs, for instance bounds on the values of numerical program variables. More specifically, we study the problem of performing static analysis by abstract interpretation using template linear constraint domains. Such invariants can be obtained by Kleene iterations that are, in order to guarantee termination, accelerated by widening operators. In many cases, however, applying this form of extrapolation leads to invariants that are weaker than the strongest inductive invariant that can be expressed within the abstract domain in use. Another well-known source of imprecision of traditional abstract interpretation techniques stems from their use of join operators at merge nodes in the control flow graph. The mentioned weaknesses may prevent these methods from proving safety properties. The technique we develop in this article addresses both of these issues: contrary to Kleene iterations accelerated by widening operators, it is guaranteed to yield the strongest inductive invariant that can be expressed within the template linear constraint domain in use. It also eschews join operators by distinguishing all paths of loop-free code segments. Formally speaking, our technique computes the least fixpoint within a given template linear constraint domain of a transition relation that is succinctly expressed as an existentially quantified linear real arithmetic formula. In contrast to previously published techniques that rely on quantifier elimination, our algorithm is proved to have optimal complexity: we prove that the decision problem associated with our fixpoint problem is in the second level of the polynomial-time hierarchy.

computer science, theory & methods,logic

Bertrand Jeannet,Peter Schrammel,Sriram Sankaranarayanan

DOI: https://doi.org/10.1145/2578855.2535843

2014-01-13

ACM SIGPLAN Notices

Abstract:We present abstract acceleration techniques for computing loop invariants for numerical programs with linear assignments and conditionals. Whereas abstract interpretation techniques typically over-approximate the set of reachable states iteratively, abstract acceleration captures the effect of the loop with a single, non-iterative transfer function applied to the initial states at the loop head. In contrast to previous acceleration techniques, our approach applies to any linear loop without restrictions. Its novelty lies in the use of the Jordan normal form decomposition of the loop body to derive symbolic expressions for the entries of the matrix modeling the effect of η ≥ Ο iterations of the loop. The entries of such a matrix depend on η through complex polynomial, exponential and trigonometric functions. Therefore, we introduces an abstract domain for matrices that captures the linear inequality relations between these complex expressions. This results in an abstract matrix for describing the fixpoint semantics of the loop. Our approach integrates smoothly into standard abstract interpreters and can handle programs with nested loops and loops containing conditional branches. We evaluate it over small but complex loops that are commonly found in control software, comparing it with other tools for computing linear loop invariants. The loops in our benchmarks typically exhibit polynomial, exponential and oscillatory behaviors that present challenges to existing approaches. Our approach finds non-trivial invariants to prove useful bounds on the values of variables for such loops, clearly outperforming the existing approaches in terms of precision while exhibiting good performance.

Arjun Pitchanathan,Albert Cohen,Oleksandr Zinenko,Tobias Grosser

2024-07-04

Abstract:A wide range of symbolic analysis and optimization problems can be formalized using polyhedra. Sub-classes of polyhedra, also known as sub-polyhedral domains, are sought for their lower space and time complexity. We introduce the Strided Difference Bound Matrix (SDBM) domain, which represents a sweet spot in the context of optimizing compilers. Its expressiveness and efficient algorithms are particularly well suited to the construction of machine learning compilers. We present decision algorithms, abstract domain operators and computational complexity proofs for SDBM. We also conduct an empirical study with the MLIR compiler framework to validate the domain's practical applicability. We characterize a sub-class of SDBMs that frequently occurs in practice, and demonstrate even faster algorithms on this sub-class.

Symbolic Computation,Programming Languages

David Monniaux,Francesco Alberti

DOI: https://doi.org/10.48550/arXiv.1506.04161

2015-06-12

Programming Languages

Abstract:We present an approach for the static analysis of programs handling arrays, with a Galois connection between the semantics of the array program and semantics of purely scalar operations. The simplest way to implement it is by automatic, syntactic transformation of the array program into a scalar program followed analysis of the scalar program with any static analysis technique (abstract interpretation, acceleration, predicate abstraction,.. .). The scalars invariants thus obtained are translated back onto the original program as universally quantified array invariants. We illustrate our approach on a variety of examples, leading to the " Dutch flag " algorithm.

Christian Bagshaw,Bryce Kerr

2023-04-11

Abstract:In recent decades, the use of ideas from Minkowski's Geometry of Numbers has gained recognition as a helpful tool in bounding the number of solutions to modular congruences with variables from short intervals. In 1941, Mahler introduced an analogue to the Geometry of Numbers in function fields over finite fields. Here, we build on Mahler's ideas and develop results useful for bounding the sizes of intersections of lattices and convex bodies in $\mathbb{F}_q((1/T))^d$, which are more precise than what is known over $\mathbb{R}^d$. These results are then applied to various problems regarding bounding the number of solutions to congruences in $\mathbb{F}_q[T]$, such as the number of points on polynomial curves in low dimensional subspaces of finite fields. Our results improve on a number of previous bounds due to Bagshaw, Cilleruelo, Shparlinski and Zumalacárregui. We also present previous techniques developed by various authors for estimating certain energy/point counts in a unified manner.

Number Theory

Santiago Bautista,Thomas Jensen,Benoît Montagu

DOI: https://doi.org/10.1007/s10703-024-00456-z

2024-06-15

Formal Methods in System Design

Abstract:We define an abstract interpreter for programs manipulating scalars, immutable non-recursive algebraic data types (ADTs), functional arrays and non-recursive functions. We define a first domain that expresses relations between values of ADTs. Our domain extends numeric domains in a generic way, by a disjunctive completion over a reduced product of domains for numeric relations, equalities, and variant constructors. We further extend the segmentation approach for array analysis, in order to allow for values of ADTs inside arrays, and also to capture relations between the content of arrays and the other variables in the program. Our analysis is inter-procedural and modular: it proceeds by computing summaries of the input–output relations of functions, which are then instantiated at call sites. The analysis of ADTs has been implemented in OCaml and tested on a sample of small-to-medium examples, some of which are simplified versions of functions from the formal specification of the seL4 microkernel.

computer science, theory & methods

Nicholas Aidoo

2023-07-31

Abstract:For any given sum of squares domain in $\mathbb{C}^n,$ we reduce the complexity in Catlin's multitype techniques by giving a complete normalization of the geometry. Using this normalization result, we present a more elementary proof of the equality of the Catlin multitype and the commutator multitype for such domains when both invariants are finite. Finally, we reformulate algebraically Catlin's machinery for the commutator multitype computation at the origin for any given sum of squares domain in $\mathbb{C}^n$.

Complex Variables

Shengchao Qin,Guanhua He,Chenguang Luo,Wei-Ngan Chin,Xin Chen

DOI: https://doi.org/10.1016/j.jsc.2012.08.007

IF: 0.97

2013-01-01

Journal of Symbolic Computation

Abstract:Automated verification of memory safety and functional correctness for heap-manipulating programs has been a challenging task, especially when dealing with complex data structures with strong invariants involving both shape and numerical properties. Existing verification systems usually rely on users to supply annotations to guide the verification, which can be cumbersome and error-prone by hand and can significantly restrict the usability of the verification system. In this paper, we reduce the need for some user annotations by automatically inferring loop invariants over an abstract domain with both shape and numerical information. Our loop invariant synthesis is conducted automatically by a fixed-point iteration process, equipped with newly designed abstraction mechanism, together with join and widening operators over the combined domain. We have also proven the soundness and termination of our approach. Initial experiments confirm that we can synthesise loop invariants with non-trivial constraints.