12 research outputs found
Improving Strategies via SMT Solving
We consider the problem of computing numerical invariants of programs by
abstract interpretation. Our method eschews two traditional sources of
imprecision: (i) the use of widening operators for enforcing convergence within
a finite number of iterations, and (ii) the use of merge operations (often, convex
hulls) at the merge points of the control flow graph. It instead computes the
least inductive invariant expressible in the domain at a restricted set of
program points, and analyzes the rest of the code en bloc. We emphasize that we
compute this inductive invariant precisely. To do so, we extend the strategy
improvement algorithm of [Gawlitza and Seidl, 2007]. If we applied their method
directly, we would have to solve an exponentially sized system of abstract
semantic equations, resulting in memory exhaustion. Instead, we keep the system
implicit and discover strategy improvements using SAT modulo real linear
arithmetic (SMT). For evaluating strategies we use linear programming. Our
algorithm has low polynomial space complexity and, for contrived examples,
performs exponentially many strategy improvement steps in the worst case; this
is unsurprising, since we show that the associated abstract reachability
problem is Π^p_2-complete.
A minimalistic look at widening operators
We consider the problem of formalizing the familiar notion of widening in
abstract interpretation in higher-order logic. It turns out that many axioms of
widening (e.g. widening sequences are ascending) are not useful for proving
correctness. After keeping only useful axioms, we give an equivalent
characterization of widening as a lazily constructed well-founded tree. In type
systems supporting dependent products and sums, this tree can be made to
reflect the condition of correct termination of the widening sequence.
A Sums-of-Squares Extension of Policy Iterations
In order to address the imprecision often introduced by widening operators in
static analysis, policy iteration based on min-computations amounts to
characterizing the reachable value set of a program through an
iterative computation of policies, starting from a post-fixpoint. Computing
each policy and the associated invariant relies on a sequence of numerical
optimizations. While the early research efforts relied on linear programming
(LP) to address linear properties of linear programs, the current state of the
art is still limited to the analysis of linear programs with at most quadratic
invariants, relying on semidefinite programming (SDP) solvers to compute
policies, and LP solvers to refine invariants.
We propose here to extend the class of programs considered through the use of
Sums-of-Squares (SOS) based optimization. Our approach enables the precise
analysis of switched systems with polynomial updates and guards. The analysis
presented has been implemented in Matlab and applied to existing programs
coming from the system control literature, improving both the range of
analyzable systems and the precision of previously handled ones.
Comment: 29 pages, 4 figures
Stability and convergence in discrete convex monotone dynamical systems
We study the stable behaviour of discrete dynamical systems where the map is
convex and monotone with respect to the standard positive cone. The notion of
tangential stability for fixed points and periodic points is introduced, which
is weaker than Lyapunov stability. Among other results, we show that the set of
tangentially stable fixed points is isomorphic to a convex inf-semilattice, and
a criterion is given for the existence of a unique tangentially stable fixed
point. We also show that periods of tangentially stable periodic points are
orders of permutations on letters, where is the dimension of the
underlying space, and a sufficient condition for global convergence to periodic
orbits is presented.
Comment: 36 pages, 1 figure
Computing the smallest fixed point of order-preserving nonexpansive mappings arising in positive stochastic games and static analysis of programs
The problem of computing the smallest fixed point of an order-preserving map
arises in the study of zero-sum positive stochastic games. It also arises in
static analysis of programs by abstract interpretation. In this context, the
discount rate may be negative. We characterize the minimality of a fixed point
in terms of the nonlinear spectral radius of a certain semidifferential. We
apply this characterization to design a policy iteration algorithm, which
applies to the case of finite state and action spaces. The algorithm returns a
locally minimal fixed point, which turns out to be globally minimal when the
discount rate is nonnegative.
Comment: 26 pages, 3 figures. We add new results, improvements and two
examples of positive stochastic games. Note that an initial version of the
paper has appeared in the proceedings of the Eighteenth International
Symposium on Mathematical Theory of Networks and Systems (MTNS2008),
Blacksburg, Virginia, July 200
Invariant Generation through Strategy Iteration in Succinctly Represented Control Flow Graphs
We consider the problem of computing numerical invariants of programs, for
instance bounds on the values of numerical program variables. More
specifically, we study the problem of performing static analysis by abstract
interpretation using template linear constraint domains. Such invariants can be
obtained by Kleene iterations that are, in order to guarantee termination,
accelerated by widening operators. In many cases, however, applying this form
of extrapolation leads to invariants that are weaker than the strongest
inductive invariant that can be expressed within the abstract domain in use.
Another well-known source of imprecision of traditional abstract interpretation
techniques stems from their use of join operators at merge nodes in the control
flow graph. The mentioned weaknesses may prevent these methods from proving
safety properties. The technique we develop in this article addresses both of
these issues: contrary to Kleene iterations accelerated by widening operators,
it is guaranteed to yield the strongest inductive invariant that can be
expressed within the template linear constraint domain in use. It also eschews
join operators by distinguishing all paths of loop-free code segments. Formally
speaking, our technique computes the least fixpoint within a given template
linear constraint domain of a transition relation that is succinctly expressed
as an existentially quantified linear real arithmetic formula. In contrast to
previously published techniques that rely on quantifier elimination, our
algorithm is proved to have optimal complexity: we prove that the decision
problem associated with our fixpoint problem is in the second level of the
polynomial-time hierarchy.
Comment: 35 pages, conference version published at ESOP 2011, this version is
a CoRR version of our submission to Logical Methods in Computer Science
Automatic modular abstractions for template numerical constraints
We propose a method for automatically generating abstract transformers for
static analysis by abstract interpretation. The method focuses on linear
constraints on programs operating on rational, real or floating-point variables
and containing linear assignments and tests. In addition to loop-free code, the
same method also applies to obtaining least fixed points as functions of the
precondition, which permits the analysis of loops and recursive functions. Our
algorithms are based on new quantifier elimination and symbolic manipulation
techniques. Given the specification of an abstract domain, and a program block,
our method automatically outputs an implementation of the corresponding
abstract transformer. It is thus a form of program transformation. The
motivation of our work is data-flow synchronous programming languages, used for
building control-command embedded systems, but it also applies to imperative
and functional programming.