14 research outputs found

    Templates and Recurrences: Better Together

    This paper is the confluence of two streams of ideas in the literature on generating numerical invariants, namely: (1) template-based methods, and (2) recurrence-based methods. A template-based method begins with a template that contains unknown quantities, and finds invariants that match the template by extracting and solving constraints on the unknowns. A disadvantage of template-based methods is that they require fixing the set of terms that may appear in an invariant in advance. This disadvantage is particularly prominent for non-linear invariant generation, because the user must supply maximum degrees on polynomials, bases for exponents, etc. On the other hand, recurrence-based methods are able to find sophisticated non-linear mathematical relations, including polynomials, exponentials, and logarithms, because such relations arise as the solutions to recurrences. However, a disadvantage of past recurrence-based invariant-generation methods is that they are primarily loop-based analyses: they use recurrences to relate the pre-state and post-state of a loop, so it is not obvious how to apply them to a recursive procedure, especially if the procedure is non-linearly recursive (e.g., a tree-traversal algorithm). In this paper, we combine these two approaches and obtain a technique that uses templates in which the unknowns are functions rather than numbers, and the constraints on the unknowns are recurrences. The technique synthesizes invariants involving polynomials, exponentials, and logarithms, even in the presence of arbitrary control-flow, including any combination of loops, branches, and (possibly non-linear) recursion. For instance, it is able to show that (i) the time taken by merge-sort is $O(n \log(n))$, and (ii) the time taken by Strassen's algorithm is $O(n^{\log_2(7)})$. Comment: 20 pages, 3 figure

    Forecasting the Impacts of Silver and Bighead Carp on the Lake Erie Food Web

    Nonindigenous bigheaded carps (Bighead Carp Hypophthalmichthys nobilis and Silver Carp H. molitrix; hereafter, “Asian carps” [AC]) threaten to invade and disrupt food webs and fisheries in the Laurentian Great Lakes through their high consumption of plankton. To quantify the potential effects of AC on the food web in Lake Erie, we developed an Ecopath with Ecosim (EwE) food web model and simulated four AC diet composition scenarios (high, low, and no detritus and low detritus with Walleye Sander vitreus and Yellow Perch Perca flavescens larvae) and two nutrient load scenarios (the 1999 baseline load and 2× the baseline [HP]). We quantified the uncertainty of the potential AC effects by coupling the EwE model with estimates of parameter uncertainty in AC production, consumption, and predator diets obtained using structured expert judgment. Our model projected mean ± SD AC equilibrium biomass ranging from 52 ± 34 to 104 ± 75 kg/ha under the different scenarios. Relative to baseline simulations without AC, AC invasion under all detrital diet scenarios decreased the biomass of most fish and zooplankton groups. The effects of AC in the HP scenario were similar to those in the detrital diet scenarios except that the biomasses of most Walleye and Yellow Perch groups were greater under HP because these fishes were buffered from competition with AC by increased productivity at lower trophic levels. Asian carp predation on Walleye and Yellow Perch larvae caused biomass declines among all Walleye and Yellow Perch groups. Large food web impacts of AC occurred in only 2% of the simulations, where AC biomass exceeded 200 kg/ha, resulting in biomass declines of zooplankton and planktivorous fish near the levels observed in the Illinois River. Our findings suggest that AC would affect Lake Erie's food web by competing with other planktivorous fishes and by providing additional prey for piscivores. 
Our methods provide a novel approach for including uncertainty into forecasts of invasive species' impacts on aquatic food webs. Received December 6, 2014; accepted July 15, 201

    Enhancing Algebraic Program Analysis

    Many programs have important functional-correctness properties that involve sophisticated mathematical relationships between numerical variables. Additionally, many programs have important numerical properties that characterize their worst-case usage of resources, such as time or memory. This dissertation applies a framework called algebraic program analysis to the problem of proving numerical properties of programs. In this framework, the main steps of the analysis of a program are encapsulated by an algebraic structure (i.e., a carrier set and a collection of operations), and results are obtained by evaluating expressions that are constructed from the operations of that structure. More specifically, this dissertation explores three enhancements of Compositional Recurrence Analysis (CRA), which is an instance of algebraic program analysis in which the loops of a program are analyzed by finding and solving recurrence relations. The first enhancement is an interprocedural version of CRA, which we call ICRA. ICRA applies recurrence-solving in a uniform way to both (i) loops, and (ii) linearly recursive procedures, i.e., procedures that make at most one recursive call along any path through the procedure body. The second enhancement improves ICRA's analysis of non-linear mathematical relationships, allowing it to find invariants that include polynomials, exponentials, and logarithms. One component of this enhancement is a new recurrence solver based on the operational calculus; another component is a new abstract domain called the wedge abstract domain, which provides some support for reasoning about non-linear arithmetic. The third enhancement improves ICRA's ability to analyze non-linearly recursive procedures, such as divide-and-conquer algorithms. This enhancement combines two streams of ideas from the literature on generating numerical invariants, namely: (1) template-based methods, and (2) recurrence-based methods. 
The new analysis technique uses a new kind of template in which the unknowns are functions, and the analyzer finds and solves recurrence constraints on those unknowns. Experiments show that the enhanced analysis is effective at proving assertions and finding resource-usage bounds. For instance, it is able to show that (i) the time taken by merge-sort is O(n log(n)), and (ii) the time taken by Strassen's algorithm is O(n^log_2(7))

    An Algorithm Inspired by Constraint Solvers to Infer Inductive Invariants in Numeric Programs

    This paper addresses the problem of proving a given invariance property phi of a loop in a numeric program, by inferring automatically a stronger inductive invariant psi. The algorithm we present is based on both abstract interpretation and constraint solving. As in abstract interpretation, it computes the effect of a loop using a numeric abstract domain. As in constraint satisfaction, it works from "above" -- interactively splitting and tightening a collection of abstract elements until an inductive invariant is found. Our experiments show that the algorithm can find non-linear inductive invariants that cannot normally be obtained using intervals (or octagons), even when classic techniques for increasing abstract-interpretation precision are employed -- such as increasing and decreasing iterations with extrapolation, partitioning, and disjunctive completion. The advantage of our work is that because the algorithm uses standard abstract domains, it sidesteps the need to develop complex, non-standard domains specialized for solving a particular problem

    Satisfiability Modulo Abstraction for Separation Logic with Linked Lists

    Separation logic is an expressive logic for reasoning about heap structures in programs. This paper presents a semi-decision procedure for deciding unsatisfiability of formulas in a fragment of separation logic that includes predicates describing points-to assertions (x |-> y), acyclic-list-segment assertions (ls(x,y)), logical-and, logical-or, separating conjunction, and septraction (the DeMorgan-dual of separating implication). The fragment that we consider allows negation at leaves, and includes formulas that lie outside other separation-logic fragments considered in the literature. The semi-decision procedure is designed using concepts from abstract interpretation. The procedure uses an abstract domain of shape graphs to represent a set of heap structures, and computes an abstraction that over-approximates the set of satisfying models of a given formula. If the over-approximation is empty, then the formula is unsatisfiable. We have implemented the method, and evaluated it on a set of formulas taken from the literature. The implementation is able to establish the unsatisfiability of formulas that cannot be handled by other existing approaches