
    Convex polyhedral abstractions, specialisation and property-based predicate splitting in Horn clause verification

    We present an approach to constrained Horn clause (CHC) verification combining three techniques: abstract interpretation over a domain of convex polyhedra, specialisation of the constraints in CHCs using abstract interpretation of query-answer transformed clauses, and refinement by splitting predicates. The purpose of the work is to investigate how analysis and transformation tools developed for constraint logic programs (CLP) can be applied to the Horn clause verification problem. Abstract interpretation over convex polyhedra is capable of deriving sophisticated invariants, and when used in conjunction with specialisation for propagating constraints it can frequently solve challenging verification problems. This is a contribution in itself, but refinement is needed when it fails, and the question of how to refine convex polyhedral analyses has not been studied much. We present a refinement technique based on interpolants derived from a counterexample trace; these are used to drive a property-based specialisation that splits predicates, leading in turn to more precise convex polyhedral analyses. The process of specialisation, analysis and splitting can be repeated, in a manner similar to the CEGAR and iterative specialisation approaches.
    Comment: In Proceedings HCVS 2014, arXiv:1412.082

    Widening with Thresholds for Programs with Complex Control Graphs

    The precision of an analysis based on abstract interpretation depends not only on the expressiveness of the abstract domain, but also on the way fixpoint equations are solved: exact solving is often not possible. The traditional solution is to solve the abstract fixpoint equations iteratively, using extrapolation with a widening operator to make the iterations converge. Unfortunately, the extrapolation too often loses information that is crucial for the analysis goal. A classical technique for improving the precision is "widening with thresholds", which bounds the extrapolation. Its benefit strongly depends on the choice of relevant thresholds. In this paper we propose a semantics-based technique for automatically inferring such thresholds, which applies to any control graph, be it intraprocedural, interprocedural or concurrent, without specific assumptions on the abstract domain. Despite its technical simplicity, our technique is able to infer the relevant thresholds in many practical cases.
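    The effect the abstract describes can be seen on the interval domain with the loop `i = 0; while (i < N) { i = i + 1; }`. Plain widening extrapolates the unstable upper bound of `i` straight to +infinity, so at loop exit the analysis only knows `i >= N`; if `i` then indexes a buffer of size `N + 1`, the analysis cannot prove the access in bounds. Widening with the threshold `N` stops the extrapolation at `N` instead, and the exit value collapses to exactly `i == N`. The code below is an added example, not code from the paper, and it takes the threshold directly from the loop guard constant, a simple syntactic choice; the paper's contribution is the semantic inference of such thresholds, which this example does not implement. The `Interval`, `widen` and `analyse_loop` names are this example's own.

```python
"""Interval analysis of  i = 0; while (i < n) { i = i + 1; }
with plain widening versus widening with thresholds (added example)."""
from dataclasses import dataclass
from math import inf


@dataclass(frozen=True)
class Interval:
    lo: float
    hi: float  # lo > hi encodes the empty interval (bottom)

    def is_bottom(self):
        return self.lo > self.hi

    def join(self, other):
        if self.is_bottom():
            return other
        if other.is_bottom():
            return self
        return Interval(min(self.lo, other.lo), max(self.hi, other.hi))

    def le(self, other):
        """Abstract order: self is contained in other."""
        if self.is_bottom():
            return True
        return (not other.is_bottom()) and other.lo <= self.lo and self.hi <= other.hi

    def add_const(self, c):
        return self if self.is_bottom() else Interval(self.lo + c, self.hi + c)

    def meet_lt(self, c):
        """Refine by the integer guard  x < c."""
        return Interval(self.lo, min(self.hi, c - 1))

    def meet_ge(self, c):
        """Refine by the integer guard  x >= c."""
        return Interval(max(self.lo, c), self.hi)


BOTTOM = Interval(inf, -inf)


def widen(old, new, thresholds=()):
    """Interval widening. A bound that grew since the last iteration jumps to the
    nearest threshold beyond it; with no threshold available it jumps to +/-inf,
    which is the classical (threshold-free) widening."""
    if old.is_bottom():
        return new
    if new.is_bottom():
        return old
    lo, hi = old.lo, old.hi
    if new.lo < old.lo:
        below = [t for t in thresholds if t <= new.lo]
        lo = max(below) if below else -inf
    if new.hi > old.hi:
        above = [t for t in thresholds if t >= new.hi]
        hi = min(above) if above else inf
    return Interval(lo, hi)


def analyse_loop(n, thresholds=(), max_iter=100):
    """Iterate the loop's abstract equations to a post-fixpoint.

    Returns (invariant of i at the loop head, value of i after the loop exits)."""
    entry = Interval(0, 0)          # i = 0 on loop entry
    head = BOTTOM                   # nothing known at the loop head yet
    for _ in range(max_iter):
        body_in = head.meet_lt(n)                   # guard i < n holds in the body
        body_out = body_in.add_const(1)             # i = i + 1
        new_head = entry.join(body_out)             # entry edge joined with back edge
        if new_head.le(head):                       # stable: post-fixpoint reached
            break
        head = widen(head, new_head, thresholds)    # extrapolate to force convergence
    return head, head.meet_ge(n)                    # exit edge: guard i >= n


if __name__ == "__main__":
    # Plain widening: head [0, inf], exit [10, inf]; the upper bound of i is lost.
    print("plain widening:      ", analyse_loop(10))
    # Threshold 10 (the guard constant): head [0, 10], exit [10, 10].
    print("threshold widening:  ", analyse_loop(10, thresholds=(10,)))
```

Without thresholds the second iteration already produces `[0, inf]` at the loop head, and the exit guard can only narrow it to `[10, inf]`. With `10` as a threshold the same iteration stops at `[0, 10]`, the next iteration confirms it is stable, and the exit value becomes the exact `[10, 10]`. The threshold is only useful because it matches a bound the program actually enforces, which is why the choice of thresholds, and the paper's approach of inferring them semantically, matters.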

    Numerical Abstract Domain using Support Functions

    In this paper, we present a new abstract domain that uses support functions to represent convex sets. Using a predefined set of directions, we obtain an efficient method for computing the fixpoint of linear programs. We show the efficiency of our method on a simple example.