Combining Widening and Acceleration in Linear Relation Analysis

Linear Relation Analysis [CH78,Hal79] is one of the first, but still one of the most powerful, abstract interpretations working in an infinite lattice. As such, it makes use of a widening operator to enforce the convergence of fixpoint computations. While the approximation due to widening can be arbitrarily refined by delaying the application of widening, the analysis quickly becomes too expensive with the increase of delay. Previous attempts at improving the precision of widening are not completely satisfactory, since none of them is guaranteed to improve the precision of the result, and they can nevertheless increase the cost of the analysis. In this paper, we investigate an improvement of Linear Relation Analysis consisting in computing, when possible, the exact (abstract) effect of a loop. This technique is fully compatible with the use of widening, and whenever it applies, it improves both the precision and the performance of the analysis. Linear Relation Analysis [CH78,Hal79] (LRA) is one of the very first applications of abstract interpretation [CC77], and aims at computing an upper approximation of the reachable states of a numerical program, as a convex polyhedron (or a set of such polyhedra). It was applied in various domains like compiletime error detection [DRS01], program parallelization [IJT91], automatic verification [HPR97,HHWT97] and formal proof [BBC00,BBM97]. Like any approximate verification method, LRA is faced with the compromise between precision and cost. Since its relatively high cost restricts its applicability, any situation where the precision can be improved at low cost must be exploited. One source of approximation in LRA is widening, the operator that ensures the termination of iterative computations, by extrapolating an upper approximation of their limit. When the approximation due to widening is the cause of the lack of precision of the result of an analysis, a possible way to improve the precision is to delay widening: instead of applying it at each iteration, one can start with a number of steps without widening, thus providing a more precise basis for subsequent extrapolations. Now, delaying widening is generally very expensive: ? This work has been partially supported by the APRON project of the “ACI Sécurité Informatique” of the French Ministry of Research ?? email: {Laure.Gonnord,Nicolas.Halbwachs}@imag.fr ? ? ? Verimag is a joint laboratory of Université Joseph Fourier, CNRS and INPG associated with IMAG. in ria -0 05 23 32 5, v er si on 1 4 O ct 2 01 0 Author manuscript, published in "Static Analysis Symposium (2006)" Published in Static Analysis Symposiu m, Springer Verlag, LNCS 4134. not only does it increase the number of iterations, but, more importantly, it leads to the construction of much more complex polyhedra (that would be simplified otherwise thanks to widening). So, if we can find some cheap ways to improve the precision of widening, we may not only improve the overall precision, but also avoid the cost of delaying widening. The next question then is “what is a better widening?”. The fact that one single application of a widening operator gives smaller results [BHRZ03] does not necessarily mean that its repeated application will involve a convergence towards a more precise limit (an example can been seen in [SSM04]). Moreover, the use of such a widening is likely to slow down the convergence, by increasing the number of necessary iterations. These remarks led us to look at situations where the widening can obviously be improved — in the sense that a faster convergence towards a better limit can be archived — at low cost with respect to the cost of usual polyhedra operators. For that, a source of inspiration are the so-called “acceleration techniques” proposed by several authors [BW94,WB98,CJ98,FS00,BFLP03]. These works consist in identifying categories of loops whose effect can be computed exactly. Roughly speaking, the effect of a simple loop, guarded by a linear condition on integer variables, and consisting of incrementations/decrementations of these variables can be computed exactly as a Presburger formula. These methods have the advantage of giving exact results. Now, because they are exact, they are restricted to some classes of programs (e.g., “flat counter automata”, i.e., without nested loops). Moreover, the exact computation with integer variables has a very high complexity (generally double-exp). So the applicability of these methods is somewhat limited. In this paper, we investigate the use of acceleration methods in LRA, in complement to widening . Of course, when the effect of a loop can be computed exactly (and at low cost) there is no need to approximate it. Now, since we want to integrate these results in LRA, only the exact abstract effect of the loop is necessary, that is the convex hull of the reachable states during or after the loop. This means that we won’t use expensive computations in Presburger arithmetic. Moreover, we only look for an improvement of standard LRA: wherever an acceleration is possible, its application will improve the results, but the resulting method will not be restricted to those programs where acceleration applies everywhere. To illustrate our goal better, let us consider a very simple example, the classical “leaking gas burner” [CHR91]: one wants to model and analyze the assumption that, whenever the “gas burner” leaks, the leakage is fixed within 10 seconds, and that the minimum interval between two leakages is 50 seconds. The standard modelling of this system is by a linear hybrid automaton [ACH95,HHWT97] (see Fig. 1). The linear relation analysis of this hybrid automaton proceeds as follows (the successive results are projected onto the variables t and `, which represent, respectively, the global time elapsed and the global leaking time, the variable u being a local variable used to count the time elapsed in each location): L. Gonnord and N. Halbwachs, SAS 2006, copyright Springer-Verlag 2 Page 2 in ria -0 05 23 32 5, v er si on 1 4 O ct 2 01 0 Published in Static Analysis Symposiu m, Springer Verlag, LNCS 4134. ṫ = 1 ̇̀ = 1 u̇ = 1 u ≤ 10 u := 0 u ≥ 50 u := 0 u := 0 ` := 0 t := 0 leaking u̇ = 1 ̇̀ = 0 ṫ = 1 not leaking Fig. 1. Hybrid automaton of the gas burner