A new abstraction framework for affine transformers

Abstract

This paper addresses the problem of abstracting a set of affine transformers \(\overrightarrow{v}' = \overrightarrow{v} \cdot C + \overrightarrow{d}\), where \(\overrightarrow{v}\) and \(\overrightarrow{v}'\) represent the pre-state and post-state, respectively. We introduce a framework to harness any base abstract domain \(\mathcal {B}\) in an abstract domain of affine transformations. Abstract domains are usually used to define constraints on the variables of a program. In this paper, however, abstract domain \(\mathcal {B}\) is re-purposed to constrain the elements of C and \(\overrightarrow{d}\)—thereby defining a set of affine transformers on program states. This framework facilitates intra- and interprocedural analyses to obtain function and loop summaries, as well as to prove program assertions.

Appendices

Soundness of the abstract-domain operations

In this section, we show that the abstract-domain operations for the \({\text {ATA}}[\mathcal {B}]\) framework are sound with respect to the concrete semantics of the programming language.

Lemma A.1

The bottom element represents the empty set.

$$\begin{aligned} \gamma (\bot ) = \varnothing \end{aligned}$$

(14)

Proof

$$\begin{aligned} \gamma \left( \bot \right)&= \left\{ \left( \overrightarrow{v}, \overrightarrow{v}'\right) : \overrightarrow{v}' = \overrightarrow{v} \cdot C + \overrightarrow{d} \wedge \left( C:\overrightarrow{d}\right) \in \gamma \left( \bot _{\mathcal {B}}\right) \right\} \\&{\Rightarrow }\gamma \left( \bot \right) = \left\{ \left( \overrightarrow{v}, \overrightarrow{v}'\right) : \overrightarrow{v}' = \overrightarrow{v} \cdot C + \overrightarrow{d} \wedge \left( C:\overrightarrow{d}\right) \in \left( \varnothing \right) \right\} \\&{\Rightarrow }\gamma \left( \bot \right) = \varnothing \end{aligned}$$

\(\square \)

Lemma A.2

The equality operation is sound.

$$\begin{aligned} (a_1 \widetilde{==} a_2) {\Rightarrow }(\gamma (a_1) == \gamma (a_2)) \end{aligned}$$

(15)

Proof

We will prove Lemma A.2 by contradiction. Assume that \(a_1 \widetilde{==} a_2\) but \(\gamma (a_1) \ne \gamma (a_2)\). Without loss of generality, we can assume that there exists \((\overrightarrow{v}, \overrightarrow{v}')\) such that:

$$\begin{aligned}&\left( \overrightarrow{v}, \overrightarrow{v}'\right) \in \gamma (a_1) \wedge \left( \overrightarrow{v}, \overrightarrow{v}'\right) \notin \gamma (a_2) \\&\quad {\Rightarrow }\ \overrightarrow{v}' = \overrightarrow{v} \cdot C + \overrightarrow{d} \wedge \left( C:\overrightarrow{d}\right) \in \gamma (base(a_1)) \wedge \left( C:\overrightarrow{d}\right) \notin \gamma (base(a_2)) \\&\quad {\Rightarrow }\ \exists b.\ b\in \gamma (base(a_1)) \wedge b\notin \gamma (base(a_2)) \\&\quad {\Rightarrow }\ \gamma (base(a_1)) \ne \gamma (base(a_2) \\&\quad {\Rightarrow }\ base(a_1) \ne base(a_2) \text { (by soundness of equality on }\mathcal {B}\text {)}\\&\quad {\Rightarrow }\ a_1 \ne a_2 \text { (Contradiction!)} \end{aligned}$$

\(\square \)

Lemma A.3

The join operation is sound.

$$\begin{aligned} \gamma (a_1 \tilde{\sqcup } a_2) \supseteq \gamma (a_1) \cup \gamma (a_2) \end{aligned}$$

(16)

Proof

Assume that Lemma A.3 is incorrect. Then there exists \((\overrightarrow{v}, \overrightarrow{v}')\notin \gamma (a_1 \tilde{\sqcup } a_2)\) such that:

$$\begin{aligned}&\left( \overrightarrow{v}, \overrightarrow{v}'\right) \in \gamma (a_1) \cup \gamma (a_2) \\&\quad {\Rightarrow }\ \overrightarrow{v}' = \overrightarrow{v} \cdot C + \overrightarrow{d} \wedge (C:\overrightarrow{d})\in \gamma \left( base(a_1)\right) \\&\quad \text { (Without loss of generality). } \\&\quad {\Rightarrow }\ \overrightarrow{v}' = \overrightarrow{v} \cdot C + \overrightarrow{d} \wedge (C:\overrightarrow{d})\in \gamma (base(a_1) \sqcup base(a_2)) \\&\quad {\Rightarrow }\ \left( \overrightarrow{v}, \overrightarrow{v}'\right) \in \gamma (a_1 \tilde{\sqcup } a_2) \text { (by soundness of join on }\mathcal {B}\text {)} \\&\quad \text { (Contradiction!)} \end{aligned}$$

\(\square \)

The soundness of widening, statement abstractions, and identity function are easy to prove, and follow similar reasoning.

Soundness of abstract composition

In this section, we show that the abstract-composition operations defined in Sect. 4.2 are sound. From Eq. (2), an exact abstract composition \(C_e=\gamma (a' \circ a)\) is defined as follows:

$$\begin{aligned}&C_e = \left\{ \left( \overrightarrow{v}, \overrightarrow{v}'\right) \ \vert \ \exists \left( C:\overrightarrow{d}\right) \in \gamma \left( base\left( a\right) \right) , \left( C':\overrightarrow{d}'\right) \in \gamma \left( base\left( a'\right) \right) , \left( C'':\overrightarrow{d}''\right) {:}\right. \\&\left. \left( \overrightarrow{v}' = \overrightarrow{v} \cdot C'' + \overrightarrow{d}''\right) \wedge \left( C'' = C\cdot C'\right) \wedge \left( \overrightarrow{d}'' = \overrightarrow{d} \cdot C' + \overrightarrow{d}'\right) \right\} \end{aligned}$$

1.1 Non-relational base domain

In this section, we show that the fast abstract composition for \({\text {ATA}}[\mathcal {B}]\) (Eq. (4)), when \(\mathcal {B}\) is non-relational, is sound. Remember that any non-relational domain can be formulated as follows: \(\mathcal {B}\ {\mathop {=}\limits ^{def}}\ symbols(C:\overrightarrow{d}) \rightarrow \mathcal {F}_{\mathcal {B}}\). The term b[s], where \(b\in \mathcal {B}\) and \(s\in symbols(C:\overrightarrow{d})\), refers to the element in the foundation domain \(f\in \mathcal {F}_{\mathcal {B}}\) corresponding to the symbol s.

Axiom 1

Abstract addition is sound for \(\mathcal {F}_{\mathcal {B}}\); i.e.,

$$\begin{aligned} e_1\in \gamma (f_1) \wedge e_2\in \gamma (f_2) {\Rightarrow }e_1 + e_2 \in \gamma (f_1 +^\sharp f_2) \end{aligned}$$

(17)

Axiom 2

Abstract multiplication is sound for \(\mathcal {F}_{\mathcal {B}}\); i.e.,

$$\begin{aligned} e_1\in \gamma (f_1) \wedge e_2\in \gamma (f_2) {\Rightarrow }e_1 \times e_2 \in \gamma (f_1 \times ^\sharp f_2) \end{aligned}$$

(18)

Theorem B.1

(Soundness of \(\circ _{{\text {NR}}}\))

$$\begin{aligned} C_e \subseteq \gamma (a' \circ _{{\text {NR}}} a). \end{aligned}$$

(19)

Proof

We will prove Theorem B.1 by contradiction. Consider a model \(m=(\overrightarrow{v}, \overrightarrow{v}'')\), such that \(m \in C_e\) and \(m \notin \gamma (a' \circ _{{\text {NR}}} a)\). We will show that such a model cannot exists.

\(\square \)

1.2 Weakly-convex base domain

In this subsection, we present a proof of soundness of abstract composition for weakly-convex base domains, denoted by \(a' \circ _{{\text {WC}}} a\) (Eq. (7)).

We present some useful axioms and lemmas before presenting the soundness theorem and its proof. Let \(min_{\mathbb {Z}_{2^w}}\) and \(max_{\mathbb {Z}_{2^w}}\) be the minimum and maximum bitvector values in \(\mathbb {Z}_{2^w}\). Let \(min_\mathbb {Q}= min_{\mathbb {Z}_{2^w}}\) and \(max_\mathbb {Q}= max_{\mathbb {Z}_{2^w}}\).

Axiom 3

\(cast_{\mathbb {Q}}\) is distributive over bitvector addition in the absence of overflows: that is, if \(min_\mathbb {Q}\le cast_{\mathbb {Q}}(bv_1)+cast_{\mathbb {Q}}(bv_2)\le max_\mathbb {Q}\), where \(bv_1, bv_2 \in \mathbb {Z}_{2^w}\), then

$$\begin{aligned} cast_{\mathbb {Q}}(bv_1) + cast_{\mathbb {Q}}(bv_2) = cast_{\mathbb {Q}}(bv_1+bv_2) \end{aligned}$$

(20)

Axiom 4

\(cast_{\mathbb {Q}}\) is distributive over bitvector multiplication in the absence of overflows: that is, if \(min_\mathbb {Q}\le cast_{\mathbb {Q}}(bv_1)\cdot cast_{\mathbb {Q}}(bv_2)\le max_\mathbb {Q}\), where \(bv_1, bv_2 \in \mathbb {Z}_{2^w}\), then

$$\begin{aligned} cast_{\mathbb {Q}}(bv_1) \cdot cast_{\mathbb {Q}}(bv_2) = cast_{\mathbb {Q}}(bv_1\cdot bv_2) \end{aligned}$$

(21)

Lemma B.1

\(cast_{\mathbb {Q}}\) is distributive over matrix multiplication for bitvectors, if there are no overflows in the matrix multiplication. That is, for \(n\times n\) matrices M and \(M'\) where \(\forall _{1\le i,j\le n} M[i,j], M'[i,j] \in \mathbb {Z}_{2^w}\),

$$\begin{aligned} cast_{\mathbb {Q}}(M) \times cast_{\mathbb {Q}}(M') = cast_{\mathbb {Q}}(M\times M'). \end{aligned}$$

(22)

Proof

Let \(M'' = cast_{\mathbb {Q}}(M) \times cast_{\mathbb {Q}}(M')\). Then,

\(\square \)

Lemma B.2

A convex combination of a set of rationals is inside bitvector boundaries if each of the rational values in the set is inside bitvector boundaries. Given any \(0\le \lambda _1, \lambda _2, \dots , \lambda _l\le 1\), such that \((\mathop {\sum }\nolimits _{i=1}^{l} \lambda _i=1)\).

$$\begin{aligned} min_{\mathbb {Q}} \le q_1, q_2, \ldots , q_l\le max_{\mathbb {Q}} \,{\Rightarrow }\, min_{\mathbb {Q}} \le \overset{l}{\underset{i=1}{\Sigma }} \lambda _i q_i \le max_{\mathbb {Q}} \end{aligned}$$

(23)

Proof

Suppose \(min_{\mathbb {Q}} > \mathop {\sum }\nolimits _{i=1}^{l} \lambda _i q_i\).

$$\begin{aligned}&{\Rightarrow }\ \left( min_{\mathbb {Q}}> \overset{l}{\underset{i=1}{\Sigma }} \lambda _i min_{\mathbb {Q}}\right) \left( \text {because } min_{\mathbb {Q}} \le q_1, q_2, \ldots , q_l \right) \\&{\Leftrightarrow }\ \ min_{\mathbb {Q}}> \overset{l}{\underset{i=1}{\Sigma }} \lambda _i min_{\mathbb {Q}}\ {\Rightarrow }\ \left( min_{\mathbb {Q}} > min_{\mathbb {Q}}\right) \left( \text {because } \left( \overset{l}{\underset{i=1}{\Sigma }} \lambda _i=1\right) \right) . \\&{\Leftrightarrow }\ \ \textit{false} \end{aligned}$$

Consequently, \(min_{\mathbb {Q}} \le \mathop {\sum }\nolimits _{i=1}^{l} \lambda _i q_i\). The other inequality \(\mathop {\sum }\nolimits _{i=1}^{l} \lambda _i q_i\le max_{\mathbb {Q}}\) can be proved in a similar fashion. \(\square \)

Lemma B.3

There are no overflows in a matrix multiplication of a convex combination of matrices, if there are no overflows in the matrix multiplications of the underlying matrices involved in the convex combination.

(24)

and,

(25)

Proof

Because \((t_i \times t_j')\) does not overflow, we know that each entry in the computation of the matrix multiplication does not overflow:

$$\begin{aligned} \forall _{1\le p,q\le o}: min_{\mathbb {Q}} \le \Sigma _{n=1}^o cast_{\mathbb {Q}}(t_i[p,n]) \cdot cast_{\mathbb {Q}}(t_j'[n,q]) \le max_{\mathbb {Q}} \end{aligned}$$

(26)

where \(t_i\) and \(t_j'\) are \(o\times o\) matrices.

Suppose that \(l'' = l\cdot l'\) and . Then, \(\overset{l''}{\underset{m=1}{\Sigma }} \lambda _m'' = \mathop {\sum }\nolimits _{i=1}^{l'} \lambda _i \cdot \mathop {\sum }\nolimits _{j=1}^{l'} \lambda _j' = 1\cdot 1 = 1\). Then, by applying Lemma B.2 to Eq. (26), we get for all \(1\le p,q\le o\):

Hence \((t \times t')\) does not overflow. \(\square \)

Theorem B.2

(Soundness of \(\circ _{{\text {WC}}}\))

$$\begin{aligned} C_e \subseteq \gamma (a' \circ _{{\text {WC}}} a). \end{aligned}$$

(27)

Proof

Consider any model \(m=(\overrightarrow{v}, \overrightarrow{v}'')\), such that \(m \in C_e\). To prove Theorem B.2, we need to show that \(m \in \gamma (a' \circ _{{\text {WC}}} a)\). Equation (7) defines \(a'' = a' \circ _{{\text {WC}}} a\) as follows

$$\begin{aligned} base(a'') =&{\left\{ \begin{array}{ll} \bigsqcup \left\{ {\beta (t_i \times t_j') \vert \ 1\le i\le l, 1\le j\le l'} \right\} &{} \textit{if there are no overflows in any} \\ &{} \textit{matrix multiplication } t_i \times t_j' \\ \top _{\mathcal {B}} &{} \textit{otherwise} \end{array}\right. } \nonumber \\&\text {where } base(a)=\left\{ {t_1,t_2,\ldots ,t_l} \right\} \textit{ and } base(a')=\left\{ {t_1',t_2',\ldots ,t_{l'}'} \right\} . \end{aligned}$$

(28)

We know that for \(m=(\overrightarrow{v},\overrightarrow{v}')\),

(29)

By the properties of weakly-convex domains (see Sect. 4.2.4), we know that

(30)

(31)

To show that \(m \in \gamma (a' \circ _{{\text {WC}}} a)\), we consider two cases.

Overflows in matrix multiplication. If there is an overflow encountered in any matrix multiplication \(t_i \times t_j'\), then \(base(a'') = \top _{\mathcal {B}}\) and consequently, \(m \in \gamma (a' \circ _{{\text {WC}}} a)\) is true trivially.

No overflows in matrix multiplication. If there is no overflow encountered in any of the matrix multiplications \(t_i \times t_j'\), then it suffices to prove that

$$\begin{aligned} \left( C'':\overrightarrow{d}''\right) \in \bigsqcup _{i=1}^l \bigsqcup _{j=1}^{l'} \left\{ \beta \left( t_i \times t_j'\right) \right\} . \end{aligned}$$

(32)

Equation (32) translates to proving that for some \(\{\lambda _1'', \lambda _2'',\ldots , \lambda _{l''}''\}\):

(33)

where , and \(\overset{l''}{\underset{m=1}{\Sigma }} \lambda _m'' = \mathop {\sum }\nolimits _{i=1}^{l'} \lambda _i \cdot \mathop {\sum }\nolimits _{j=1}^{l'} \lambda _j' = 1\cdot 1 = 1\).

Soundness of merge functions

In this section, we show that the merge operation defined in Sect. 4.4 is sound. Recall that the merge function is defined as:

(34)

As mentioned in (9), the exact merge-function semantics are specified as follows:

(35)

Theorem C.1

Soundness of the merge function

$$\begin{aligned} {\textsc {Merge}}(\gamma (a), \gamma (a')) \subseteq \gamma (Merge(a, a')). \end{aligned}$$

(36)

Proof

We will prove Theorem 4.3 by contradiction. Consider a model \(m=(\overrightarrow{g_m},\overrightarrow{l_m};\overrightarrow{g_m}',\overrightarrow{l_m}')\), such that \(m \in {\textsc {Merge}}(\gamma (a), \gamma (a'))\) and \(m \notin \gamma (\textit{Merge}(a, a'))\). Let \(a_{RevLocs}\in {\text {ATA}}[\mathcal {B}]\) be an abstract domain value such that

$$\begin{aligned} base(a_{RevLocs}) = havoc(base(a'),lsyms)\sqcap havoc(base(Id), gsyms) \end{aligned}$$

(37)

By the soundness of abstract composition, existence of m implies existence of \(n=(\overrightarrow{g_n},\overrightarrow{l_n};\overrightarrow{g_n}',\overrightarrow{l_n}')\), such that \(n\in {\textsc {RevertLocals}}(\gamma (a'))\) and \(n \notin \gamma (a_{RevLocs})\). We will show that n cannot exist. Consequently, m cannot exist, and thus merge is sound.

If the abstract meet is exact, then the implication in the fourth-from-last step of the proof becomes an if and only if (\({\Leftrightarrow }\)). Furthermore, if the abstract-composition operation is exact, then the implication in the last step of the proof becomes an if and only if (\({\Leftrightarrow }\)). Thus, if abstract meet and abstract composition are exact, the merge operation is exact.