Automatic Modular Abstractions for Linear Constraints

We propose a method for automatically generating abstract transformers for static analysis by abstract interpretation. The method focuses on linear constraints on programs operating on rational, real or floating-point variables and containing linear assignments and tests. In addition to loop-free code, the same method also applies for obtaining least fixed points as functions of the precondition, which permits the analysis of loops and recursive functions. Our algorithms are based on new quantifier elimination and symbolic manipulation techniques. Given the specification of an abstract domain, and a program block, our method automatically outputs an implementation of the corresponding abstract transformer. It is thus a form of program transformation. The motivation of our work is data-flow synchronous programming languages, used for building control-command embedded systems, but it also applies to imperative and functional programming.

💡 Research Summary

The paper presents a fully automated method for synthesizing abstract transformers used in static analysis by abstract interpretation, focusing on programs that manipulate rational, real, or floating‑point variables through linear assignments and tests. The authors observe that traditional abstract interpreters require hand‑written transformer functions for each program construct and each abstract domain (e.g., intervals, polyhedra). Because the space of possible program blocks is infinite and users may wish to employ a wide variety of abstract domains, manual provision of transformers is infeasible.

To overcome this limitation, the authors propose a three‑stage pipeline: (1) represent a program block as a logical formula describing its concrete transition relation; (2) eliminate existential quantifiers from that formula using modern SAT/SMT‑based quantifier‑elimination techniques; (3) compile the resulting quantifier‑free formula into an executable piece of code consisting only of tests and assignments, which serves as the optimal abstract transformer for the chosen abstract domain.

The abstract domains considered belong to the class of template linear constraint domains. A template is a conjunction of linear inequalities of the form L_i(s) ≤ p_i, where the left‑hand sides L_i are fixed linear forms over the state variables s, and the right‑hand sides p_i are domain parameters. This class subsumes classical intervals, difference‑bound matrices, octagons, and more general octahedra. For a given template F(p,s) the concrete semantics is captured by the Galois connection (α_F,γ_F), where γ_F maps a parameter vector p to the set of concrete states satisfying F, and α_F maps a concrete set to the least upper‑approximation in the template.

Concrete semantics of a loop‑free block are expressed as an existentially quantified formula J⟦P⟧. Each elementary command (assignment, test, nondeterministic choice, failure, skip) is translated into a linear equality/inequality together with logical connectives. Sequential composition introduces existential quantifiers for intermediate variables, while tests introduce disjunctions. The resulting formula precisely characterizes the input‑output relation of the block.

Quantifier elimination is the core technical contribution. While quantifier elimination for linear arithmetic is known to be theoretically possible, earlier algorithms (e.g., Ferrante‑Rackoff) were doubly exponential and unusable in practice. The authors leverage recent advances in SAT/SMT solving to implement a practical elimination algorithm that also produces a disjunctive normal form (DNF) and simplifies formulas modulo user‑provided assumptions. After elimination, the formula contains only the original input parameters and the output parameters, linked by a (piecewise) linear relation. This relation is exactly the optimal abstract transformer: it yields the smallest possible over‑approximation of the concrete semantics within the chosen template domain.

For loops and recursive procedures, the method computes the least inductive invariant in the template domain. The loop body is treated as a block B with transition relation Φ(p_in,p_out). The invariant is the least fixed point of the functional λp. Φ(p_in,p), which can be obtained by solving a set of linear constraints derived from the quantifier‑eliminated formula. Importantly, no widening operator is used; the invariant is mathematically exact (subject to the template’s expressive power). This eliminates the common source of imprecision associated with widening in traditional abstract interpretation.

The quantifier‑free formulas are then compiled into executable code. The compilation step translates each conjunctive clause into a sequence of assignments, and each disjunctive clause into a conditional branch. The resulting code can be loaded dynamically into an analyzer, reused for multiple calls, and even stored for later analysis of other programs. Because the generated transformer is itself a small program, it can be optimized by a conventional compiler, yielding negligible runtime overhead.

The authors also discuss several extensions: handling of infinite bounds (±∞) for parameters, support for certain non‑convex templates (e.g., absolute value), partitioning of the state space to improve precision, and modeling floating‑point operations using real‑number abstractions with error intervals. They illustrate the approach on synchronous data‑flow languages such as Lustre and Simulink, on low‑level assembly fragments, and on classic recursive examples like the McCarthy 91 function. Experimental results show that the automatically generated transformers are more precise than hand‑crafted interval transformers and avoid the loss of precision caused by sequential composition of locally optimal operations.

In summary, the paper delivers a novel, fully automated framework that (i) translates any loop‑free linear program fragment into an exact logical description, (ii) eliminates quantifiers to obtain the tightest possible abstract relation within a user‑specified template domain, (iii) extends the technique to compute exact least inductive invariants for loops and recursion without widening, and (iv) produces executable transformer code suitable for modular, reusable static analysis. This advances the state of the art in abstract interpretation by dramatically reducing the manual effort required to support new abstract domains and by delivering higher‑precision analyses for safety‑critical embedded software.