A zonotopic framework for functional abstractions
This article formalizes an abstraction of input/output relations, based on parameterized zonotopes, which we call affine sets. We describe the abstract transfer functions and prove their correctness, which allows the generation of accurate numerical …
Authors: Eric Goubault, Sylvie Putot
Eric Goubault and Sylvie Putot
CEA LIST, Laboratory for the Modelling and Analysis of Interacting Systems, Point courrier 94, Gif-sur-Yvette, F-91191 France, Firstname.Lastname@cea.fr

Abstract. This article formalizes an abstraction of input/output relations, based on parameterized zonotopes, which we call affine sets. We describe the abstract transfer functions and prove their correctness, which allows the generation of accurate numerical invariants. Other applications range from compositional reasoning to proofs of user-defined complex invariants and test case generation.

1 Introduction

We present in this paper an abstract domain based on affine arithmetic [4] to bound the values of variables in numerical programs, with a real number semantics. Affine arithmetic can be conceived as describing particular polytopes, called zonotopes [19], which are bounded and center-symmetric. But it does so by explicitly parametrizing the points, as affine combinations of symbolic variables, called noise symbols. This parametrization keeps, in an implicit manner, the affine correlations between values of program variables, by sharing some of these noise symbols. It is tempting then to attribute a meaning to these noise symbols, so that the abstract elements we are considering are no longer merely polytopes, but have a functional interpretation, due to their particular parametrization: we define abstract elements as tuples of affine forms, which we call affine sets. They define a sound abstraction of relations that hold between the current values of the variables, for each control point, and the inputs of a program.
The interests of abstracting input/output relations are well-known [6]; we mention but a few: more precise and scalable interprocedural abstractions, proofs of complex invariants (involving relations between inputs and outputs), sensitivity analysis and test case generation as exemplified in [7].

An abstract domain relying on such affine forms has been described in [8,11,13], but these descriptions lack a complete formalization, and over-approximate the input/output relations more than necessary. In this paper, we extend this preliminary work by presenting a natural framework for this domain, with a partial order relation that allows Kleene-like iteration for accurately solving fixed point equations. In particular, a partial order that is now global to the abstract state, and no longer defined independently on each variable, allows the use of relations also between the special noise symbols created by taking an upper bound of two affine forms. Our results are illustrated with sample computations and geometric interpretations.

A preliminary version of this abstract domain, extended to analyse the uncertainty due to floating-point computations, is used in practice in a real industrial-size static analyser, FLUCTUAT, whose applications have been described in [7,14]. A preliminary version of this domain, dedicated to the analysis of computations in real numbers, is also implemented as an abstract domain, Taylor1+ [8], of the open-source library APRON [17].

Related work. Apart from the work of the authors already mentioned, that uses zonotopes in static analysis, a large amount of work has been carried out mostly for reachability analysis in hybrid systems using zonotopes, see for instance [9]. One common feature with our work is the fact that zonotopic methods prove to be precise and fast.
But in general, in hybrid systems analysis, no union operator is defined, whereas it is an essential feature of our work. Also, the methods used are purely geometrical: no information is kept concerning input/output relationships, e.g. as witnessed by the methods used for computing intersections [10]. Zonotopes have also been used in imaging, in collision detection for instance, see [16], where purely geometrical joins have been defined.

Recent work in static analysis by abstract interpretation for input/output relations abstraction and modular analyses can be found in [6], where an example is given in particular using polyhedra. In [5], it is shown that some classical analyses (e.g. Mycroft's strictness analysis) are input/output relational analyses (also called dependence-sensitive analyses). Applications of abstractions of input/output relations have been developed, in particular for points-to alias analysis, using summary functions, see for instance [3].

Contents. In Section 2, we quickly introduce the principles of affine arithmetic, and show the interest of a domain with explicit parametrization of zonotopes, compared to its geometric counterpart, through simple examples. Then in Section 3, we state properties of affine sets. Introducing a matrix representation, we make the link between the affine sets and their zonotope concretisation. We then introduce perturbed affine sets, that will allow us to define a partially ordered structure. Starting with a thorough explanation of the intuition in Section 4.1, we then describe the partial order relation in Section 4.3, the monotonic abstract transfer functions in Section 4.4, and the join operator in Section 4.5. For intrinsic reasons, our abstract domain does not have least upper bounds, but minimal upper bounds.
We show in Section 4.6 that a form of bounded-completeness holds that allows Kleene-like iteration for solving fixed point equations. For lack of space, we do not demonstrate here the behaviour of our abstract domain on fixed-point computations, but results on preliminary versions of our domain are described in [8,13].

2 Abstracting input/output relations with affine arithmetic

Affine arithmetic. Affine arithmetic is an extension of interval arithmetic on affine forms, first introduced in [4], that takes into account affine correlations between variables. An affine form is a formal sum over a set of noise symbols $\varepsilon_i$

$$\hat{x} \stackrel{\text{def}}{=} \alpha^x_0 + \sum_{i=1}^{n} \alpha^x_i \varepsilon_i, \quad \text{with } \alpha^x_i \in \mathbb{R} \text{ for all } i.$$

Each noise symbol $\varepsilon_i$ stands for an independent component of the total uncertainty on the quantity $\hat{x}$; its value is unknown but bounded in $[-1,1]$; the corresponding coefficient $\alpha^x_i$ is a known real value, which gives the magnitude of that component. The same noise symbol can be shared by several quantities, indicating correlations among them. These noise symbols can not only model uncertainty in data or parameters, but also uncertainty coming from computation. The semantics of affine operations is straightforward; non-affine operations are linearized: we refer the reader to [11,13] for more details on the semantics for static analysis.

Introductory examples. Consider the simple interprocedural program:

    float main() {
      float x ∈ [-1,1];
      return f(x)-x;
    }

    float f(float x) {
      float y;
      if (x >= 0) y = x + 1;
      else y = x - 1;
      return y;
    }

In order to analyse this program precisely, we need to infer the relation between the input and output of function f, since the main function subtracts the input of f from its output.
We will show in Section 4.1 that our method gives an accurate representation of such input/output relations, at low cost, easily proving here that main returns a number between -1 and 1. We will also show that even tight geometric representations of the image of f on [a,b] may fail to prove this.

Another interest of our method is to allow compositional abstractions for interprocedural calls [6], making our domain very scalable. For instance, the abstract value for the output of f, as found in Section 4.1, represents the fact that its value is the value of the input plus an unknown value in [-1,1]. In fact a little more might be found out, which would lay the basis for efficient disjunctive analyses, where we would find that the output of f is its input plus an unknown value in $\{-1, 1\}$. This is left for future work. This compact representation can be used as an abstract summary function (akin to the ones of [3] or of [5]) for f, which can then be reused without re-analysis for each call to f. The complete discussion of this aspect is nevertheless outside the scope of this paper.

Last but not least, input/output relations that are dealt with by our method allow proofs of complex invariants, and test case generation at low cost. Consider for instance the following program, where g computes an approximation of the square root of x using a Taylor expansion of degree 2, centered at point 1:

    float main() {
      float x ∈ [1,2], z, t;
      z = g(x);
      t = z*z-x;
      return t;
    }

    float g(float x) {
      float y;
      y = 3/8.0 + 3/4.0*x - 1/8.0*x*x;
      return y;
    }

With our semantics, we will find the following abstract values for $x$, $z$ and $t$:

$$x = \tfrac{3}{2} + \tfrac{1}{2}\varepsilon_1, \quad z = \tfrac{19}{16} + \tfrac{3}{16}\varepsilon_1 - \tfrac{1}{64}\varepsilon_2 \quad \text{and} \quad t = -\tfrac{567}{8192} - \tfrac{7}{128}\varepsilon_1 - \tfrac{19}{512}\varepsilon_2 - \tfrac{169}{8192}\varepsilon_3.$$

This proves that $z$ is within $[\tfrac{63}{64}, \tfrac{89}{64}] \simeq [0.984, 1.391]$ (the real result is $[1, 1.375]$), and that $t$ is within $[-\tfrac{93}{512}, \tfrac{329}{4196}] \simeq [-0.182, 0.078]$ (the real result is $[-0.066, 0]$). This means that we get a rather precise estimate of the quality of the algorithm that approximates the square root. Finally, examining the dependency of $t$ on the noise symbol modelling the input, we see that $\varepsilon_1 = 1$, that is $x = 2$, is the most likely value for reaching the maximum of $t$, in absolute value. This input value is thus a good test case to maximize the algorithmic error between the approximation of the square root and the real square root. Here it does indeed correspond to the worst case. These applications are detailed in [7], and stronger statements about test case generation can be found in [12], where a generalized form for abstract values is used for under-approximations.

3 Affine sets and zonotopes: notations and properties

In what follows, we introduce matrix notations to handle tuples of affine forms, which we call affine sets, and characterize the geometric concretisation of sets of values taken by these affine sets. We write $\mathcal{M}(n,p)$ for the space of matrices with $n$ lines and $p$ columns of real coefficients. An affine set expressing the set of values taken by $p$ variables over $n$ noise symbols $\varepsilon_i$, $1 \le i \le n$, can be represented by a matrix $A \in \mathcal{M}(n+1,p)$. For example, consider the affine set

$$\hat{x} = 20 - 4\varepsilon_1 + 2\varepsilon_3 + 3\varepsilon_4 \quad (1)$$
$$\hat{y} = 10 - 2\varepsilon_1 + \varepsilon_2 - \varepsilon_4, \quad (2)$$

we have $n = 4$, $p = 2$ and:

$${}^tA = \begin{pmatrix} 20 & -4 & 0 & 2 & 3 \\ 10 & -2 & 1 & 0 & -1 \end{pmatrix}.$$

Two matrix multiplications will be of interest in what follows:
– $Au$, where $u \in \mathbb{R}^p$, represents a linear combination of our $p$ variables, expressed on the $\varepsilon_i$ basis,
– ${}^tA e$, where $e \in \mathbb{R}^{n+1}$, $e_0 = 1$ and $\|e\|_\infty = \max_{0 \le i \le n} |e_i| \le 1$, represents the vector of actual values that our $p$ variables take for the particular values $e_i$ of each of our $\varepsilon_i$ noise variables.
In this case, the additional symbol $e_0$, which is equal to 1, accounts for constant terms, as done for instance in the zone abstract domain [18]. We formally define the zonotopic concretisation of affine sets by:

Definition 1. Let an affine set with $p$ variables over $n$ noise symbols be defined by a matrix $A \in \mathcal{M}(n+1,p)$. Its concretisation is the zonotope
$$\gamma(A) = \{ {}^tA\, {}^t(1 \mid e) \mid e \in \mathbb{R}^n, \|e\|_\infty \le 1 \} \subseteq \mathbb{R}^p.$$
We call its linear concretisation the zonotope centered on 0
$$\gamma_{lin}(A) = \{ {}^tA e \mid e \in \mathbb{R}^{n+1}, \|e\|_\infty \le 1 \} \subseteq \mathbb{R}^p.$$

For example, Figure 1 represents the concretization of the affine set defined by (1) and (2). It is a zonotope with center $(20, 10)$, given by the vector of constant coefficients of the affine forms.

[Figure 1: plot in the $(x, y)$ plane, $x$ from 10 to 30, $y$ from 5 to 15.] Fig. 1. Zonotope concretization $\gamma(A)$ of affine set {(1)-(2)}

Zonotopes are particular bounded convex polyhedra [19]. A way to characterize convex shapes is to consider support functions. For any direction $t \in \mathbb{R}^p$, let $p_t$ be the function which associates to all $x \in \mathbb{R}^p$, $p_t(x) = \langle t, x \rangle$, where $\langle \cdot, \cdot \rangle$ is the standard scalar product in $\mathbb{R}^p$, meaning that $p_t(x) = \sum_{i=1}^p t_i x_i$. Level-sets of support functions, i.e. sets defined by bounds on such functions, characterize convex sets [1], and nicely characterize zonotopes centered on 0:

Lemma 1. Let $S$ be a convex shape in $\mathbb{R}^p$. Then $S$ can be characterized as the (possibly infinite) intersection $\bigcap_{t \in \mathbb{R}^p} B_t$ of half-spaces of the form
$$B_t = \{ x \in \mathbb{R}^p \mid p_t(x) \le \sup_{y \in S} p_t(y) \}.$$
In case $S$ is a zonotope centered around 0, it has finitely many faces with normals $t_i$ ($1 \le i \le k$), and this intersection is finite:
$$S = \bigcap_{1 \le i \le k} \{ x \in \mathbb{R}^p \mid |p_{t_i}(x)| \le \sup_{y \in S} p_{t_i}(y) \}.$$

Furthermore, there is an easy way to characterize the linear concretization $\gamma_{lin}(A)$ (see also [15]):

Lemma 2.
Given a matrix $A \in \mathcal{M}(n+1,p)$, for all $t \in \mathbb{R}^p$,
$$\sup_{y \in \gamma_{lin}(A)} p_t(y) = \|At\|_1,$$
where $\|e\|_1 = \sum_{i=0}^n |e_i|$ is the $\ell_1$ norm.

Proof. First of all, $\gamma_{lin}(A)$ is the image of the unit disc for the $L_\infty$ norm by ${}^tA$, as we noted in Definition 1. Therefore,
$$\sup_{y \in \gamma_{lin}(A)} p_t(y) = \sup_{e \in \mathbb{R}^{n+1}, \|e\|_\infty \le 1} p_t({}^tA e).$$
We now have
$$p_t({}^tA e) = \langle t, {}^tA e \rangle = \langle At, e \rangle = \sum_{i=0}^n \sum_{j=1}^p a_{i,j} t_j e_i \le \sum_{i=0}^n \Big| \sum_{j=1}^p a_{i,j} t_j \Big| \, \|e\|_\infty = \|At\|_1 \|e\|_\infty.$$
This bound is reached for $e_i = \mathrm{sign}\big(\sum_{j=1}^p a_{i,j} t_j\big)$, which is such that $\|e\|_\infty = 1$. □

We illustrate Lemma 2 in Figure 2. Consider the matrix $A'$ associated to affine set {(1)-(2)} without its center. Its affine concretisation is the same zonotope as $\gamma(A)$ but centered on 0. For $l \in \mathbb{R}$, $t \in \mathbb{R}^p$, the $(l,t)$-level set corresponds to points on the hyperplane defined by: for $x \in \mathbb{R}^p$, $p_t(x) = \langle t, x \rangle = l$. This hyperplane is orthogonal to the line $L_t$ going through 0, with direction $t$. It intersects $L_t$ at a point $y = \lambda t$ such that $\|t\|_2^2 \lambda = l$. Given $t$ a direction in $\mathbb{R}^2$, the $(l,t)$-level set that intersects $\gamma_{lin}(A')$ with maximal value for $l$ realizes $l = \sup_{\gamma_{lin}(A')} p_t(y) = \|A't\|_1$ by Lemma 2. We now take three vectors $t$ such that $\|t\|_2 = 1$. For $t_1 = {}^t(1,0)$, $\|A't_1\|_1 = 9$; we find the maximum of its concretisation on the $x$-axis to be 9. For $t_2 = {}^t(3/5, 4/5)$, $\|A't_2\|_1 = 7/5$, and $\gamma_{lin}(A') \subseteq H_{t_2}$, where $H_{t_2}$ is the region (or band) between the line orthogonal to $t_2$, depicted as a blue dashed line, and its symmetric with respect to zero. For $t_3 = {}^t(2/\sqrt{40}, 6/\sqrt{40})$, which is orthogonal to a face of the zonotope, $\|A't_3\|_1 = 3/4$ and $\gamma_{lin}(A') \subseteq H_{t_3}$, which is the band between the two parallel faces in green.
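As an added illustration of Lemma 2 and of the matrix notation of this section (example code written for this page; it is not code from the paper, nor from the FLUCTUAT or Taylor1+ implementations), the following Python stores the affine set (1)-(2) as the matrix $A$ with its constant row 0, evaluates $\|A't\|_1$ for a direction $t$, derives the range of each variable from it, and cross-checks the support value against the $2^n$ vertices of the zonotope. The function names (`support_lin`, `var_bounds`, ...) are this example's own.

```python
from fractions import Fraction as F
from itertools import product

# Constructed example data: the affine set (1)-(2) of Section 3,
#   x = 20 - 4 e1 + 2 e3 + 3 e4,   y = 10 - 2 e1 + e2 - e4,
# stored as the matrix A in M(n+1, p) with n = 4, p = 2. Row 0 holds the
# constant terms (the e_0 = 1 convention); row i holds the coefficients of e_i.
A = [
    [F(20), F(10)],   # row 0: constants
    [F(-4), F(-2)],   # e1
    [F(0),  F(1)],    # e2
    [F(2),  F(0)],    # e3
    [F(3),  F(-1)],   # e4
]

def matvec(M, v):
    """Matrix-vector product M v for a list-of-rows matrix M."""
    return [sum(row[j] * v[j] for j in range(len(v))) for row in M]

def l1(v):
    return sum(abs(c) for c in v)

def support_lin(M, t):
    """Lemma 2: the sup of p_t over gamma_lin(M) equals ||M t||_1."""
    return l1(matvec(M, t))

def support(A, t):
    """Support function of gamma(A) in direction t: the constant row contributes
    <t, A_0> exactly, the noise rows contribute ||A' t||_1 (A' = A without row 0)."""
    centre = sum(A[0][j] * t[j] for j in range(len(t)))
    return centre + support_lin(A[1:], t)

def brute_force_support(A, t):
    """Cross-check: maximise p_t over all vertices of gamma(A), i.e. over all
    sign vectors e in {-1, 1}^n with e_0 = 1 (2^n points)."""
    n = len(A) - 1
    p = len(t)
    best = None
    for signs in product((-1, 1), repeat=n):
        e = (1,) + signs
        point = [sum(e[i] * A[i][j] for i in range(n + 1)) for j in range(p)]
        value = sum(t[j] * point[j] for j in range(p))
        best = value if best is None else max(best, value)
    return best

def var_bounds(A, k):
    """Interval of variable k (column k): the support values in direction -u_k and u_k,
    u_k the k-th unit vector, i.e. centre -/+ the l1 norm of the noise column."""
    t = [F(0)] * len(A[0])
    t[k] = F(1)
    return (-support(A, [-c for c in t]), support(A, t))

if __name__ == "__main__":
    print("x in", var_bounds(A, 0))                              # (11, 29)
    print("y in", var_bounds(A, 1))                              # (6, 14)
    print("||A' t1||_1 =", support_lin(A[1:], [F(1), F(0)]))    # 9
    print("sup of x+y:", support(A, [F(1), F(1)]), brute_force_support(A, [1, 1]))  # 41 41
```

The vertex enumeration is only a check: it is exponential in $n$, whereas the $\ell_1$-norm formula of Lemma 2 costs one matrix-vector product, which is what makes zonotopic bounds cheap in an analyser.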
And indeed, for any matrix $A$, $\gamma_{lin}(A)$ is entirely described by providing the set of values $\|At\|_1$, where $t$ varies among all directions in $\mathbb{R}^p$:

Lemma 3. For matrices $X \in \mathcal{M}(n,p)$ and $Y \in \mathcal{M}(m,p)$, we have $\gamma_{lin}(X) \subseteq \gamma_{lin}(Y)$ if and only if $\|Xu\|_1 \le \|Yu\|_1$ for all $u \in \mathbb{R}^p$.

Proof. Suppose first that $\|Xu\|_1 \le \|Yu\|_1$ for all $u \in \mathbb{R}^p$. By the first part of Lemma 1,
$$\gamma_{lin}(X) = \bigcap_{t \in \mathbb{R}^p} \{ x \in \mathbb{R}^p \mid p_t(x) \in [\inf_{y \in \gamma_{lin}(X)} p_t(y), \sup_{y \in \gamma_{lin}(X)} p_t(y)] \}$$
with $\sup_{y \in \gamma_{lin}(X)} p_t(y) = -\inf_{y \in \gamma_{lin}(X)} p_t(y) = \|Xt\|_1$ by Lemma 2. Thus
$$\gamma_{lin}(X) = \bigcap_{t \in \mathbb{R}^p} \{ x \in \mathbb{R}^p \mid |p_t(x)| \le \|Xt\|_1 \} \subseteq \bigcap_{t \in \mathbb{R}^p} \{ x \in \mathbb{R}^p \mid |p_t(x)| \le \|Yt\|_1 \} = \gamma_{lin}(Y).$$

[Figure 2: plot in the $(x, y)$ plane, $x$ from $-10$ to 10, $y$ from $-5$ to 5, showing the directions $t_1$, $t_2$, $t_3$ and the bands of width $2\|At_i\|_1$.] Fig. 2. Affine concretization $\gamma_{lin}(A')$ of affine set (1)-(2) without its center

Conversely, suppose $\gamma_{lin}(X) \subseteq \gamma_{lin}(Y)$. Then
$$\|Xt\|_1 = \sup_{x \in \gamma_{lin}(X)} p_t(x) \le \sup_{x \in \gamma_{lin}(Y)} p_t(x) = \|Yt\|_1. \quad \square$$

4 Perturbed affine sets

4.1 Rationale

Let us get back to the program defining function f in Section 2. We introduce a noise symbol $\varepsilon_1$ to represent the range of values $[-1,1]$ for $x$. Using for example the sub-optimal join operator described in Lemma 10 to come, the affine set for $x$ and $y$ at the end of the program will be $x = \varepsilon_1$, $y = \varepsilon_1 + \eta_1$, with a new (perturbation) noise symbol $\eta_1$. The corresponding zonotope $Z_1$ is depicted in solid red in Figure 3.

[Figure 3: plot in the $(x, y)$ plane, $x$ from $-1$ to 1, $y$ from $-2$ to 2, showing $Z_1$ and $Z_2$.] Fig. 3. Two abstractions for the result of example function f defined in Section 2

Now, a better geometrical abstraction of the abstract value of $(x, y)$ is the zonotope $Z_2$ depicted in dashed blue in Figure 3.
Since $y = x + 1$ for positive $x$ and $y = x - 1$ for negative $x$, we only have to include the two segments in solid dark in the smallest possible zonotope. This is realized easily by a zonotope defined by the faces $x - y \in [-1,1]$ and $y - 3x \in [-3,3]$. Let us take a new symbol $\eta_2$ to represent $x - y$, and $\eta_3$ to represent $y - 3x$. This gives $x = -0.5\eta_2 - 0.5\eta_3$ and $y = -1.5\eta_2 - 0.5\eta_3$. Although the corresponding blue zonotope $Z_2$ is strictly included in the red zonotope $Z_1$, so it is geometrically more precise, we lose relations to the input values. Indeed, symbols $\varepsilon_i$ express dependencies on inputs of the program, whereas symbols $\eta_i$ do not. Thus, computing $y$ minus the input of f, as in the main function of the example, gives $-\varepsilon_1 - 1.5\eta_2 - 0.5\eta_3 \in [-3,3]$. This range is far less precise than using the representation $Z_1$, where we find that this difference is equal to $\eta_1 \in [-1,1]$.

If we were not interested in input/output relations, a classical abstraction based on affine sets would be using the geometrical ordering on zonotopes. We would say that affine set $X$ is less than or equal to $Y$ iff $\gamma(X) \subseteq \gamma(Y)$. For the sake of simplicity in the present discussion, suppose that $\gamma(X)$ and $\gamma(Y)$ are centered on 0. By Lemma 3, we would then ask for $\|Xt\|_1 \le \|Yt\|_1$ for all $t \in \mathbb{R}^p$. Now, being interested in input/output relations, we will keep the existing symbols used to express possible ranges of values of input variables (for instance, $\varepsilon_1$ defines the value of input variable $x$ in the example above), which should have a very strict interpretation, as well as the noise symbols due to (non-linear) arithmetic operations. We call them the central noise symbols (such as $\varepsilon_1$).
And, to express uncertainty on these relations due to possibly different execution paths, we will add additional noise symbols which we call perturbation noise symbols (such as $\eta_1$ in the example above). We now define an ordered structure using these two sets of noise symbols.

4.2 Definition

We thus consider perturbed affine sets $X$ as Minkowski sums [1] of a central zonotope $\gamma(C^X)$ and of a perturbation zonotope (always centered on 0) $\gamma_{lin}(P^X)$:

Definition 2. We define a perturbed affine set $X$ by the pair of matrices $(C^X, P^X) \in \mathcal{M}(n+1,p) \times \mathcal{M}(m,p)$. We call $C^X = (c^X_{ik})_{0 \le i \le n, 1 \le k \le p}$ the central matrix, and $P^X = (p^X_{jk})_{1 \le j \le m, 1 \le k \le p}$ the perturbation matrix. The perturbed affine form
$$\pi_k(X) = c^X_{0k} + \sum_{i=1}^n c^X_{ik} \varepsilon_i + \sum_{j=1}^m p^X_{jk} \eta_j,$$
where the $\varepsilon_i$ are the central noise symbols and the $\eta_j$ the perturbation or union noise symbols, describes the $k$th variable of $X$. We call $\gamma(C^X)$ the central zonotope and $\gamma_{lin}(P^X)$ the perturbation zonotope.

For instance, $Z_1$ as defined in Section 4.1 is described by $C_1 = (1 \;\; 1)$, $P_1 = (0 \;\; 1)$ (the first column corresponds to variable $x$, the second column to $y$). $Z_2$ is described by $C_2 = (0 \;\; 0)$ (the line corresponding to $\varepsilon_1$) and
$$P_2 = \begin{pmatrix} -0.5 & -1.5 \\ -0.5 & -0.5 \end{pmatrix}$$
(the first line corresponds to perturbation symbol $\eta_2$, the second to $\eta_3$).

4.3 Ordered structure

Expressing $X$ less than or equal to $Y$ on these perturbed affine sets with the geometrical order yields
$$\|C^X t\|_1 - \|C^Y t\|_1 \le \|P^Y t\|_1 - \|P^X t\|_1, \quad \forall t \in \mathbb{R}^p.$$
But many transformations that leave $\|C^X t\|_1$ and $\|C^Y t\|_1$ fixed for all $t$, and thus preserve that inequality, lose the intended meaning of the central noise symbols. We can fix this easily, by strengthening this preorder.
Note that for all $t$, $\|C^X t\|_1 - \|C^Y t\|_1 \le \|(C^X - C^Y) t\|_1$, so defining $X \le Y$ iff $\|(C^X - C^Y) t\|_1 \le \|P^Y t\|_1 - \|P^X t\|_1$ should imply the geometrical ordering at least (as we will prove in Lemma 5). The good point is that no transformation on the central noise symbols is allowed any longer using this preorder (as the characterization of the equivalence relation generated by this preorder will show, see Lemma 4), keeping a strict interpretation of the noise symbols describing the values of the input variables, hence the input/output relations. We now formalize and study this stronger order:

Definition 3. Let $X = (C^X, P^X)$, $Y = (C^Y, P^Y)$ be two perturbed affine sets in $\mathcal{M}(n+1,p) \times \mathcal{M}(m,p)$. We say that $X \le Y$ iff
$$\sup_{u \in \mathbb{R}^p} \|(C^Y - C^X) u\|_1 + \|P^X u\|_1 - \|P^Y u\|_1 \le 0.$$

Coming back to our example of Section 4.1, $\gamma(Z_2) \subseteq \gamma(Z_1)$ but $Z_2 \not\le Z_1$. Take for instance $t = {}^t(1,1)$. Then $\|(C_1 - C_2) t\|_1 + \|P_2 t\|_1 - \|P_1 t\|_1 = 2 + 3 - 1 = 4 > 0$.

Lemma 4. The binary relation $\le$ of Definition 3 is a preorder. The equivalence relation generated by this preorder is $X \sim Y$ iff, by definition, $X \le Y$ and $Y \le X$. It can be characterized by $C^X = C^Y$ and $\gamma_{lin}(P^X) = \gamma_{lin}(P^Y)$ (geometrically speaking, as sets). We still denote $\le/\sim$ by $\le$ in the rest of the text.

Proof. Reflexivity of $\le$ is immediate. Suppose now $X \le Y$ and $Y \le Z$; then for all $u \in \mathbb{R}^p$:
$$\|(C^Y - C^X) u\|_1 \le \|P^Y u\|_1 - \|P^X u\|_1,$$
$$\|(C^Z - C^Y) u\|_1 \le \|P^Z u\|_1 - \|P^Y u\|_1.$$
Using the triangular inequality, we get
$$\|(C^Z - C^X) u\|_1 \le \|(C^Z - C^Y) u\|_1 + \|(C^Y - C^X) u\|_1 \le \|P^Z u\|_1 - \|P^Y u\|_1 + \|P^Y u\|_1 - \|P^X u\|_1 = \|P^Z u\|_1 - \|P^X u\|_1,$$
implying $X \le Z$, hence transitivity of $\le$.
Finally, $X \le Y$ and $Y \le X$ imply that for all $u \in \mathbb{R}^p$, $\|(C^Y - C^X) u\|_1$ is less than or equal to $\|P^Y u\|_1 - \|P^X u\|_1$ and is also less than or equal to $\|P^X u\|_1 - \|P^Y u\|_1$. Hence $(C^Y - C^X) u = 0$ for all $u$, meaning $C^Y = C^X$, and $\|P^X u\|_1 = \|P^Y u\|_1$ for all $u$. By Lemma 3 this exactly means that $\gamma_{lin}(P^X) = \gamma_{lin}(P^Y)$. □

Lemma 5. Take $X = (C^X, P^X)$ and $Y = (C^Y, P^Y)$. Then $X \le Y$ implies
$$\gamma\begin{pmatrix} C^X \\ P^X \end{pmatrix} \subseteq \gamma\begin{pmatrix} C^Y \\ P^Y \end{pmatrix}$$
or, said in a different manner, $\gamma(C^X) \oplus \gamma_{lin}(P^X) \subseteq \gamma(C^Y) \oplus \gamma_{lin}(P^Y)$, where $\oplus$ denotes the Minkowski sum. Note that $X \le Y$ implies $\gamma_{lin}(P^X) \subseteq \gamma_{lin}(P^Y)$.

Proof. It is easy to prove that $\gamma_{lin}\begin{pmatrix} C^X \\ P^X \end{pmatrix} \subseteq \gamma_{lin}\begin{pmatrix} C^Y \\ P^Y \end{pmatrix}$ given that $X \le Y$, using Lemma 3 and the triangular inequality for $\|\cdot\|_1$. However, what we want is a little stronger. In order to derive it, we define, for every matrix $A$ of dimension $(n+1) \times p$, a matrix $\tilde{A}$ of dimension $(n+1) \times (p+1)$ by
$$\tilde{A} = \left(\begin{array}{c|c} \begin{matrix} 1 \\ 0 \\ \vdots \\ 0 \end{matrix} & A \end{array}\right)$$
The interest of this transformation is that the zonotopic concretisation $\gamma(A)$ is a particular face (which is the intersection with a hyperplane) of the 0-centered zonotope $\gamma_{lin}(\tilde{A})$:
$$\gamma(A) = \gamma_{lin}(\tilde{A}) \cap \{ (1, x_1, \ldots, x_p) \mid (x_1, \ldots, x_p) \in \mathbb{R}^p \}. \quad (3)$$
We now prove $\gamma_{lin}\Big(\widetilde{\begin{pmatrix} C^X \\ P^X \end{pmatrix}}\Big) \subseteq \gamma_{lin}\Big(\widetilde{\begin{pmatrix} C^Y \\ P^Y \end{pmatrix}}\Big)$. For all $t = {}^t(t_0, \ldots, t_p) \in \mathbb{R}^{p+1}$,
$$\begin{aligned}
\Big\| \widetilde{\begin{pmatrix} C^X \\ P^X \end{pmatrix}} t \Big\|_1 - \Big\| \widetilde{\begin{pmatrix} C^Y \\ P^Y \end{pmatrix}} t \Big\|_1
&= \|\widetilde{C^X} t\|_1 - \|\widetilde{C^Y} t\|_1 + \|P^X t\|_1 - \|P^Y t\|_1 \\
&= \Big| t_0 + \sum_{k=1}^p c^X_{0,k} t_k \Big| - \Big| t_0 + \sum_{k=1}^p c^Y_{0,k} t_k \Big| + \|(c^X_{i,k})_{1 \le i \le n, 1 \le k \le p}\, {}^t(t_1, \ldots, t_p)\|_1 - \|(c^Y_{i,k})_{1 \le i \le n, 1 \le k \le p}\, {}^t(t_1, \ldots, t_p)\|_1 + \|P^X t\|_1 - \|P^Y t\|_1 \\
&\le \Big| \sum_{k=1}^p c^X_{0,k} t_k - \sum_{k=1}^p c^Y_{0,k} t_k \Big| + \|(c^X_{i,k})_{1 \le i \le n, 1 \le k \le p}\, {}^t(t_1, \ldots, t_p)\|_1 - \|(c^Y_{i,k})_{1 \le i \le n, 1 \le k \le p}\, {}^t(t_1, \ldots, t_p)\|_1 + \|P^X t\|_1 - \|P^Y t\|_1 \\
&\le \|(C^Y - C^X) t\|_1 + \|P^X t\|_1 - \|P^Y t\|_1 \le 0.
\end{aligned}$$
Hence by Lemma 3, $\gamma_{lin}\Big(\widetilde{\begin{pmatrix} C^X \\ P^X \end{pmatrix}}\Big) \subseteq \gamma_{lin}\Big(\widetilde{\begin{pmatrix} C^Y \\ P^Y \end{pmatrix}}\Big)$, which, by (3), implies the result. □

The order we define is in fact essentially more complex than the inclusion ordering, while still being computable:

Lemma 6. The partial order $\le$ is decidable, with a complexity bounded by a polynomial in $p$ and an exponential in $n+m$.

Proof. The problem can be solved using $O(2^{n+m})$ linear programs. Let $X = (C^X, P^X)$, $Y = (C^Y, P^Y)$ be two perturbed affine sets in $\mathcal{M}(n+1,p) \times \mathcal{M}(m,p)$. We want to decide algorithmically whether $X \le Y$, that is
$$\sup_{u \in \mathbb{R}^p} \|(C^Y - C^X) u\|_1 + \|P^X u\|_1 - \|P^Y u\|_1 \le 0.$$
Looking at the proof of Lemma 2, we see that
$$\|Au\|_1 = \sup_{e \in \mathbb{R}^{n+1}, \|e\|_\infty \le 1} \sum_{i=0}^n \sum_{j=1}^p a_{i,j} u_j e_i$$
and that this bound is reached for $e \in \mathbb{R}^{n+1}$ such that for all $i$, $e_i = 1$ or $e_i = -1$. We therefore produce, for each $e \in \mathbb{R}^{n+1}$, $f \in \mathbb{R}^m$ and $g \in \mathbb{R}^m$ with, for all $i$, $e_i = 1$ or $e_i = -1$, $f_i = 1$ or $f_i = -1$, $g_i = 1$ or $g_i = -1$, the following linear program:
$$\sup_{u \in \mathbb{R}^p} \sum_{i=0}^n \sum_{j=1}^p (c^Y_{i,j} - c^X_{i,j}) e_i u_j + \sum_{i=1}^m \sum_{j=1}^p p^X_{i,j} f_i u_j - \sum_{i=1}^m \sum_{j=1}^p p^Y_{i,j} g_i u_j$$
subject to
$$\sum_{j=1}^p (c^Y_{i,j} - c^X_{i,j}) u_j e_i \ge 0 \;\; \forall\, 0 \le i \le n, \qquad \sum_{j=1}^p p^X_{i,j} u_j f_i \ge 0 \;\; \forall\, 1 \le i \le m, \qquad \sum_{j=1}^p p^Y_{i,j} u_j g_i \ge 0 \;\; \forall\, 1 \le i \le m,$$
that we solve using any linear program solver (with polynomial complexity). We then check for each problem that it is either not satisfiable or its supremum is negative or zero. □

Fortunately, there is no need to use this general decision procedure in a static analyser by abstract interpretation. We refer the reader to the end of Section 4.6 for a discussion on this point.
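The order of Definition 3, as an added Python example (written for this page, not the authors' code): `order_gap` evaluates the expression under the sup for one direction $u$, so a positive value in any direction is a witness that $X \not\le Y$. It reproduces the paper's witness $t = {}^t(1,1)$ giving $2 + 3 - 1 = 4$ for $Z_2$ against $Z_1$, and contrasts it with the support function of the Minkowski sum $\gamma(C) \oplus \gamma_{lin}(P)$ of Lemma 5, which is no larger for $Z_2$ than for $Z_1$ in the sampled directions. The function names, the `Z1_WIDER` variant and the list of sampled directions are this example's own assumptions; sampling directions can only refute the order, and deciding it needs the linear programs of Lemma 6.

```python
from fractions import Fraction as F

def matvec(M, v):
    return [sum(row[j] * v[j] for j in range(len(v))) for row in M]

def l1(v):
    return sum(abs(c) for c in v)

def order_gap(X, Y, u):
    """The quantity of Definition 3 in direction u:
       ||(C^Y - C^X) u||_1 + ||P^X u||_1 - ||P^Y u||_1.
    X <= Y iff this is <= 0 for every u in R^p. The expression is positively
    homogeneous in u, so its sup is either 0 or +infinity; one direction with a
    positive value is a witness that X is not <= Y."""
    CX, PX = X
    CY, PY = Y
    diff = [[cy - cx for cx, cy in zip(rx, ry)] for rx, ry in zip(CX, CY)]
    return l1(matvec(diff, u)) + l1(matvec(PX, u)) - l1(matvec(PY, u))

def geometric_support(X, t):
    """Support function in direction t of gamma(C) (+) gamma_lin(P), the
    Minkowski sum of Lemma 5 (row 0 of C is the centre, the other rows and P
    contribute their l1 norms by Lemma 2)."""
    C, P = X
    centre = sum(C[0][j] * t[j] for j in range(len(t)))
    return centre + l1(matvec(C[1:], t)) + l1(matvec(P, t))

def refute_order(X, Y, directions):
    """Return the first sampled direction u with order_gap(X, Y, u) > 0, i.e. a
    witness that X is not <= Y, or None if no sampled direction refutes it.
    Sampling can only refute; proving X <= Y needs the linear programs of Lemma 6."""
    for u in directions:
        if order_gap(X, Y, u) > 0:
            return u
    return None

# Constructed data: Z1 and Z2 of Sections 4.1/4.2, columns (x, y), with the
# constant row 0 (all zeros) written explicitly so that C is in M(n+1, p), n = 1, p = 2.
Z1 = ([[F(0), F(0)],
       [F(1), F(1)]],                      # C1: x = e1, y = e1 (+ eta1)
      [[F(0), F(1)]])                      # P1: eta1 appears in y only
Z2 = ([[F(0), F(0)],
       [F(0), F(0)]],                      # C2: no dependency on e1 at all
      [[F(-1, 2), F(-3, 2)],               # P2 row eta2
       [F(-1, 2), F(-1, 2)]])              # P2 row eta3
# Z1 with its perturbation doubled: same central part, so Z1 <= Z1_WIDER holds
# for every u (the gap is -|u_2| <= 0).
Z1_WIDER = (Z1[0], [[F(0), F(2)]])

DIRECTIONS = [[F(1), F(0)], [F(0), F(1)], [F(1), F(1)], [F(1), F(-1)], [F(3), F(-1)]]

if __name__ == "__main__":
    print(order_gap(Z2, Z1, [F(1), F(1)]))            # 4: the paper's witness that Z2 is not <= Z1
    print(refute_order(Z1, Z1_WIDER, DIRECTIONS))     # None
    for t in DIRECTIONS:                               # geometrically, Z2 is no larger than Z1
        print(t, geometric_support(Z2, t), geometric_support(Z1, t))
```

In the direction ${}^t(3,-1)$ (the normal of the face $y - 3x \in [-3,3]$) the geometric support of $Z_2$ is 1 against 3 for $Z_1$, so inclusion of the zonotopes holds, while `order_gap` already exceeds 0 in the direction ${}^t(1,0)$: the stronger order refuses $Z_2 \le Z_1$ precisely because $Z_2$ has dropped $\varepsilon_1$ from its central matrix.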
4.4 Extension of affine arithmetic on perturbed affine forms

Interpretation of assignments and correctness issues. We detail below the interpretation of arithmetic expressions, dealing first with affine assignments, which do not lose any precision. We use a very simple form for the multiplication. There are in fact more precise ways to compute assignments containing polynomial expressions. Firstly, the multiplication formula can be improved, see [8,11]. Secondly, when interpreting a non-linear assignment, it is better in practice to introduce new noise symbols for the entire expression, and not for every non-linear elementary operation as we present here. But for the sake of simplicity, we do not describe this here. Note also that we would formally need to prove that projections onto a subset of variables (change of scope), and renumbering of variables, are monotonic operations, but these are easy checks and we omit them here.

Note finally that the proofs of monotonicity of our transfer functions are not only convenient for getting fixpoints for our abstract semantic functionals. They are also necessary for proving the correctness of our approach. As already stated in [11,13], the correctness criterion we need relies on the property that whenever $X \le Y$ are two perturbed affine sets, all future evaluations using expressions $e$ give smaller concretisations starting with $X$ than starting with $Y$, i.e. $\gamma([\![e]\!] X) \subseteq \gamma([\![e]\!] Y)$. This is proven easily as follows: as $[\![e]\!]$ is a composite of monotonic functions, $[\![e]\!] X \le [\![e]\!] Y$. The conclusion holds because of Lemma 5.

Affine assignments. We first define the assignment of a possibly unknown constant within bounds $a, b \in \mathbb{R}$ to a (new) variable, $x_{p+1} := [a,b]$:

Definition 4.
Let $X = (C^X, P^X)$ be a perturbed affine set in $\mathcal{M}(n+1,p) \times \mathcal{M}(m,p)$ and $a, b \in \mathbb{R}$. We define $Z = [\![x_{p+1} = [a,b]]\!] X \in \mathcal{M}(n+2,p+1) \times \mathcal{M}(m,p+1)$ with:
– $c^Z_{i,k} = c^X_{i,k}$ for all $i = 0, \ldots, n$, $k = 1, \ldots, p$
– $c^Z_{0,p+1} = \frac{a+b}{2}$, $c^Z_{i,p+1} = 0$ for all $i = 1, \ldots, n$ and $c^Z_{n+1,p+1} = \frac{|a-b|}{2}$
– $p^Z_{j,k} = p^X_{j,k}$ for all $j = 1, \ldots, m$, $k = 1, \ldots, p$
– $p^Z_{j,p+1} = 0$ for all $j = 1, \ldots, m$
Or in block matrix form,
$$C^Z = \left(\begin{array}{c|c} C^X & \begin{matrix} \frac{a+b}{2} \\ 0 \\ \vdots \\ 0 \end{matrix} \\ \hline 0 \cdots 0 & \frac{|a-b|}{2} \end{array}\right), \qquad P^Z = \left(\begin{array}{c|c} P^X & \begin{matrix} 0 \\ \vdots \\ 0 \end{matrix} \end{array}\right)$$
We carry on with addition, or more precisely the operation interpreting the assignment $x_{p+1} := x_i + x_j$ and adding the new variable $x_{p+1}$ to the affine set:

Definition 5. Let $X = (C^X, P^X)$ be a perturbed affine set in $\mathcal{M}(n+1,p) \times \mathcal{M}(m,p)$. We define $Z = [\![x_{p+1} = x_i + x_j]\!] X = (C^Z, P^Z) \in \mathcal{M}(n+1,p+1) \times \mathcal{M}(m,p+1)$ by
$$C^Z = \left(\begin{array}{c|c} C^X & \begin{matrix} c^X_{0,i} + c^X_{0,j} \\ \vdots \\ c^X_{n,i} + c^X_{n,j} \end{matrix} \end{array}\right) \quad \text{and} \quad P^Z = \left(\begin{array}{c|c} P^X & \begin{matrix} p^X_{1,i} + p^X_{1,j} \\ \vdots \\ p^X_{m,i} + p^X_{m,j} \end{matrix} \end{array}\right).$$

Finally, we give a meaning to the interpretation of assignments of the form $x_{p+1} := \lambda x_i$, for $\lambda \in \mathbb{R}$:

Definition 6. Let $X = (C^X, P^X)$ be a perturbed affine set in $\mathcal{M}(n+1,p) \times \mathcal{M}(m,p)$. We define $Z = [\![x_{p+1} = \lambda x_i]\!] X = (C^Z, P^Z) \in \mathcal{M}(n+1,p+1) \times \mathcal{M}(m,p+1)$ by
$$C^Z = \left(\begin{array}{c|c} C^X & \begin{matrix} \lambda c^X_{0,i} \\ \vdots \\ \lambda c^X_{n,i} \end{matrix} \end{array}\right) \quad \text{and} \quad P^Z = \left(\begin{array}{c|c} P^X & \begin{matrix} \lambda p^X_{1,i} \\ \vdots \\ \lambda p^X_{m,i} \end{matrix} \end{array}\right).$$

We can prove the correctness of our abstract semantics:

Lemma 7. The operations $X \mapsto [\![x_{p+1} = [a,b]]\!] X$, $X \mapsto [\![x_{p+1} = x_i + x_j]\!] X$ and $X \mapsto [\![x_{p+1} = \lambda x_i]\!] X$ are increasing over perturbed affine sets. Moreover, these three operations do not introduce over-approximations.

Proof. Suppose we are given two perturbed affine sets $X$ and $Y$ such that $X \le Y$.
First, for constant assignments, we have, for all $t \in \mathbb{R}^{p+1}$:
$$\|(C^{[\![x_{p+1}=[a,b]]\!]X} - C^{[\![x_{p+1}=[a,b]]\!]Y}) t\|_1 = \|(C^X - C^Y) t\|_1 \le \|P^Y t\|_1 - \|P^X t\|_1 \le \|P^{[\![x_{p+1}=[a,b]]\!]Y} t\|_1 - \|P^{[\![x_{p+1}=[a,b]]\!]X} t\|_1,$$
which shows monotonicity of $X \mapsto [\![x_{p+1} = [a,b]]\!] X$. The concretisation of $[\![x_{p+1} = [a,b]]\!] X$ is obviously exact.

Now for addition of variables, we have, for all $t \in \mathbb{R}^{p+1}$:
$$\begin{aligned}
\|(C^{[\![x_{p+1}=x_i+x_j]\!]X} - C^{[\![x_{p+1}=x_i+x_j]\!]Y}) t\|_1
&= \sum_{l=0}^n \Big| \sum_{k=1}^{p+1} \big(c^{[\![x_{p+1}=x_i+x_j]\!]X}_{l,k} - c^{[\![x_{p+1}=x_i+x_j]\!]Y}_{l,k}\big) t_k \Big| \\
&= \sum_{l=0}^n \Big| \sum_{k=1}^{p} (c^X_{l,k} - c^Y_{l,k}) t_k + (c^X_{l,i} + c^X_{l,j} - c^Y_{l,i} - c^Y_{l,j}) t_{p+1} \Big| \\
&= \|(C^X - C^Y)\, {}^t(t_1, \ldots, t_i + t_{p+1}, \ldots, t_j + t_{p+1}, \ldots, t_p)\|_1 \\
&\le \|P^Y\, {}^t(t_1, \ldots, t_i + t_{p+1}, \ldots, t_j + t_{p+1}, \ldots, t_p)\|_1 - \|P^X\, {}^t(t_1, \ldots, t_i + t_{p+1}, \ldots, t_j + t_{p+1}, \ldots, t_p)\|_1 \\
&= \|P^{[\![x_{p+1}=x_i+x_j]\!]Y} t\|_1 - \|P^{[\![x_{p+1}=x_i+x_j]\!]X} t\|_1,
\end{aligned}$$
which shows monotonicity of $X \mapsto [\![x_{p+1} = x_i + x_j]\!] X$. The concretisation of $[\![x_{p+1} = x_i + x_j]\!] X$ is obviously exact.

And finally, we have, for all $t \in \mathbb{R}^{p+1}$:
$$\begin{aligned}
\|(C^{[\![x_{p+1}=\lambda x_i]\!]X} - C^{[\![x_{p+1}=\lambda x_i]\!]Y}) t\|_1
&= \sum_{l=0}^n \Big| \sum_{k=1}^{p+1} \big(c^{[\![x_{p+1}=\lambda x_i]\!]X}_{l,k} - c^{[\![x_{p+1}=\lambda x_i]\!]Y}_{l,k}\big) t_k \Big| \\
&= \sum_{l=0}^n \Big| \sum_{k=1}^{p} (c^X_{l,k} - c^Y_{l,k}) t_k + \lambda (c^X_{l,i} - c^Y_{l,i}) t_{p+1} \Big| \\
&= \|(C^X - C^Y)\, {}^t(t_1, \ldots, t_i + \lambda t_{p+1}, \ldots, t_p)\|_1 \\
&\le \|P^Y\, {}^t(t_1, \ldots, t_i + \lambda t_{p+1}, \ldots, t_p)\|_1 - \|P^X\, {}^t(t_1, \ldots, t_i + \lambda t_{p+1}, \ldots, t_p)\|_1 \\
&= \|P^{[\![x_{p+1}=\lambda x_i]\!]Y} t\|_1 - \|P^{[\![x_{p+1}=\lambda x_i]\!]X} t\|_1,
\end{aligned}$$
which shows monotonicity of $X \mapsto [\![x_{p+1} = \lambda x_i]\!] X$. The concretisation of $[\![x_{p+1} = \lambda x_i]\!] X$ is obviously exact.
⊓⊔

Polynomial assignments. The following operation defines the multiplication of variables $x_i$ and $x_j$, appending the result to the perturbed affine set $X$. All polynomial assignments can be defined using this and the previous operations.

Definition 7. Let $X = (C^X, P^X)$ be a perturbed affine set in $M(n+1, p) \times M(m, p)$. We define $Z = (C^Z, P^Z) = [\![x_{p+1} = x_i \times x_j]\!]X \in M(n+2, p+1) \times M(m+1, p+1)$ by:
– $c^z_{i,k} = c^x_{i,k}$ and $c^z_{n+1,k} = 0$ for all $i = 0, \dots, n$ and $k = 1, \dots, p$
– $c^z_{0,p+1} = c^x_{0,i}\, c^y_{0,j}$
– $c^z_{l,p+1} = c^x_{0,i}\, c^y_{l,j} + c^x_{l,i}\, c^y_{0,j}$ for all $l = 1, \dots, n$
– $c^z_{n+1,p+1} = \sum_{1 \le r, l \le n} |c^x_{r,i}\, c^y_{l,j}|$
– $p^z_{l,k} = p^x_{l,k}$, $p^z_{m+1,k} = 0$ and $p^z_{l,p+1} = 0$, for all $l = 1, \dots, m$ and $k = 1, \dots, p$
– $p^z_{m+1,p+1} = \sum_{1 \le r, l \le m} |p^x_{r,i}\, p^y_{l,j}| + \sum_{1 \le l \le m,\ 0 \le r \le n} |c^x_{r,i}\, p^y_{l,j}| + \sum_{1 \le r \le m,\ 0 \le l \le n} |p^x_{l,i}\, c^y_{r,j}|$

Lemma 8. The operation $X \to [\![x_{p+1} = x_i \times x_j]\!]X$ is increasing, and has a concretisation which contains the set of points of the form $(x_1, \dots, x_{p+1})$ with $(x_1, \dots, x_p) \in \gamma(X)$ and $x_{p+1} = x_i x_j$.

Proof. Let $X$ and $Y$ be two perturbed affine sets such that $X \le Y$, and let $U = [\![x_{p+1} = x_i \times x_j]\!]X$ and $T = [\![x_{p+1} = x_i \times x_j]\!]Y$.
We compute, for all $t \in \mathbb{R}^{p+1}$:
$$\begin{aligned}
\|(C^T - C^Z)\, t\|_1 &= \Big| \sum_{l=1}^{p} (c^Y_{0,l} - c^X_{0,l})\, t_l + \big(c^Y_{0,i} c^Y_{0,j} - c^X_{0,i} c^X_{0,j}\big)\, t_{p+1} \Big| \\
&\quad + \sum_{k=1}^{n} \Big| \sum_{l=1}^{p} (c^Y_{k,l} - c^X_{k,l})\, t_l + \big(c^Y_{0,i} c^Y_{k,j} + c^Y_{k,i} c^Y_{0,j} - c^X_{0,i} c^X_{k,j} - c^X_{k,i} c^X_{0,j}\big)\, t_{p+1} \Big| \\
&\quad + \Big| \sum_{k=1}^{n} \sum_{l=1}^{n} \big( |c^Y_{k,i} c^Y_{l,j}| - |c^X_{k,i} c^X_{l,j}| \big)\, t_{p+1} \Big| \\
&\le \sum_{k=0}^{n} \Big| \sum_{l=1}^{p} (c^Y_{k,l} - c^X_{k,l})\, t_l \Big| + \Big| \big( (c^Y_{0,i} - c^X_{0,i})\, c^Y_{0,j} + c^X_{0,i}\, (c^Y_{0,j} - c^X_{0,j}) \big)\, t_{p+1} \Big| \\
&\quad + \sum_{k=1}^{n} \Big| \big( (c^Y_{k,j} - c^X_{k,j})\, c^X_{0,i} + c^Y_{k,j}\, (c^Y_{0,i} - c^X_{0,i}) + (c^Y_{k,i} - c^X_{k,i})\, c^Y_{0,j} + c^X_{k,i}\, (c^Y_{0,j} - c^X_{0,j}) \big)\, t_{p+1} \Big| \\
&\quad + \Big| \sum_{k=1}^{n} \sum_{l=1}^{n} \big( (|c^Y_{k,i}| - |c^X_{k,i}|)\, |c^Y_{l,j}| + |c^X_{k,i}|\, (|c^Y_{l,j}| - |c^X_{l,j}|) \big)\, t_{p+1} \Big| \\
&\le \|P^Y t\|_1 - \|P^X t\|_1 + \sum_{l=0}^{n} |c^Y_{l,j}| \sum_{k=0}^{n} |c^Y_{k,i} - c^X_{k,i}|\, |t_{p+1}| + \sum_{k=0}^{n} |c^X_{k,i}| \sum_{l=0}^{n} |c^Y_{l,j} - c^X_{l,j}|\, |t_{p+1}|
\end{aligned}$$
But $X \le Y$, so $\pi_i(X) \le \pi_i(Y)$ and $\pi_j(X) \le \pi_j(Y)$.
Therefore,
$$\sum_{k=0}^{n} |c^X_{k,i}| \sum_{l=0}^{n} |c^Y_{l,j} - c^X_{l,j}| \le \|\pi_i(C^X)\|_1 \big( \|\pi_j(P^Y)\|_1 - \|\pi_j(P^X)\|_1 \big)$$
and
$$\sum_{l=0}^{n} |c^Y_{l,j}| \sum_{k=0}^{n} |c^Y_{k,i} - c^X_{k,i}| \le \|\pi_j(C^Y)\|_1 \big( \|\pi_i(P^Y)\|_1 - \|\pi_i(P^X)\|_1 \big)$$
Hence,
$$\begin{aligned}
\|(C^T - C^Z)\, t\|_1 &\le \|P^Y t\|_1 + \|\pi_i(C^X)\|_1 \|\pi_j(P^Y)\|_1\, |t_{p+1}| + \|\pi_j(C^Y)\|_1 \|\pi_i(P^Y)\|_1\, |t_{p+1}| \\
&\quad - \|P^X t\|_1 - \|\pi_i(C^X)\|_1 \|\pi_j(P^X)\|_1\, |t_{p+1}| - \|\pi_j(C^Y)\|_1 \|\pi_i(P^X)\|_1\, |t_{p+1}| \\
&\le \|P^Y t\|_1 + \big( \|\pi_i(C^X - C^Y)\|_1 + \|\pi_i(C^Y)\|_1 \big) \|\pi_j(P^Y)\|_1\, |t_{p+1}| + \|\pi_j(C^Y)\|_1 \|\pi_i(P^Y)\|_1\, |t_{p+1}| \\
&\quad - \|P^X t\|_1 - \|\pi_i(C^X)\|_1 \|\pi_j(P^X)\|_1\, |t_{p+1}| - \big( \|\pi_j(C^X - C^Y)\|_1 + \|\pi_j(C^X)\|_1 \big) \|\pi_i(P^X)\|_1\, |t_{p+1}| \\
&\le \|P^Y t\|_1 + \big( \|\pi_i(P^Y)\|_1 \|\pi_j(P^Y)\|_1 + \|\pi_i(C^Y)\|_1 \|\pi_j(P^Y)\|_1 + \|\pi_j(C^Y)\|_1 \|\pi_i(P^Y)\|_1 \big)\, |t_{p+1}| \\
&\quad - \|P^X t\|_1 + \big( \|\pi_i(P^X)\|_1 \|\pi_j(P^X)\|_1 - \|\pi_i(C^X)\|_1 \|\pi_j(P^X)\|_1 - \|\pi_j(C^X)\|_1 \|\pi_i(P^X)\|_1 \big)\, |t_{p+1}|
\end{aligned}$$
Hence the result, since precisely
$$p^z_{m+1,p+1} = \sum_{1 \le r, l \le m} |p^x_{r,i}\, p^y_{l,j}| + \sum_{0 \le r \le n,\ 1 \le l \le m} |c^x_{r,i}\, p^y_{l,j}| + \sum_{0 \le l \le n,\ 1 \le r \le m} |p^x_{l,i}\, c^y_{r,j}|$$
is also equal to
$$\|\pi_i(P^X)\|_1 \|\pi_j(P^X)\|_1 + \|\pi_i(C^X)\|_1 \|\pi_j(P^X)\|_1 + \|\pi_j(C^X)\|_1 \|\pi_i(P^X)\|_1.$$
Finally, the fact that the image of $x_{p+1}$ contains all the products $x_i \times x_j$ is trivial. ⊓⊔

4.5 The join operator

We first recall the definition of a minimal upper bound, or mub:

Definition 8. Let $\sqsubseteq$ be a partial order on a set $X$. We say that $z$ is a mub of two elements $x, y$ of $X$ if and only if
– $z$ is an upper bound of $x$ and $y$, i.e. $x \sqsubseteq z$ and $y \sqsubseteq z$,
– for all $z'$ upper bound of $x$ and $y$, $z' \sqsubseteq z$ implies $z = z'$.

We give below an example of such mubs on perturbed affine sets.

Example 1. Consider
$$X = \begin{pmatrix} 1 + \varepsilon_1 \\ 1 + \varepsilon_1 \end{pmatrix}, \qquad Y = \begin{pmatrix} 1 + 2\varepsilon_1 \\ 1 + 2\varepsilon_1 \end{pmatrix}, \qquad Z = \begin{pmatrix} 1 + 1.5\,\varepsilon_1 + 0.5\,\eta_1 \\ 1 + 1.5\,\varepsilon_1 + 0.5\,\eta_1 \end{pmatrix}$$
$Z$ is a mub for $X$ and $Y$, given by a "midpoint" formula. This gives us an idea on how to find, in $O((n+m)p)$ time, a mub in some cases, or a tight upper bound in all cases:

Lemma 9. Let $X = (C^X, P^X)$ and $Y = (C^Y, P^Y)$ be two perturbed affine sets in $M(n+1, p) \times M(m, p)$. Upper bounds $Z = (C^Z, P^Z)$ of $X$ and $Y$ satisfy:
$$\forall t \in \mathbb{R}^p, \quad \|P^Z t\|_1 \ge \tfrac{1}{2} \big( \|(C^Y - C^X)\, t\|_1 + \|P^X t\|_1 + \|P^Y t\|_1 \big) \qquad (4)$$
When $\gamma_{lin}(P^X) = \gamma_{lin}(P^Y)$, there exists a mub $Z$ with $P^Z$ satisfying (4) with equality; it is defined by $Z = (C^Z, P^Z) \in M(n+1, p) \times M(m+n+1, p)$ with:
– $c^Z_{i,k} = \frac{1}{2} \big( c^X_{i,k} + c^Y_{i,k} \big)$ for all $i = 0, \dots, n$, $k = 1, \dots, p$
– $p^Z_{j+1,k} = \frac{1}{2} \big( c^X_{j,k} - c^Y_{j,k} \big)$ for all $j = 0, \dots, n$, $k = 1, \dots, p$
– $p^Z_{n+j+1,k} = p^X_{j,k}$ for all $j = 1, \dots, m$, $k = 1, \dots, p$

Proof. We begin by showing the following: let $X = (C^X, P^X)$ and $Y = (C^Y, P^Y)$ be two perturbed affine sets in $M(n+1, p) \times M(m, p)$. Minimal upper bounds $Z = (C^Z, P^Z)$ of $X$ and $Y$ satisfy:
$$\forall t \in \mathbb{R}^p, \quad \|P^Z t\|_1 \ge \tfrac{1}{2} \big( \|(C^Y - C^X)\, t\|_1 + \|P^X t\|_1 + \|P^Y t\|_1 \big) \qquad (5)$$
As $X \le Z$ and $Y \le Z$, we have, for all $t \in \mathbb{R}^p$:
$$\|(C^Z - C^X)\, t\|_1 \le \|P^Z t\|_1 - \|P^X t\|_1 \qquad (6)$$
$$\|(C^Z - C^Y)\, t\|_1 \le \|P^Z t\|_1 - \|P^Y t\|_1 \qquad (7)$$
So,
$$\|(C^Y - C^X)\, t\|_1 \le \|(C^Z - C^Y)\, t\|_1 + \|(C^Z - C^X)\, t\|_1 \le 2 \|P^Z t\|_1 - \|P^X t\|_1 - \|P^Y t\|_1$$
Therefore we have inequality (5). If ever we find $Z = (C^Z, P^Z)$ such that inequality (5) is in fact an equality, and such that $Z$ is an upper bound of $X$ and $Y$, then we are sure that $Z$ is a mub: whenever we take another upper bound $T$ of $X$ and $Y$, $T$ cannot possibly be strictly less than $Z$, for $\|P^Z t\|_1 - \|P^T t\|_1 \le 0$ by inequality (5).
We notice that the equation on the zonotope $P^Z$ given by
$$\|P^Z t\|_1 = \tfrac{1}{2} \big( \|(C^Y - C^X)\, t\|_1 + \|P^Y t\|_1 + \|P^X t\|_1 \big)$$
trivially realizing inequality (5) as an equality, can easily be solved by taking $P^Z$ as the Minkowski sum of the zonotopes given by $C^Y - C^X$, $P^Y$ and $P^X$, reduced in size by half. An easy choice is to make
$$P^Z = \frac{1}{2} \begin{pmatrix} C^Y - C^X \\ P^X \\ P^Y \end{pmatrix}$$
or any choice (with fewer noise symbols for instance) giving the same zonotope, geometrically. Now that we have found a potential $P^Z$, we rewrite inequalities (6) and (7):
$$\|(C^Z - C^X)\, t\|_1 \le \tfrac{1}{2} \big( \|(C^Y - C^X)\, t\|_1 + \|P^Y t\|_1 - \|P^X t\|_1 \big) \qquad (8)$$
$$\|(C^Z - C^Y)\, t\|_1 \le \tfrac{1}{2} \big( \|(C^Y - C^X)\, t\|_1 + \|P^X t\|_1 - \|P^Y t\|_1 \big) \qquad (9)$$
In case $\gamma_{lin}(P^X) = \gamma_{lin}(P^Y)$, inequalities (8) and (9) can be made into equalities, choosing $C^Z$ to have entries being the mean of the corresponding entries of $C^X$ and $C^Y$, exactly realizing $\|(C^Z - C^X)\, t\|_1 = \frac{1}{2} \|(C^Y - C^X)\, t\|_1 = \|(C^Z - C^Y)\, t\|_1$. In that case, we can choose for example
$$P^Z = \begin{pmatrix} \frac{1}{2} (C^Y - C^X) \\ P^X \end{pmatrix}.$$
⊓⊔

We do not fully discuss here the general case, but some intuition is given in Example 3. A good over-approximation of a mub is given by the above formula applied to $X' = (C^X, P^U)$ and $Y' = (C^Y, P^U)$, where $P^U$ is such that $\gamma(P^X) \cup \gamma(P^Y) \subseteq \gamma(P^U)$.

Example 2. Consider now:
$$X = \begin{pmatrix} 1 + 2\varepsilon_1 \\ -1 + \varepsilon_1 - 2\varepsilon_2 \end{pmatrix}, \qquad Y = \begin{pmatrix} 3 + \varepsilon_1 \\ 1 + 2\varepsilon_1 - \varepsilon_2 \end{pmatrix}$$
Using Lemma 9, we find
$$Z = \begin{pmatrix} 2 + 1.5\,\varepsilon_1 + \eta_1 - 0.5\,\eta_2 \\ 1.5\,\varepsilon_1 - 1.5\,\varepsilon_2 + \eta_1 + 0.5\,\eta_2 + 0.5\,\eta_3 \end{pmatrix}$$
which is indeed a mub. It is depicted in Figure 4.

Convergence acceleration. The trouble with Lemma 9 is that it may produce a lot of new noise symbols, so it is not always easily applicable. We thus introduce a less refined join operator, which also very often allows us to accelerate fixpoint convergence. For any interval $i$, we denote by $mid(i)$ its center.
Let $\alpha \wedge \beta$ denote the minimum of two real numbers, and $\alpha \vee \beta$ their maximum. We define
$$\operatorname{argmin}_{|.|}(\alpha, \beta) = \{ \gamma \in [\alpha \wedge \beta, \alpha \vee \beta],\ |\gamma| \text{ minimal} \}$$

Lemma 10. Let $X = (C^X, P^X)$ and $Y = (C^Y, P^Y)$ be two perturbed affine sets in $M(n+1, p) \times M(m, p)$. We define $Z = (C^Z, P^Z) = X \nabla Y \in M(n+1, p) \times M(m+p, p)$ by:
– $c^Z_{0,k} = mid\big( \gamma(\pi_k(X)) \cup \gamma(\pi_k(Y)) \big)$ for all $k = 1, \dots, p$
– $c^Z_{i,k} = \operatorname{argmin}_{|.|}(c^X_{i,k}, c^Y_{i,k})$ for all $i = 1, \dots, n$, $k = 1, \dots, p$
– $p^Z_{j,k} = \operatorname{argmin}_{|.|}(p^X_{j,k}, p^Y_{j,k})$ for all $j = 1, \dots, m$, $k = 1, \dots, p$
– $p^Z_{m+j,j} = \sup \big( \gamma(\pi_j(X)) \cup \gamma(\pi_j(Y)) \big) - \sup \gamma \big( c^Z_{0,j} + \sum_{i=1}^{n} c^Z_{i,j}\, \varepsilon_i + \sum_{i=1}^{m} p^Z_{i,j}\, \eta_i \big)$ for all $j = 1, \dots, p$
– $p^Z_{m+j,k} = 0$ for all $j, k = 1, \dots, p$ with $j \ne k$

Then $Z$ is an upper bound of $X$ and $Y$ such that for all $k = 1, \dots, p$, $\gamma(\pi_k(Z)) = \gamma(\pi_k(X)) \cup \gamma(\pi_k(Y))$.

Proof. We prove that $X \le Z$, the property that $\gamma(\pi_k(Z)) = \gamma(\pi_k(X)) \cup \gamma(\pi_k(Y))$ being easy to check (by construction!). Now, we want to prove the negativity, for all $t \in \mathbb{R}^p$, of:
$$\sum_{i=0}^{n} \Big| \sum_{k=1}^{p} (c^Z_{i,k} - c^X_{i,k})\, t_k \Big| + \sum_{j=1}^{m} \Big| \sum_{k=1}^{p} p^X_{j,k}\, t_k \Big| - \sum_{j=1}^{m} \Big| \sum_{k=1}^{p} p^Z_{j,k}\, t_k \Big| - \sum_{j=1}^{p} |p^Z_{m+j,j}\, t_j|$$
By the triangular inequality, the sum of the first two terms is less than or equal to
$$\sum_{i=0}^{n} \Big| \sum_{k=1}^{p} (c^Z_{i,k} - c^X_{i,k})\, t_k \Big| + \sum_{j=1}^{m} \Big| \sum_{k=1}^{p} (p^Z_{j,k} - p^X_{j,k})\, t_k \Big|$$
which, using it again for each sum, is less than or equal to
$$\sum_{k=1}^{p} |t_k| \Big( \sum_{i=1}^{n} |c^Z_{i,k} - c^X_{i,k}| + \sum_{j=1}^{m} |p^Z_{j,k} - p^X_{j,k}| \Big)$$
But we know by [13], section 3.5.1, where this operator for acceleration of convergence was defined, that for all $k = 1, \dots, p$, $\sum_{i=0}^{n} |c^Z_{i,k} - c^X_{i,k}| + \sum_{j=1}^{m} |p^Z_{j,k} - p^X_{j,k}| \le |p^Z_{m+k,k}|$. So overall, this is less than $\sum_{k=1}^{p} |p^Z_{m+k,k}\, t_k|$.
⊓⊔

This $\nabla$ operation may be sub-optimal, but the concretisations on each axis (i.e. the immediate concretisation of all program variables) are optimal. Also, while its cost of computation is still $O((n+m)p)$, it may produce far fewer perturbation symbols, and may even kill some of the central symbols.

Example 3. Consider $X$ and $Y$ as defined in Example 2:
$$Z' = X \nabla Y = \begin{pmatrix} 1.5 + \varepsilon_1 + 1.5\,\eta_1 \\ \varepsilon_1 - \varepsilon_2 + 2\,\eta_2 \end{pmatrix}$$
Note that (see Figure 4) $Z'$ has the smallest possible concretisations on the $x$ and $y$ coordinates: respectively $[-1, 4]$ and $[-4, 4]$, which is strictly better than what we had with the mub $Z$ in Example 2 (respectively $[-1, 5]$ and $[-5, 5]$). But it does not share perturbation noise symbols, as $Z$ does, and along direction $t = {}^t(-1, 1)$, we find $Z' t = y - x \in [-6, 3]$, which is not as good as we had with $Z$: $Z t \in [-5, 1]$. In fact, $Z$ and $Z'$ are not comparable under $\le$. But $Z'$ is not a mub; just consider:
$$Z'' = \begin{pmatrix} 1.5 + \varepsilon_1 + 0.5\,\eta_1 + \eta_2 \\ \varepsilon_1 - \varepsilon_2 + \eta_1 + \eta_3 \end{pmatrix}$$
We can prove that $Z'' \le Z'$, and in fact $Z''$ is a mub. $Z''$ has the smallest possible concretisations on the $x$ and $y$ axes as shown in Figure 4, but $Z'' t \in [-5, 2]$, which is not as accurate as $Z t$: $Z$ and $Z''$ are also incomparable.

Fig. 4. $Z$ and $Z''$ are mubs for $X$ and $Y$, while $Z'$ is not. (Figure: the zonotopes $X$, $Y$, $Z$, $Z'$ and $Z''$ drawn in the $(x, y)$ plane, $x \in [-2, 5]$, $y \in [-5, 5]$.)

4.6 Kleene-like iteration schemes

We first note that we have enough mubs to hope for a Kleene-like iteration:

Lemma 11. Let $S$ be a bounded and countable directed set of perturbed affine sets, all in $M(n+1, p) \times M(m, p)$. Then there exists a minimal upper bound for $S$, given by the limit matrices $\lim_{u \to \infty} X_u = (\lim_{u \to \infty} C_u, \lim_{u \to \infty} P_u)$.

Proof. We thus have $X$ a perturbed affine set and $S = \{X_0, \dots, X_u, \dots\}$ with $X_i \le X_j \le X$ for all $i, j$ with $i \le j$.
Thus, for all $t \in \mathbb{R}^p$,
$$\|(C_j - C_i)\, t\|_1 \le \|P_j t\|_1 - \|P_i t\|_1$$
This entails first that $(\|P_u t\|_1)_{u \in \mathbb{N}}$ is increasing. Also, as for all $u$, $X_u \le X$, this means that $0 \le \|(C^X - C_u)\, t\|_1 \le \|P^X t\|_1 - \|P_u t\|_1$, so the sequence $(\|P_u t\|_1)_{u \in \mathbb{N}}$ is also bounded by $\|P^X t\|_1$. Hence it converges for all $t$. This means also that $\|(C_j - C_i)\, t\|_1$ can be made as small as wanted with $i$ and $j$ sufficiently big, for all $t$. Hence, as $(\mathbb{R}^p, \|.\|_1)$ is a Banach space, this means that for all $t$, $C_u t$ converges when $u$ goes to infinity. This entails the convergence of the sequence of matrices $C_u$ in the fixed dimension space $M(n+1, p)$, and similarly for $P_u$ in $M(m, p)$. Note that this finite dimension requirement is necessary. As for polyhedra, an infinite union of zonotopes might not be a zonotope: just think of a zonotope with a growing number of faces, approximating a circle. The fact that the limit matrices define a minimal upper bound is an obvious consequence of the fact that the order $\le$ is closed in $(M(n+1, p) \times M(m, p))^2$, and of basic properties of limits. ⊓⊔

As we have only this form of bounded completeness, and not unconditional completeness, our iteration schemes will be parameterized by a large interval $I$: as soon as the current iterate leaves $I^p$, we end the iteration with $\top$. The following formalizes the iteration scheme and stopping criterion used, parametrized by a join operator (for instance, the $\nabla$ operator defined in Lemma 10):

Definition 9.
Given an upper-bound operator $U$, the $U$-iteration scheme for a strict, continuous and increasing functional $F$ on perturbed affine sets (extended with a formal $\bot$ and $\top$) is as follows:
– Start with $X_0 = \bot$
– Then iterate: $X_{u+1} = X_u \; U \; F(X_u)$, starting with $u = 1$
  • if $\gamma(X_{u+1}) \subseteq \gamma(X_u)$, then stop with $X_{u+1}$
  • if $\gamma(X_{u+1}) \not\subseteq I^p$, then end with $\top$

Note that our semantic operators only produce continuous and increasing functionals $F$. Also, initial and cyclic unfoldings are generally applied on top of this iteration scheme, so as to improve the precision of the analysis, see [8,13], and we cut the iteration after a finite time. We prove below the correctness of this scheme and of its stopping criterion. We also indicate its worst-case complexity:

Lemma 12. Let $F$ be a strict, continuous and increasing functional on perturbed affine sets. Consider the $U$-iteration scheme of Definition 9. Then $\gamma(X_{u+1}) \subseteq \gamma(X_u)$ can be checked in $O(p(n+m)^2)$ time, and guarantees that $X_{u+1}$ is a post-fixed point of $F$.

Proof. We consider the countable and directed set $S = \{X_u \mid u \in \mathbb{N}\}$ where $X_u = \mathop{U}_{j=0}^{u} F^j(\bot)$. If it is unbounded, the $U$-iteration scheme will end up with $\top$ in finite time. Otherwise, apply Lemma 11. Define $G = F \; U \; Id$; it is continuous and $G(\lim_{u \to \infty} X_u) = \lim_{u \to \infty} G(X_u) = \lim_{u \to \infty} X_u$, so the limit of the $U$-iteration scheme is a fixed point of $G$, i.e. a post-fixed point of $F$. The test $\gamma(X_{u+1}) \subset \gamma(X_u)$, given that $X_u \le X_{u+1}$ of course, is enough for checking whether we reached the limit. We have already proven that if the stopping criterion is correct, then the $U$-iteration scheme converges towards $\top$ or towards a post-fixed point of $F$, in practice in finite time, since we always cut the iteration scheme after a fixed number of iterations.
Suppose we apply our stopping criterion, i.e. $\gamma(X_{u+1}) \subseteq \gamma(X_u)$. But we also have $X_u \le X_{u+1}$. Then for all $t \in \mathbb{R}^p$,
$$\|C^{X_{u+1}} t\|_1 - \|C^{X_u} t\|_1 \le \|P^{X_{u+1}} t\|_1 - \|P^{X_u} t\|_1$$
$$\|(C^{X_{u+1}} - C^{X_u})\, t\|_1 \le \|P^{X_{u+1}} t\|_1 - \|P^{X_u} t\|_1$$
Adding these two inequalities together, we find:
$$\|C^{X_{u+1}} t\|_1 + \|(C^{X_{u+1}} - C^{X_u})\, t\|_1 \le \|C^{X_u} t\|_1$$
But the triangular inequality also shows the inverse inequality, therefore:
$$\|C^{X_{u+1}} t\|_1 + \|(C^{X_{u+1}} - C^{X_u})\, t\|_1 = \|C^{X_u} t\|_1$$
So we also have:
$$\|(C^{X_{u+1}} - C^{X_u})\, t\|_1 \ge \|P^{X_u} t\|_1 - \|P^{X_{u+1}} t\|_1$$
This implies that for all $t \in \mathbb{R}^p$, $\|(C^{X_{u+1}} - C^{X_u})\, t\|_1 = 0$ and $\|P^{X_u} t\|_1 = \|P^{X_{u+1}} t\|_1$, i.e. $X_{u+1} \sim X_u$. Hence, if we stop using this criterion, then we stop at a post-fixed point of $F$. 
⊓⊔

In practice, we first use the simpler $O((n+m)p)$ time test: $\forall k = 1, \dots, p$, $\|X_{u+1} t_k\|_1 \le \|X_u t_k\|_1$, where $t_k$ is the vector with all entries $0$ except at position $k$. It is only when this test is true that we compute the full test $\gamma(X_{u+1}) \subseteq \gamma(X_u)$. Results on fixed-point computations, and comparisons with other abstract domains such as polyhedra, are described for preliminary versions of this domain in [8,13]. We plan to develop them for this domain in a longer version.

5 Conclusion and future work

We set up a formal framework for a fast and accurate abstract analysis based on zonotopes. There are several directions from there. First of all, we did not thoroughly detail the best way to compute (minimal) upper bounds; this will be done in the longer version. Secondly, as can be noticed with the analysis of function $f$ of Section 2, the perturbation symbol $\eta_1$ can be associated with the if statement, with discrete values $\{-1, 1\}$ expressing whether the control flow went through the true or the false branch.
This can be generalized to encode some of the interesting (semantical) disjunctive information, necessary for reaching precise invariants. Third, a drawback of our domain is that tests are in general not interpreted. We are currently thinking of a simple and elegant extension that would allow for computing accurate intersections. Last but not least, we plan to carry on the study initiated in [13]. Given a program implementing a concrete numerical scheme, our abstraction gives us a perturbed numerical scheme, which can be studied for convergence similarly to the concrete scheme. We started with linear recursive filters, where we had very good results, but this is likely to extend to some non-linear iterative schemes of wide interest.

References

1. D. P. Bertsekas, A. Nedic, and A. E. Ozdaglar. Convex Analysis and Optimization. Athena Scientific, 2003.
2. A. Bouajjani and O. Maler, editors. Computer Aided Verification, 21st International Conference, CAV 2009, Grenoble, France, June 26 - July 2, 2009. Proceedings, volume 5643 of Lecture Notes in Computer Science. Springer, 2009.
3. R. Chatterjee, B. G. Ryder, and W. A. Landi. Relevant context inference. In POPL '99: Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, pages 133–146, New York, NY, USA, 1999. ACM.
4. J. L. D. Comba and J. Stolfi. Affine arithmetic and its applications to computer graphics. In VI Simpósio Brasileiro de Computação Gráfica e Processamento de Imagens (SIBGRAPI'93), pages 9–18, 1993.
5. P. Cousot and R. Cousot. Galois connection based abstract interpretations for strictness analysis, invited paper. In D. Bjørner, M. Broy, and I.V. Pottosin, editors, Proceedings of the International Conference on Formal Methods in Programming and their Applications, Academgorodok, Novosibirsk, Russia, Lecture Notes in Computer Science 735, pages 98–127. Springer-Verlag, Berlin, Germany, 28 June – 2 July 1993.
6. P. Cousot and R. Cousot. Compositional separate modular static analysis of programs by abstract interpretation. In Proceedings of the Second International Conference on Advances in Infrastructure for E-Business, E-Science and E-Education on the Internet, SSGRR 2001, Compact disk, L'Aquila, Italy, 6–12 August 2001. Scuola Superiore G. Reiss Romoli.
7. D. Delmas, E. Goubault, S. Putot, J. Souyris, K. Tekkal, and F. Védrine. Towards an industrial use of fluctuat on safety-critical avionics software. In To appear in Proceedings of FMICS, LNCS 5825, 2009.
8. K. Ghorbal, E. Goubault, and S. Putot. The zonotope abstract domain taylor1+. In CAV '09: Proceedings of the 21st International Conference on Computer Aided Verification, pages 627–633, Berlin, Heidelberg, 2009. Springer-Verlag.
9. A. Girard. Reachability of uncertain linear systems using zonotopes. In M. Morari and L. Thiele, editors, HSCC, volume 3414 of Lecture Notes in Computer Science, pages 291–305. Springer, 2005.
10. A. Girard and C. Le Guernic. Zonotope/hyperplane intersection for hybrid systems reachability analysis. In HSCC '08: Proceedings of the 11th international workshop on Hybrid Systems, pages 215–228, Berlin, Heidelberg, 2008. Springer-Verlag.
11. E. Goubault and S. Putot. Static analysis of numerical algorithms. In Kwangkeun Yi, editor, SAS, volume 4134 of Lecture Notes in Computer Science, pages 18–34. Springer, 2006.
12. E. Goubault and S. Putot. Under-approximations of computations in real numbers based on generalized affine arithmetic. In H. R. Nielson and G. Filé, editors, SAS, volume 4634 of Lecture Notes in Computer Science, pages 137–152. Springer, 2007.
13. E. Goubault and S. Putot. Perturbed affine arithmetic for invariant computation in numerical program analysis. CoRR, abs/0807.2961, 2008.
14. E. Goubault, S. Putot, P. Baufreton, and J. Gassino. Static analysis of the accuracy in control systems: Principles and experiments. In S. Leue and P. Merino, editors, FMICS, volume 4916 of Lecture Notes in Computer Science, pages 3–20. Springer, 2007.
15. C. Le Guernic and A. Girard. Reachability analysis of hybrid systems using support functions. In Bouajjani and Maler [2], pages 540–554.
16. L. J. Guibas, A. Nguyen, and L. Zhang. Zonotopes as bounding volumes. In SODA, pages 803–812, 2003.
17. B. Jeannet and A. Miné. Apron: A library of numerical abstract domains for static analysis. In Bouajjani and Maler [2], pages 661–667.
18. A. Miné. A new numerical abstract domain based on difference-bound matrices. In PADO '01: Proceedings of the Second Symposium on Programs as Data Objects, pages 155–172, London, UK, 2001. Springer-Verlag.
19. G. M. Ziegler. Lectures on Polytopes (updated seventh printing). Number 152 in Graduate Texts in Mathematics. Springer-Verlag, 2007.
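As an added example, not part of the paper and not the authors' own implementation, the following Python prototype implements perturbed affine sets $X = (C, P)$ as plain matrices and the operations of Sections 4.4 and 4.5: Definitions 4 to 7, the mub of Lemma 9 in the case $\gamma_{lin}(P^X) = \gamma_{lin}(P^Y)$ (using the final choice of $P^Z$ from its proof), the bound (4), and the $\nabla$ join of Lemma 10, run on Examples 2 and 3. It assumes the usual reading of every noise symbol $\varepsilon_i$, $\eta_j$ as ranging over $[-1, 1]$ for concretisation, stores matrices as lists of float rows, and uses 1-based variable indices as in the paper; all function names are the example's own.

```python
# Added example, not from the paper: perturbed affine sets X = (C, P) as lists of rows.
# C has n+1 rows (row 0 = centre, rows 1..n = central noise symbols eps_i), P has m rows
# (perturbation symbols eta_j); both have one column per program variable.  Assumed
# semantics: every noise symbol ranges over [-1, 1].  Variable indices are 1-based.

def dims(X):
    """(n, m, p) for X = (C, P)."""
    C, P = X
    return len(C) - 1, len(P), len(C[0])

def norm1(M, t):
    """||M t||_1 for a matrix M given as a list of rows."""
    return sum(abs(sum(a * b for a, b in zip(row, t))) for row in M)

def concretise(X, t):
    """Interval of sum_k t_k x_k over gamma(X): centre (C t)_0, radius = other |(C t)_i| + ||P t||_1."""
    C, P = X
    centre = sum(a * b for a, b in zip(C[0], t))
    radius = norm1(C[1:], t) + norm1(P, t)
    return centre - radius, centre + radius

def concretise_var(X, k):
    """gamma(pi_k(X)): the interval of the k-th variable."""
    return concretise(X, [1.0 if q == k - 1 else 0.0 for q in range(dims(X)[2])])

def assign_interval(X, a, b):
    """Definition 4: x_{p+1} := [a, b], with one fresh central symbol eps_{n+1}."""
    C, P = X
    n, m, p = dims(X)
    Cz = [row + [0.0] for row in C] + [[0.0] * p + [abs(a - b) / 2]]
    Cz[0][p] = (a + b) / 2
    return Cz, [row + [0.0] for row in P]

def assign_add(X, i, j):
    """Definition 5: x_{p+1} := x_i + x_j (exact: no fresh symbol)."""
    C, P = X
    return [r + [r[i-1] + r[j-1]] for r in C], [r + [r[i-1] + r[j-1]] for r in P]

def assign_scale(X, lam, i):
    """Definition 6: x_{p+1} := lam * x_i (exact: no fresh symbol)."""
    C, P = X
    return [r + [lam * r[i-1]] for r in C], [r + [lam * r[i-1]] for r in P]

def assign_mul(X, i, j):
    """Definition 7: x_{p+1} := x_i * x_j.  eps*eps products are folded into a fresh
    eps_{n+1}; every product involving an eta is folded into a fresh eta_{m+1}."""
    C, P = X
    n, m, p = dims(X)
    ci, cj = [r[i-1] for r in C], [r[j-1] for r in C]
    pi, pj = [r[i-1] for r in P], [r[j-1] for r in P]
    col = [ci[0] * cj[0]] + [ci[0] * cj[l] + ci[l] * cj[0] for l in range(1, n + 1)]
    eps_new = sum(abs(ci[r] * cj[l]) for r in range(1, n + 1) for l in range(1, n + 1))
    eta_new = (sum(abs(pi[r] * pj[l]) for r in range(m) for l in range(m))
               + sum(abs(ci[r] * pj[l]) for r in range(n + 1) for l in range(m))
               + sum(abs(pi[l] * cj[r]) for l in range(m) for r in range(n + 1)))
    Cz = [r + [col[l]] for l, r in enumerate(C)] + [[0.0] * p + [eps_new]]
    Pz = [r + [0.0] for r in P] + [[0.0] * p + [eta_new]]
    return Cz, Pz

def lemma9_bound(X, Y, Z, t):
    """(lhs, rhs) of inequality (4): ||P^Z t||_1 >= (||(C^Y - C^X) t||_1 + ||P^X t||_1 + ||P^Y t||_1) / 2."""
    diff = [[b - a for a, b in zip(rx, ry)] for rx, ry in zip(X[0], Y[0])]
    return norm1(Z[1], t), (norm1(diff, t) + norm1(X[1], t) + norm1(Y[1], t)) / 2

def join_mub(X, Y):
    """Lemma 9, case gamma_lin(P^X) = gamma_lin(P^Y): average the centres, turn half of
    C^X - C^Y into n+1 fresh perturbation symbols, keep P^X."""
    (Cx, Px), (Cy, Py) = X, Y
    Cz = [[(a + b) / 2 for a, b in zip(rx, ry)] for rx, ry in zip(Cx, Cy)]
    Pz = [[(a - b) / 2 for a, b in zip(rx, ry)] for rx, ry in zip(Cx, Cy)] + [r[:] for r in Px]
    return Cz, Pz

def argmin_abs(a, b):
    """argmin_{|.|}(a, b): the point of [a ^ b, a v b] closest to zero."""
    lo, hi = min(a, b), max(a, b)
    return 0.0 if lo <= 0.0 <= hi else (lo if abs(lo) < abs(hi) else hi)

def join_nabla(X, Y):
    """Lemma 10: X nabla Y.  Exact on every axis; a fresh eta per variable absorbs what
    the kept symbols do not reach."""
    (Cx, Px), (Cy, Py) = X, Y
    n, m, p = dims(X)
    Cz = [[0.0] * p] + [[argmin_abs(a, b) for a, b in zip(rx, ry)] for rx, ry in zip(Cx[1:], Cy[1:])]
    Pz = [[argmin_abs(a, b) for a, b in zip(rx, ry)] for rx, ry in zip(Px, Py)]
    Pz += [[0.0] * p for _ in range(p)]             # rows m+1..m+p hold p^Z_{m+k,k}
    for k in range(1, p + 1):
        lo = min(concretise_var(X, k)[0], concretise_var(Y, k)[0])
        hi = max(concretise_var(X, k)[1], concretise_var(Y, k)[1])
        Cz[0][k-1] = (lo + hi) / 2                  # mid of the union of the two intervals
        Pz[m + k - 1][k-1] = hi - concretise_var((Cz, Pz), k)[1]
    return Cz, Pz

def example_2():
    """Examples 2 and 3 of the paper: X = (1 + 2e1, -1 + e1 - 2e2), Y = (3 + e1, 1 + 2e1 - e2)."""
    X = ([[1.0, -1.0], [2.0, 1.0], [0.0, -2.0]], [])
    Y = ([[3.0, 1.0], [1.0, 2.0], [0.0, -1.0]], [])
    Z, Zp = join_mub(X, Y), join_nabla(X, Y)
    t = [-1.0, 1.0]                                 # direction y - x of Example 3
    return {"Z": (concretise_var(Z, 1), concretise_var(Z, 2), concretise(Z, t)),
            "Z'": (concretise_var(Zp, 1), concretise_var(Zp, 2), concretise(Zp, t)),
            "bound_Z": lemma9_bound(X, Y, Z, t), "bound_Z'": lemma9_bound(X, Y, Zp, t)}

if __name__ == "__main__":
    for name, val in example_2().items():
        print(name, val)
```

Run as a script, `example_2()` reproduces the intervals of Examples 2 and 3: the Lemma 9 mub $Z$ gives $x \in [-1, 5]$, $y \in [-5, 5]$ and $y - x \in [-5, 1]$, while $Z' = X \nabla Y$ gives the tighter $x \in [-1, 4]$, $y \in [-4, 4]$ but the looser $y - x \in [-6, 3]$. Along $t = (-1, 1)$ the bound (4) holds with equality for $Z$ ($1.5 = 1.5$) and strictly for $Z'$ ($3.5 \ge 1.5$), which is the quantitative trace of $Z'$ not being a mub. The $P^Z$ returned by `join_mub` carries the $\eta$ rows with the signs $\frac{1}{2}(c^X - c^Y)$ of Lemma 9; the paper's $Z$ flips some of them, which does not change the zonotope.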