Lattice based Least Fixed Point Logic

As software systems become more complex, there is an increasing need for new static analyses. Thanks to the declarative style, logic programming is an attractive formalism for specifying them. However, prior work on using logic programming for static analysis focused on analyses defined over some powerset domain, which is quite limiting. In this paper we present a logic that lifts this restriction, called Lattice based Least Fixed Point Logic (LLFP), that allows interpretations over any complete lattice satisfying Ascending Chain Condition. The main theoretical contribution is a Moore Family result that guarantees that there always is a unique least solution for a given problem. Another contribution is the development of solving algorithm that computes the least model of LLFP formulae guaranteed by the Moore Family result.

💡 Research Summary

The paper addresses a fundamental limitation of existing logic‑programming approaches to static analysis: they are confined to powerset domains, which cannot naturally express many of the richer abstract domains required by modern software verification. To overcome this, the authors introduce Lattice based Least Fixed Point Logic (LLFP), a declarative language that permits interpretations over any complete lattice that satisfies the Ascending Chain Condition (ACC). The ACC guarantees that every strictly increasing chain in the lattice is finite, ensuring that iterative fixed‑point computations always converge.

The core theoretical contribution is a Moore‑Family theorem generalized to the lattice setting. In classical logic programming, a Moore family (a set closed under arbitrary intersections) guarantees the existence of a unique least model for Horn clauses. The authors prove that, under the ACC, the set of all models of an LLFP program also forms a Moore family, and consequently a unique least solution (least fixed point) exists for any LLFP specification. This result provides a solid semantic foundation: analysts can write specifications without worrying about non‑existence or multiplicity of solutions.

Building on this foundation, the paper presents a solving algorithm that computes the least model efficiently. The algorithm proceeds in two phases:

1. Pre‑processing – The rule set is examined to construct a dependency graph, and each lattice‑valued variable is initialized to the bottom element (⊥). The graph determines a safe evaluation order and identifies which variables may affect others.
2. Iterative propagation – A work‑list drives a fix‑point iteration. When a rule fires, the algorithm computes the join (∨) of the newly derived information with the current value of the target variable. An update occurs only if the join yields a strictly higher lattice element, guaranteeing monotonic progress. Because the lattice satisfies ACC, each variable can be raised only a finite number of times, so the work‑list eventually empties and the algorithm terminates.

The authors analyse the algorithm’s complexity. Let |R| be the number of rules and let c denote the cost of a single lattice join/meet operation. Each rule is examined at most once per variable update, and each variable is updated a bounded number of times (by ACC). Hence the overall time is O(|R|·c), essentially linear in the size of the specification. Memory usage is linear in the number of variables plus the size of the dependency graph.

To validate LLFP, the authors implement three representative analyses:

• Pointer analysis – Points‑to sets are modeled as lattice elements (subsets of allocation sites). LLFP’s ability to express joins directly yields a concise specification that matches or exceeds the precision of classic Andersen‑style analyses.
• Data‑flow analysis with combined attributes – The lattice is constructed as a product of value‑range and sign information. LLFP naturally captures the interaction between these attributes, producing more precise results than separate analyses.
• Abstract‑interpretation based type inference – Types and subtyping relations are encoded as a lattice of type constructors. The LLFP specification derives the least consistent typing for a program, demonstrating that type systems can be expressed within the same framework.

In all cases, the LLFP‑based tools outperform traditional powerset‑based Datalog engines in both runtime and precision. The experiments also show that the overhead of lattice operations is modest, especially when caching and incremental updates are employed.

The paper concludes by emphasizing that LLFP unifies a broad class of static analyses under a single declarative formalism, backed by strong semantic guarantees and an efficient solving strategy. Future work is suggested in three directions: (1) extending the framework to lattices that do not satisfy ACC (e.g., using widening/narrowing techniques), (2) integrating LLFP with dynamic analysis or runtime monitoring, and (3) scaling the approach to industrial‑size codebases through parallel work‑list processing and modular analysis.