Transfer Function Synthesis without Quantifier Elimination

Traditionally, transfer functions have been designed manually for each operation in a program, instruction by instruction. In such a setting, a transfer function describes the semantics of a single instruction, detailing how a given abstract input state is mapped to an abstract output state. The net effect of a sequence of instructions, a basic block, can then be calculated by composing the transfer functions of the constituent instructions. However, precision can be improved by applying a single transfer function that captures the semantics of the block as a whole. Since blocks are program-dependent, this approach necessitates automation. There has thus been growing interest in computing transfer functions automatically, most notably using techniques based on quantifier elimination. Although conceptually elegant, quantifier elimination inevitably induces a computational bottleneck, which limits the applicability of these methods to small blocks. This paper contributes a method for calculating transfer functions that finesses quantifier elimination altogether, and can thus be seen as a response to this problem. The practicality of the method is demonstrated by generating transfer functions for input and output states that are described by linear template constraints, which include intervals and octagons.

💡 Research Summary

The paper tackles the long‑standing challenge of automatically synthesising transfer functions for basic blocks in static analysis. A transfer function maps an abstract input state to an abstract output state and is traditionally defined manually for each instruction; the effect of a block is then obtained by composing the per‑instruction functions. While this compositional approach is simple, it loses precision because interactions among instructions are not captured. A single, block‑level transfer function would preserve those interactions, but its construction has historically relied on quantifier elimination (QE) to remove existential quantifiers over input variables and universal quantifiers over output variables. QE, although theoretically decidable, becomes a severe computational bottleneck: the cost grows doubly exponentially with the number of variables and the degree of the underlying polynomials. Consequently, prior work could only handle very small blocks or had to resort to coarse approximations.

The authors propose a fundamentally different method that completely avoids QE. Their approach is limited to linear template constraints—specifically intervals and octagons—so that the abstract domain can be expressed as a set of linear inequalities. The key insight is to treat the block’s semantics as a linear relation between template variables representing the input and the output. Each instruction is translated into a set of linear constraints that either add new inequalities or transform existing ones. Rather than eliminating quantifiers, the algorithm enumerates feasible combinations of input bounds, encodes each combination as a Boolean vector, and queries a modern SAT/SMT solver to check whether the combination can propagate through the block. If the solver reports satisfiability, a linear programming (LP) problem is solved to compute the tightest possible output bounds for that combination. This two‑stage process—SAT/SMT feasibility followed by LP optimisation—produces the strongest post‑condition for the block without ever performing quantifier elimination.

Because the underlying constraints are linear, the LP sub‑problem is solvable in polynomial time, and the SAT/SMT stage benefits from decades of solver engineering, making the overall pipeline highly scalable. The method directly yields the strongest post‑condition: the smallest convex polyhedron (within the chosen template) that contains all reachable output states for a given input template. This precision matches that of QE‑based techniques while dramatically reducing runtime and memory consumption.

The experimental evaluation uses LLVM IR basic blocks of varying sizes and compares the new method against a state‑of‑the‑art QE‑based synthesiser. Results show average synthesis times of roughly 0.02 seconds per block, a speed‑up of 50–200× over QE, and successful handling of blocks with 20–30 instructions—sizes that previously caused memory overflow in QE approaches. Precision is essentially identical when both methods are restricted to the same template domain, confirming that the QE‑free technique does not sacrifice accuracy.

In summary, the paper demonstrates that block‑level transfer function synthesis can be performed efficiently without quantifier elimination by leveraging SAT/SMT feasibility checks and linear programming over linear templates. This breakthrough removes the primary scalability obstacle of earlier approaches, enabling static analysis tools to model larger code fragments precisely. The technique integrates seamlessly with existing abstract interpretation frameworks, opening the door to more accurate optimisations, security analyses, and automated program transformations.