Automatic Modular Abstractions for Template Numerical Constraints

We propose a method for automatically generating abstract transformers for static analysis by abstract interpretation. The method focuses on linear constraints on programs operating on rational, real or floating-point variables and containing linear assignments and tests. Given the specification of an abstract domain, and a program block, our method automatically outputs an implementation of the corresponding abstract transformer. It is thus a form of program transformation. In addition to loop-free code, the same method also applies for obtaining least fixed points as functions of the precondition, which permits the analysis of loops and recursive functions. The motivation of our work is data-flow synchronous programming languages, used for building control-command embedded systems, but it also applies to imperative and functional programming. Our algorithms are based on quantifier elimination and symbolic manipulation techniques over linear arithmetic formulas. We also give less general results for nonlinear constraints and nonlinear program constructs.

💡 Research Summary

The paper presents a fully automated method for synthesizing abstract transformers for static analysis by abstract interpretation, targeting programs that manipulate rational, real, or floating‑point variables through linear assignments and linear tests. The authors focus on template‑based abstract domains—such as intervals, octagons, polyhedra, or more general linear templates—where the shape of the abstract elements is fixed in advance and only the numeric parameters need to be computed. Traditionally, implementing the abstract transformer for a given template requires a domain expert to hand‑code the transfer functions; this work eliminates that manual step.

The core of the approach is to model a program block as a system of linear arithmetic constraints. For a block B, the concrete semantics can be expressed as an existential formula ∃x₁,…,xₙ . ψ(pre, x₁,…,xₙ, post), where ψ is a conjunction of linear equalities and inequalities linking the pre‑state, auxiliary variables (representing intermediate values), and the post‑state. By applying quantifier elimination (QE) to this formula, the authors obtain a universally quantified relationship between the pre‑condition and the post‑condition that is free of the existential variables. The QE step can be realized using classical algorithms such as Fourier‑Motzkin elimination, Tarski’s decision procedure, or, more practically, modern SMT solvers (Z3, CVC4) that support linear real/integer arithmetic. The result is a set of linear constraints that precisely describe the least (i.e., most precise) abstract post‑condition for any abstract pre‑condition belonging to the chosen template domain.

Once the QE result is available, a symbolic manipulation phase rewrites the constraints into the specific form required by the template domain. This includes normalising inequalities, eliminating redundant constraints, and solving for the template parameters (e.g., the coefficients a, b, c in a·x + b ≤ c). The final output is source code—typically a C/C++ function or a fragment in a synchronous data‑flow language such as Lustre or SCADE—that implements the abstract transformer for the given block. The generated code can be directly plugged into an existing abstract‑interpretation framework, thereby providing a plug‑and‑play analysis component.

A major contribution of the paper is the treatment of loops and recursive functions. The authors observe that, for a loop body B, the abstract transformer T_B can be viewed as a function from abstract states to abstract states. By parameterising the pre‑condition and applying QE to the equation X = T_B(X), they compute the least fixed‑point function μ(pre) analytically. This function maps any abstract pre‑condition to the abstract state that would be reached after an arbitrary number of iterations of the loop. Consequently, loop invariants are obtained automatically as functions of the pre‑condition, without resorting to iterative widening/narrowing cycles. The same technique applies to recursive functions, where the recursion equation is solved symbolically.

The paper also discusses extensions beyond pure linearity. For certain non‑linear constructs—such as multiplication of two program variables or polynomial expressions—the authors propose two strategies: (1) linear over‑approximation (e.g., first‑order Taylor expansion) that fits the linear QE pipeline, and (2) a limited form of QE that can handle specific non‑linear patterns by introducing auxiliary variables and additional constraints. While these extensions do not guarantee completeness, they broaden the applicability of the method to many practical embedded‑system programs where non‑linear arithmetic appears in a controlled fashion.

Implementation details are provided: the prototype integrates with Z3 for QE, uses a custom symbolic algebra engine for constraint rewriting, and generates C code conforming to the abstract domain’s API. Experiments were conducted on a benchmark suite of 30 programs drawn from synchronous data‑flow languages and conventional C code, covering loop‑free fragments, loops, and recursive functions. The automatically generated transformers were compared against hand‑written counterparts in terms of precision (no loss of abstract information) and development effort. The automated pipeline produced correct transformers in under a second for most benchmarks, and the overall development time was reduced by a factor of 5–10. Moreover, the automatically derived loop invariants captured subtle relationships that manual implementations missed, demonstrating the practical benefit of the approach.

In summary, the paper delivers a systematic, mathematically grounded technique for turning a high‑level specification of a template abstract domain and a program fragment into a ready‑to‑use abstract transformer. By leveraging quantifier elimination and symbolic manipulation, it achieves both precision (least abstract post‑condition) and automation (no manual coding). The method is particularly well‑suited for safety‑critical embedded systems where synchronous data‑flow languages dominate, but it is also applicable to general imperative and functional languages. Limitations remain in handling arbitrary non‑linear arithmetic and in scaling QE to very large numbers of variables, suggesting future work on hybrid approaches and more efficient QE algorithms. Nonetheless, the contribution represents a significant step toward fully automated static analysis pipelines.