Algorithm 14 presents a procedure $\alpha^V_{\mathrm{exact}}(\varphi)$ that converges onto an exact representation of $\varphi \in \wp(\wp(V))$ from below.
Prerequisites The procedure is parameterized by two abstract domains: $(G, \sqsubseteq_G)$ for the guards and $(U, \sqsubseteq_U)$ for the updates. For both domains, we assume Galois connections $(\wp(\mathbb{Z}^n), \gamma_G, \alpha_G, G)$ and $(\wp(\mathbb{Z}^n), \gamma_U, \alpha_U, U)$. Further, we require that for each $c \in \mathbb{Z}^n$, there exists $g \in G$ (resp. $u \in U$) such that $c = \gamma_G(g)$ (resp. $c = \gamma_U(u)$).$^1$ Then, the disjunctive completion of either $G$ or $U$ is complete w.r.t. the base semantics expressed using Boolean formulae (cp. [106, Sect. 3.1] and [98]).
Proposition 6.1. Let $c_1, \ldots, c_m \in \mathbb{Z}^n$ and let $(L, \sqsubseteq_L)$ be the power-set of a finite complete lattice as defined above. Since there exist $l_1, \ldots, l_m \in L$ such that $c_i = \gamma_L(l_i)$ for all $i \in \{1, \ldots, m\}$, we have $\{c_1, \ldots, c_m\} = \gamma_L(\bigvee_{i=1}^m l_i) = \bigcup_{i=1}^m \gamma_L(l_i)$.
Of course, the reduced product of $G$ and $U$ is complete w.r.t. Boolean formulae, too (or equivalently, $\wp(\mathbb{Z}^n)$). In the algorithm, we represent guarded updates using the set $T \in \wp(G \times U)$. Then, if $T = \{(g_1, u_1), \ldots, (g_m, u_m) \mid g_i \in G, u_i \in U\}$, the concretization of $T$ is interpreted as $\bigcup_{i=1}^m (\gamma_G(g_i) \cap \gamma_U(u_i))$.
$^1$ All relational domains and also conjunctions of the non-relational ones studied in this dissertation
6.3 Formalization
Iteration The key idea of $\alpha^V_{\mathrm{exact}}(\varphi)$ is to find a model $m$ of $\varphi$ that is not covered by the intermediate result $T$ (line 3), i.e., $m \notin \bigcup_{(g,u) \in T} (\gamma_G(g) \cap \gamma_U(u))$. If such a model $m$ is found, then the procedure attempts to extend an existing guarded update in $T$ without losing precision. It does so by iterating over all elements $(g, u) \in T$, trying to find one that can be generalized towards $(g_{\mathrm{new}}, u_{\mathrm{new}})$ with $g \sqsubset_G g_{\mathrm{new}}$ and $u \sqsubset_U u_{\mathrm{new}}$ without sacrificing completeness (lines 5–14), i.e., $g_{\mathrm{new}} \wedge u_{\mathrm{new}} \models \varphi$.
The completeness criterion of $(g_{\mathrm{new}}, u_{\mathrm{new}})$ with respect to $\varphi$ is straightforwardly specified as $\forall V : (g_{\mathrm{new}} \wedge u_{\mathrm{new}}) \Rightarrow \varphi$ as in line 8. However, putting $(g_{\mathrm{new}} \wedge u_{\mathrm{new}}) \Rightarrow \varphi$ into CNF introduces fresh, existentially quantified variables $T$, which gives an equisatisfiable formula $\psi$ such that $(g_{\mathrm{new}} \wedge u_{\mathrm{new}}) \Rightarrow \varphi \equiv \exists T : \psi$. Rather than testing the formula $\forall V : \exists T : \psi$ for satisfiability, we observe the following equivalence:

$$
\begin{aligned}
\forall V : (g_{\mathrm{new}} \wedge u_{\mathrm{new}}) \Rightarrow \varphi
&\Leftrightarrow \forall V : \neg(g_{\mathrm{new}} \wedge u_{\mathrm{new}}) \vee \varphi \\
&\Leftrightarrow \forall V : (\neg g_{\mathrm{new}} \vee \neg u_{\mathrm{new}}) \vee \varphi \\
&\Leftrightarrow \neg \exists V : \neg((\neg g_{\mathrm{new}} \vee \neg u_{\mathrm{new}}) \vee \varphi) \\
&\Leftrightarrow \neg \exists V : g_{\mathrm{new}} \wedge u_{\mathrm{new}} \wedge \neg\varphi
\end{aligned}
$$

To determine satisfaction of $\forall V : (g_{\mathrm{new}} \wedge u_{\mathrm{new}}) \Rightarrow \varphi$, it thus suffices to put $g_{\mathrm{new}} \wedge u_{\mathrm{new}} \wedge \neg\varphi$ into CNF, which gives an equisatisfiable formula $\psi'$, and test $\exists V : \exists T' : \psi'$ for unsatisfiability. Soundness of the input-output relation $u_{\mathrm{new}}$ subject to $g_{\mathrm{new}}$ comes for free, as it is derived using abstraction, which entails $g_{\mathrm{new}} \wedge \varphi \models u_{\mathrm{new}}$. If such a pair $(g_{\mathrm{new}}, u_{\mathrm{new}})$ that satisfies the completeness criterion is found, the algorithm attempts to generalize it, i.e., find a guard $g_{\mathrm{gen}} \in G$ with $g_{\mathrm{new}} \sqsubset_G g_{\mathrm{gen}}$ such that completeness is preserved, i.e., $\neg\varphi \wedge g_{\mathrm{gen}} \wedge u_{\mathrm{new}}$ is unsatisfiable. Otherwise, if the current model $m$ cannot be combined with an element of $T$ to give a complete approximation of $\varphi$, we extend $T$ disjunctively (lines 15–17). Observe that for domains $(G, \sqsubseteq_G)$ that express ranges, the procedure generalize can be implemented exactly using dichotomic search; this means that for a guard $g_{\mathrm{new}}$ and an update $u_{\mathrm{new}}$, the most general guard $g_{\mathrm{gen}}$ such that $g_{\mathrm{new}} \sqsubseteq_G g_{\mathrm{gen}}$ and $g_{\mathrm{gen}} \wedge u_{\mathrm{new}} \models \varphi$ is found.
Reprise and Reflection It is noteworthy that $\alpha^V_{\mathrm{exact}}(\varphi)$ does not require a formula $\varphi \in \wp(\wp(V))$ on input that is equipped with mode constraints. By way of contrast, the abstractions introduced in Chap. 4 require these encodings of mode combinations. This requirement is finessed by computing exact guards and updates in parallel, rather than separately, introducing a fresh disjunction once precision is lost. This strategy thus entails that an exact representation of $\varphi$ is eventually derived, the drawback being that $\alpha^V_{\mathrm{exact}}(\varphi)$ may be significantly more expensive to compute. Observe too that the procedure is not limited to forward analysis, as it provides formulae that represent direct input-output relations between bit-vectors with the same precision as $\varphi$ does, yet in a human-readable way that does not require the repeated application of a SAT solver to compute the outputs.
6 Complete Transformers
Algorithm 14 $\alpha^V_{\mathrm{exact}}$
 1: $T \leftarrow \{(\bot_G, \bot_U)\}$
 2: $\xi \leftarrow \varphi$
 3: while $\xi$ is satisfiable with model $m$ do
 4:   success $\leftarrow$ false
 5:   foreach $(g, u) \in T$ do
 6:     $g_{\mathrm{new}} \leftarrow g \sqcup_G \alpha^V_G(m)$
 7:     $u_{\mathrm{new}} \leftarrow \alpha^V_U(\varphi \wedge g_{\mathrm{new}})$
        {check for completeness}
 8:     if $\neg\varphi \wedge g_{\mathrm{new}} \wedge u_{\mathrm{new}}$ is unsatisfiable then
 9:       $g_{\mathrm{gen}} \leftarrow$ generalize$(\varphi, g_{\mathrm{new}}, u_{\mathrm{new}})$
10:       $T \leftarrow T \setminus \{(g, u)\} \cup \{(g_{\mathrm{gen}}, u_{\mathrm{new}})\}$
11:       success $\leftarrow$ true
12:       break
13:     end if
14:   end for
15:   if $\neg$success then
16:     $T \leftarrow T \cup \{(\alpha^V_G(m), \alpha^V_U(m))\}$
17:   end if
18:   $\xi \leftarrow \varphi \wedge \neg(\bigvee_{(g,u) \in T} g)$
19: end while
20: return $T$

Optimization Procedure $\alpha^V_{\mathrm{exact}}(\varphi)$ computes complete abstractions that cover all feasible inputs. This approach may lead to a large number of disjuncts (i.e., pairs $(g, u) \in T$), which also depends on the abstract domains used within $\alpha^V_{\mathrm{exact}}(\varphi)$. When the procedure is implemented within abstract interpretation frameworks to infer definitive counterexample traces, deriving a complete transformer is necessary only for reachable states, an over-approximation of which has already been computed using forward fixed-point iteration. A straightforward optimization that does not affect soundness is thus to restrict $\alpha^V_{\mathrm{exact}}(\varphi)$ to the sub-range of reachable states. Given states $s$ and $s'$ on input and output of a block $b$ encoded by $\varphi$, it is then sufficient to compute $\alpha^V_{\mathrm{exact}}(\varphi \wedge s \wedge s')$. This approach is not dissimilar to the technique of Rival [198, Sect. 2.4], who observed that weakest preconditions are often not sufficiently precise. To finesse this problem, he designed a backward transformer as a monotone transfer function of two arguments: (1) an invariant to refine, and (2) an invariant to propagate backwards. Even though not necessary for correctness, there is also no reason why $\varphi$ could not be augmented with mode constraints so as to simplify the formula and the derivation of a complete abstraction.
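To make Algorithm 14 and the disjunct blow-up discussed under Optimization concrete, the following is an added example (not code from the dissertation): it runs the procedure on a constructed 3-bit relation $\varphi$ with interval domains for both guards and updates, replacing the SAT queries of lines 3 and 8 by enumeration over the models of $\varphi$ and the dichotomic search inside generalize by a linear scan.

```python
DOM = range(1 << 3)  # values of a 3-bit vector (constructed toy instance)

def phi_models(f):
    """Constructed relation phi: its models are the pairs (x, f(x))."""
    return {(x, f(x)) for x in DOM}

def join(a, b):
    """Interval join, used on line 6: g_new <- g join alpha_G(m)."""
    if a is None or b is None:
        return a or b
    return (min(a[0], b[0]), max(a[1], b[1]))

def alpha_u(models, g):
    """alpha_U(phi and g_new): interval hull of the outputs reachable under g."""
    ys = [y for (x, y) in models if g[0] <= x <= g[1]]
    return (min(ys), max(ys))

def complete(models, g, u):
    """Line 8: (not phi) and g and u is unsat iff every (x, y) in g x u models phi."""
    return all((x, y) in models
               for x in range(g[0], g[1] + 1) for y in range(u[0], u[1] + 1))

def generalize(models, g, u):
    """Widest guard above g keeping g_gen and u |= phi (linear scan, not dichotomic)."""
    lo, hi = g
    while hi + 1 in DOM and complete(models, (lo, hi + 1), u):
        hi += 1
    while lo - 1 in DOM and complete(models, (lo - 1, hi), u):
        lo -= 1
    return (lo, hi)

def alpha_exact(models):
    """Algorithm 14 with brute-force SAT; returns the guarded updates T."""
    T = [(None, None)]  # (bottom_G, bottom_U)
    while True:
        # line 3: a model of xi = phi and not(any guard) is one no guard covers yet
        uncovered = sorted((x, y) for (x, y) in models
                           if not any(g and g[0] <= x <= g[1] for g, _ in T))
        if not uncovered:
            return T
        m = uncovered[0]
        for i, (g, u) in enumerate(T):          # lines 5-14
            g_new = join(g, (m[0], m[0]))       # alpha_G(m) is the point interval
            u_new = alpha_u(models, g_new)
            if complete(models, g_new, u_new):
                T[i] = (generalize(models, g_new, u_new), u_new)
                break
        else:                                   # lines 15-17: extend T disjunctively
            T.append(((m[0], m[0]), (m[1], m[1])))
```

On the shift relation y = x >> 1 the procedure returns four guarded updates, while on the identity relation it produces one disjunct per input value, which is exactly the growth the Optimization paragraph motivates restricting to reachable states.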