Transfer Function Synthesis without Quantifier Elimination

TL;DR

This paper introduces a novel method for synthesizing transfer functions for program analysis that avoids the computational bottleneck of quantifier elimination, enabling efficient handling of linear constraints like intervals and octagons.

Contribution

It presents a new approach to compute transfer functions without quantifier elimination, improving scalability for program analysis involving linear templates.

Findings

Successfully generates transfer functions for linear constraints.

Avoids the computational bottleneck of quantifier elimination.

Applicable to intervals and octagons.

Abstract

Traditionally, transfer functions have been designed manually for each operation in a program, instruction by instruction. In such a setting, a transfer function describes the semantics of a single instruction, detailing how a given abstract input state is mapped to an abstract output state. The net effect of a sequence of instructions, a basic block, can then be calculated by composing the transfer functions of the constituent instructions. However, precision can be improved by applying a single transfer function that captures the semantics of the block as a whole. Since blocks are program-dependent, this approach necessitates automation. There has thus been growing interest in computing transfer functions automatically, most notably using techniques based on quantifier elimination. Although conceptually elegant, quantifier elimination inevitably induces a computational bottleneck, which limits the applicability of these methods to small blocks. This paper contributes a method for calculating transfer functions that finesses quantifier elimination altogether, and can thus be seen as a response to this problem. The practicality of the method is demonstrated by generating transfer functions for input and output states that are described by linear template constraints, which include intervals and octagons.