Invariant Generation through Strategy Iteration in Succinctly Represented Control Flow Graphs

TL;DR

This paper introduces a novel static analysis technique that computes the strongest possible invariants in template linear constraint domains by strategy iteration, avoiding traditional widening and join operations, with optimal complexity guarantees.

Contribution

It develops a strategy iteration-based method for invariant generation that guarantees the strongest inductive invariants within the domain, improving precision over traditional abstract interpretation techniques.

Findings

Guarantees the strongest inductive invariants within the domain.

Operates with optimal complexity in the second level of the polynomial hierarchy.

Avoids join operators by distinguishing all paths in control flow graphs.

Abstract

We consider the problem of computing numerical invariants of programs, for instance bounds on the values of numerical program variables. More specifically, we study the problem of performing static analysis by abstract interpretation using template linear constraint domains. Such invariants can be obtained by Kleene iterations that are, in order to guarantee termination, accelerated by widening operators. In many cases, however, applying this form of extrapolation leads to invariants that are weaker than the strongest inductive invariant that can be expressed within the abstract domain in use. Another well-known source of imprecision of traditional abstract interpretation techniques stems from their use of join operators at merge nodes in the control flow graph. The mentioned weaknesses may prevent these methods from proving safety properties. The technique we develop in this article addresses both of these issues: contrary to Kleene iterations accelerated by widening operators, it is guaranteed to yield the strongest inductive invariant that can be expressed within the template linear constraint domain in use. It also eschews join operators by distinguishing all paths of loop-free code segments. Formally speaking, our technique computes the least fixpoint within a given template linear constraint domain of a transition relation that is succinctly expressed as an existentially quantified linear real arithmetic formula. In contrast to previously published techniques that rely on quantifier elimination, our algorithm is proved to have optimal complexity: we prove that the decision problem associated with our fixpoint problem is in the second level of the polynomial-time hierarchy.