Goal-directed weakening of abstract interpretation results

Sunae Seo, Hongseok Yang, Kwangkeun Yi, Taisook Han
2007 ACM Transactions on Programming Languages and Systems  
One proposal for automatic construction of proofs about programs is to combine Hoare logic and abstract interpretation. Constructing proofs is in Hoare logic. Discovering programs' invariants is done by abstract interpreters. One problem of this approach is that abstract interpreters often compute invariants that are not needed for the proof goal. The reason is that the abstract interpreter does not know what the proof goal is, so it simply tries to find as strong invariants as possible. These
more » ... nnecessary invariants increase the size of the constructed proofs. Unless the proof-construction phase is notified which invariants are not needed, it blindly proves all the computed invariants. In this article, we present a framework for designing algorithms, called abstract-value slicers, that slice out unnecessary invariants from the results of forward abstract interpretation. The framework provides a generic abstract-value slicer that can be instantiated into a slicer for a particular abstract interpretation. Such an instantiated abstract-value slicer works as a postprocessor to an abstract interpretation in the whole proof-construction process, and notifies to the S. Seo and T. S. Seo et al. next proof-construction phase which invariants it does not have to prove. Using the framework, we designed an abstract-value slicer for an existing relational analysis and applied it on programs. In this experiment, the slicer identified 62%-81% of the computed invariants as unnecessary, and resulted in 52%-84% reduction in the size of constructed proofs. Example 1.1. As an example where abstract interpretation results are stronger than necessary, consider the following assignment sequence with the parity abstract interpretation, which estimates whether each program variable contains an even integer or an odd integer: x := 4x; x := 2x. 1 We explain this further in Section 5. The estimated invariants from the abstract interpretation for variable x are: x := 4x; even x := 2x even . Suppose we are interested in constructing a proof that variable x at the end is an even integer. Then the invariant "even" after the first assignment, which means x is an even integer, is stronger than needed; just is enough. This is because for the second assignment, Hoare triple {true}x := 2x{∃n.x = 2n} can be derived and this triple is enough to construct the intended proof: That is, the following invariants, weaker than the original results, are just enough for our proof goal: x := 4x; x := 2x even . Example 1.2. Similarly, as another example where useless invariants occur in the results of an abstract interpretation, consider the following program, again with the parity abstract interpretation.
doi:10.1145/1286821.1286830 fatcat:afpyhtja6bcq7b3f6jba6pe5ni