1. Lifting Abstract Interpreters to Quantified Logical Domains (POPL’08)
Presented by
M.Raveendra Kumar
Some of the slides adopted from author’s presentations

2. Motivating Example a[0] = 0; for (i=1; i<n; i++) a[i] = 0;
Post condition:
i  n  a[0] = 0
"At past POPLs, we've seen fairly powerful domains for reasoning using LA+UFS and the like. When applied to this example, those domains give poor results. ... The problem arises because they can only refer to a bounded number of locations (variables for example). To state a fact about every array element, we need quantifiers." Say loop unrolled for explanatory purposes.
 k (0 ≤ k < i  a[k] = 0)
Invariant:
1 ≤ i < n  k (0 ≤ k < i  a[k] = 0)

3. How are Quantifiers Useful?
Reasoning about arrays
k (0 ≤ k < STRLEN(s)  s[k]  '!')
j, k (0 ≤ j < k < n  a[j] ≤ a[k])
Reasoning about pointer-based data structures
u (R(hd, u)  R(u, tl)  udata = 0) means list is initialized from hd to tl
Security properties
Sorting
"There are many other places where quantifiers are useful." u v
R(u, v)

4. Outline Logical AI Quantified abstract domain Abstract interpretation
Partial order
Templates & Quantifier introduction
Abstract interpretation
Join
Transformers
Soundness & correctness
Termination
Under-approximation algorithms

5. Logical Abstract Interpretation
Logical Abstract Interpretation refers to the case when
D = logical formulas over theory T
⊑ = logical implication relationship, i.e., E ⊑ E’ iff E ⟹T E’
We will examine following examples of logical interpretation
D consists of finite conjunctions of atomic facts over T.
Combination of Linear Arithmetic and Uninterpreted Functions
D consists of universally quantified formulas over T which is our main topic
Abstract Interpretation of a program involves interpreting the program over abstract values from some abstract domain D equipped with a partial order ⊑

6. Transfer Functions for Logical A.I
G =Postcondition(y := e, G’)
= ⌈ ∃y’: G’[y’/y] ⋀ y=e[y’/y] ⌉
y := e G’
Assignment Node
G =Join(G1,G2)
= ⌈G1⋁G2⌉ G2 G1
Join Node
G2 = G’⋀¬:g g
True
False G’
G1 = G’⋀ g
Conditional Node
An abstract interpreter computes abstract values or facts at each program point from facts at preceding program points using appropriate transfer fns.
TFs for a logical AI thus involve providing operators for over-approximating disjunction and existential quantifier elimination.

7. Quantified Domain

8. Lattice element 𝐺=𝛦 ⋀ 𝑗=1 𝑛 ∀𝑈 𝑗 ( 𝐹 𝑗 ⇒ 𝑒 𝑗 )
𝐺=𝛦 ⋀ 𝑗=1 𝑛 ∀𝑈 𝑗 ( 𝐹 𝑗 ⇒ 𝑒 𝑗 )
G is an element of quantified domain 𝓓⩝
E , Fj , and ej are quantifier free facts from conjunctive domains 𝓓𝓪, 𝓓𝓫, and 𝓓𝓬.
These “base” domains are parameters to quantified domain.
Partial order, join operator and TFs of quantified defined in terms of “base” domain operators.
Conjunctive domains : each domain element is a conjunction of automatic facts of form p(t1,….tn) or its negation. P can be predicate such as =, <, or reachability.

9. Concreate Semantics A program state 𝜌∈ 𝛾 𝒟 ∀ 𝐺 iff,
𝜌∈ 𝛾 𝒟 𝑎 𝐸 , and
For every 𝑖, if 𝜌 ′ is an extension of state 𝜌 with assignment to variables in 𝑈 𝑖 such that 𝜌 ′ ∈ 𝛾 𝒟 𝑏 𝐹 𝑖 , then, 𝜌 ′ ∈ 𝛾 𝒟 𝑐 𝑒 𝑖
In going forward we use “base” domains 𝒟 ≔𝒟 𝑎 = 𝒟 𝑏 = 𝒟 𝑐

10. Running Example a[0] = 0; for (i=1; i<n; i++) a[i] = 0; .. i = 0; a
Program State .. a i 3 n 50

11. Partial order (⊑⩝) Ideal partial order : G1 ⊑⩝ G2 if G1 ⟹⩝ G2 Issues
Depends on base domain partial order
Induction to prove implication
Things to say: (1) Implication is ideal order, but we are incomplete; stuff like induction is not handled. (2) Second rule is analogous to function subtyping (since B in a negative position). (3) We use environment in doing subtyping rule. Say I'll assume in rest of presentation that we use one base domain. Also, all examples are with one quantifier, but in general we support many.

12. Partial order definition
E  U.(F  e) ⊑⩝ E'  U.(F'  e')
if E ⊑ E'
E 
e ⊑e' 2.
U.(F  e)
U. (F'  e')
Things to say: (1) Implication is ideal order, but we are incomplete; stuff like induction is not handled. (2) Second rule is analogous to function subtyping (since B in a negative position). (3) We use environment in doing subtyping rule. Say I'll assume in rest of presentation that we use one base domain. Also, all examples are with one quantifier, but in general we support many.
E 
F' ⊑ F

13. ⊑ ∀ Example 𝑖=1 ⋀∀𝑘 𝑘=0 ⟹𝐴 𝑘 =0 1≤𝑖≤2⋀∀𝑘 0≤𝑘<𝑖 ⟹𝐴 𝑘 =0 𝑖=1⊑1≤𝑖≤2
𝑖=1∧0≤𝑘<𝑖⊑𝑘=0
𝑖=1∧𝐴 𝑘 =0 ⊑𝐴[𝑘]=0

14. Example ⊑ .. a .. a 0 ≤𝑖<3 ∧ ∀𝑘(0≤𝑘<𝑖⇒𝑎 𝑘 =0).. a
0 ≤𝑖<3 ∧ ∀𝑘(0≤𝑘<𝑖⇒𝑎 𝑘 =0) ⊑ .. a
0 ≤𝑖<4 ∧ ∀𝑘(0≤𝑘<𝑖⇒𝑎 𝑘 =0)

15. Abstract Interpreter - Overview
Quantifier introduction
Templates
Move facts from environment into quantified fact
Join computes ⌈⋁⌉ of two quantified facts which involves ⌊⋀⌋ of their quantifier guards
Assignment transfer function
∃ quantifier elimination
Conditional transfer functions
Termination

16. Quantifier Introduction
Quantified facts are drawn from standard facts in E
User gives set of templates to guide quantification
Experiments show that few templates are needed
b[0] = 0
b[0] ≤ b[1]
k (k = 0  b[k] = 0)
j, k (j = 0  k = 1  b[j] ≤ b[k])
Env fact
Template
Quantified fact (result)
A[*] = c
Can think of templates as defn of RHS domain.
b[0] = 0
k(k = 0  b[k] = 0)
A[*] ≤ A[*]
b[0] ≤ b[1]
j, k (j = 0  k = 1  b[j] ≤ b[k])

17. Join
Ideal Join : GL⋁GR GL GR

18. Not in the desired quantified fact form
Ideal Join
GL= EL  V.(FL  eL) ⊔⩝
GR = ER  V.(FR  eR)
EL  ¬ER ⟹ FL
¬EL  ER ⟹ FR
EL  ER ⟹ FLFR
Not in the desired quantified fact form
Valuations for quantified vars (FL,FR)
Valuations to Environment Vars (EL,ER)

19. Join G⩝ GL⋁GR GL GR Soundness : GL ⟹ G⩝ and GR ⟹ G⩝
Completeness : if G# s.t GL ⊑⩝ G# and GR ⊑⩝ G#, then G⩝ ⊑⩝ G#

20. Joining Quantifiers Result must be above both inputs in ⊔⩝, so:
Goal: (EL  U.(FL  eL)) ⊔⩝ (ER  U. (FR  eR))
Result must be above both inputs in ⊔⩝, so:
EL  U.(FL  eL) ⊑⩝ E  U.(F  e)
ER  U.(FR  eR) ⊑⩝ E  U.(F  e)
Based on ⊑⩝ definition:
1. EL ⊑ E and ER ⊑ E
so E = EL ⊔ ER 2.
EL  eL ⊑ e
ER  eR ⊑ e
U.(FL  eL)
F. (F  e)
U.(FR  eR)
EL  F ⊑ FL
ER  F ⊑ FR

21. Joining Quantifiers e = (EL  eL) ⊔ (ER  eR) Rewriting for F:
U.(FL  eL)
F. (F  e)
EL  eL ⊑ e
EL  F ⊑ FL
U.(FR  eR)
ER  eR ⊑ e
ER  F ⊑ FR
e = (EL  eL) ⊔ (ER  eR)
Rewriting for F:
Best solution for F = (EL  FL)  (ER  FR)
If it's not in domain, pick best under-approximation
F ⊑ EL  FL and F ⊑ ER  FR
Why ?
Mention near end at that it's really interesting! "One of the main contributions of this paper is to identify under-approx as the core of the quantification problem. It's used in all our transfer functions.“
F and E implies F i.e. F implies E implies F
or, F ⊑ EL  FL and F ⊑ ER  FR

22. Quantified Join Algorithm
Join⩝ (EL  ⋀iUi.(FiL  eiL)) ⊔⩝ (ER  ⋀i Ui. (FiR  eiR)
result := Join𝒟 (EL , ER)
forall i,j
F = ⌊ EL  FiL ⋀ ER FiR ⌋
e = Join𝒟 (EL ⋀ eiL, ER ⋀ eiR)
result := result ⋀ U(F  e )
return result;

23. ⊔ ∀ Join - Example 𝑖=1 ⋀∀𝑘 𝑘=0 ⟹𝐴 𝑘 =0 𝑖=2 ⋀∀𝑘 0≤𝑘<1 ⟹𝐴 𝑘 =0
𝑖=1⊔𝑖=2≈1≤𝑖≤2
𝑖=1⇒𝑘=0 ∧𝑖=2 ⇒0≤𝑘<1 ≈0≤𝑘<𝑖
𝑖=1∧𝐴 𝑘 =0 ⊔𝑖=2∧𝐴 𝑘 =0≈𝐴 𝑘 =0
Requires Abduction

24. AI Example A[0] := 0; i := 1 i < n T F A[i] := 0; i := i+1 true
i = 1  A[0] = 0 ?
i = 2  A[0] = 0  A[1] = 0 ?
i = 1  A[0] = 0 ?
i < n
Issue: This sort of assumes 1 < n T F ?
i = 1  A[0] = 0 ?
A[i] := 0; i := i+1 24

25. AI Example A[0] := 0; i := 1 Join Algorithm i < n i < n T T F F
true
A[0] := 0; i := 1
Join Algorithm
i = 1  A[0] = 0
i = 1  A[0] = 0
i = 2  A[0] = 0  A[1] = 0
i = 1  A[0] = 0
i = 1  A[0] = 0
i = 1  A[0] = 0
i = 2  A[0] = 0  A[1] = 0
i < n
i < n
i = 1  A[0] = 0
Issue: This sort of assumes 1 < n T T F F
1  i  2  A[0] = 0 ?
i = 1  A[0] = 0
A[i] := 0; i := i+1 25

26. AI Example A[0] := 0; i := 1 Join Algorithm i < n i < n T T F F
true
A[0] := 0; i := 1
Join Algorithm
i = 1  A[0] = 0
i = 1  A[0] = 0
i = 2  A[0] = 0  A[1] = 0
i = 1  A[0] = 0
i = 2  A[0] = 0  A[1] = 0
i = 1  A[0] = 0
i = 1  A[0] = 0
i = 1 
k(k = 0  A[k] = 0)
i = 2 
k(0  k  1  A[k] = 0)
i < n
i < n
i = 1  A[0] = 0
Issue: This sort of assumes 1 < n T T F F ?
i = 1  A[0] = 0
1  i  2  k(0  k < i  A[k] = 0)
A[i] := 0; i := i+1 26

27. AI Example A[0] := 0; i := 1 i < n T F A[i] := 0; i := i+1 true
k(0  k < i  A[k] = 0)
i = 1  k(k = 0  A[k] = 0)
1  i  k(0  k < i  A[k] = 0)
i < n T F
1  i < n 
k(0  k < i  A[k] = 0)
i  n 
k(0  k < i  A[k] = 0)
A[i] := 0; i := i+1 27

28. Assignment Transfer function
Eliminate 𝓵

29. Assignment TF Key observation :
If G is quantified fact before assignment statement y := exp
and G’ = Eliminate⩝(G, y) is fact after eliminating y from G
Then G ⊑⩝ G’
For a moment assume y does not effect terms involving quantifier variables.
E ⇒ E’ , therefore E’ = Eliminate(E, y)
E ⋀ F’ ⇒ F, therefore F’ = ⌊⩝y(E ⇒ F)⌋
E ⋀ e ⇒ e’, therefore e’ = Eliminate(E ⋀ e, y)

30. Assignment TF - Eliminate⩝
Eliminate ⩝(G, y):
Let G be E ⋀ ⩝U(F ⇒ e)
T := { t | t occurs in F or e; Vars(t) ∩ U  ∅ }
F := F ∧ ⋀t∈TNotEffect(<y,G>, t);
E’ := EliminateD(E,y);
e’ := EliminateD(e∧E,y);
F’ := ⩝y(E⇒F)
return (E’ ⋀ ⩝U(F’ ⇒ e’))
NotEffect(<y,G>, t) denotes a constraint g s.t. G ∧ g implies that y does not affect t.

31. Eliminating ∃ Fix F : Eliminate affected instances
Fix F : Eliminate y from F
Fix e : Eliminate y from e – Provided by base domain
Fix E : Eliminate y from E – Provided by base domain

32. Remove affected instances
{G ∶=∀𝑖(0≤𝑖 <10⇒𝐴 𝑖 =0)}
s: A[0] = 1
{G ′ ∶=?}
Remove only instances that are impacted and leave the rest as is
𝐹 ′ =0≤𝑖 <10 𝑖 ≠0

33. Eliminate y from F {G ∶=𝑖≥𝑛 ∧ ∀𝑘 0≤𝑘<𝑖⇒𝐴 𝑘 =0 } s : 𝑖=0 G ′ ∶=?
Removing i from the guard (and E) is not sound (why ??)
Solution: Under approximate universal quantification
𝐹′⇒∀𝑖 𝐸⇒𝐹
𝐹 ′ =⌊∀𝑖(𝑖≥𝑛⇒ 0≤𝑘<𝑖) ⌋
𝐹 ′ ≔ 0≤𝑘<𝑛

34. Example
Let G = (F[0]>10 ∧⩝k: 0·k<F[0] ⇒ F[k]>F[0] ) Then Eliminate ⩝(G, F[0]) = true ∧ ⩝k: F’⇒ e’, where T = { k, F[k] } NotEffect(<F[0],G>, F[k]) = k0 NotEffect(<F[0],G>, F[k]) = true F1 = 0·k<F[0] ∧ k  0 ∧ true = 1≤k<F[0] F’ = ⌊⩝F[0]: F[0]>10 ⇒ 1·k<F[0]⌋ = 1 ≤ k<10 e’ = Eliminate(F[k]>F[0] ∧ F[0]>10, F[0]) = F[k]<10

35. Widening and termination
Look at the paper

36. Under-approximation of Operators
We need Under-approximation operators for
⌊⋀⌋ during join operation
⌊⋁⌋ during quantifier merging (not covered)
⌊⩝⌋ during quantifier elimination
Issues
Under-approximation results should be in conjunctive domain.
Under-approximations should be in the context of environment and two inputs may different inputs. ⩝

37. Solution - Abduction
Process of reasoning of a fact (observations) with assumptions given a set of assumed facts (knowledge).
F = abduct( E,F’) where F’ is a given base fact; formally E ∧ F ⇒ F’
⌊⋀⌋((F1,E1),(F2,E2)) := abduct(E1,F1) ∩ abduct(E2,F2)

38. ⌊⋀⌋ Algorithm F’’ = ⌊⋁⌋ ((F1∧E1),(F2 ∧ E2)) F = ∧ ((F1,E1),(F2,E2))

39. Example Example 2 𝐸 1 ≔𝑖=1 𝐹 1 ≔𝑗=0 𝐸 2 ≔𝑖=2 𝐹 1 ≔0 ≤𝑗<2
𝐸 1 ≔𝑖=1 𝐹 1 ≔𝑗=0
𝐸 2 ≔𝑖=2 𝐹 1 ≔0 ≤𝑗<2
Ans : 0 ≤𝑗<𝑖

40. Abduction
Key Observation

41. ⌊⩝⌋ Algorithm
Key Observation