Fast Polyhedra Abstract Domain Gagandeep Singh Markus Pschel - - PowerPoint PPT Presentation

Gagandeep Singh Markus Püschel Martin Vechev Department of Computer Science ETH Zurich

Fast Polyhedra Abstract Domain

Polyhedra Domain Analysis

Automatic Discovery of Linear Restraints Among Variables of a Program, POPL’78

Polyhedra Domain Analysis

Automatic Discovery of Linear Restraints Among Variables of a Program, POPL’78

Introduced by Patrick Cousot and Nicolas Halbwachs Represents linear constraints between program variables

Patrick Cousot Nicolas Halbwachs

Polyhedra Domain Analysis

Automatic Discovery of Linear Restraints Among Variables of a Program, POPL’78

Introduced by Patrick Cousot and Nicolas Halbwachs Represents linear constraints between program variables

y ≤ 3

• x ≤ 2

Patrick Cousot Nicolas Halbwachs

Polyhedra Domain Analysis

Polyhedra Domain Analysis

if(*){ y:=2x-1; } else{ y:=2x-2; } assert(y<=2x);

Polyhedra Domain Analysis

if(*){ y:=2x-1; } else{ y:=2x-2; }

Abstract Domain Can Prove the Assertion? Interval ❌ Pentagon ❌ Zones ❌ Octagon ❌ Polyhedra ✅

assert(y<=2x);

Polyhedra Domain Analysis

if(*){ y:=2x-1; } else{ y:=2x-2; }

Abstract Domain Can Prove the Assertion? Interval ❌ Pentagon ❌ Zones ❌ Octagon ❌ Polyhedra ✅

assert(y<=2x);

Polyhedra analysis: time and space exponential in number of variables

This work: contributions

This work: contributions

Online decomposition: reduction in space and time without losing precision

This work: contributions

Online decomposition: reduction in space and time without losing precision Constant factor improvements via reduced operation count and cache optimizations

This work: contributions

Online decomposition: reduction in space and time without losing precision Constant factor improvements via reduced operation count and cache optimizations

elina.ethz.ch

Complete end-to-end implementation

This work: contributions

Online decomposition: reduction in space and time without losing precision Constant factor improvements via reduced operation count and cache optimizations

elina.ethz.ch

Complete end-to-end implementation

Driver NewPolka PPL ELINA

• 500 var
• 39K LOC

OOM (> 12 GB) OOM (> 12 GB) 4 sec 0.9 GB

• 650 var
• 25K LOC

TO (> 4 hr) TO (> 4 hr) 2 sec 0.4 GB

Double Representation of Polyhedron

x1

x2 = 2

x2

𝒟 = {-x2 ≤ -2, x2 ≤ 2x1} m: number of constraints Constraints(⊔) easy with the Generators

Double Representation of Polyhedron

x1

x2 = 2

x2

𝒟 = {-x2 ≤ -2, x2 ≤ 2x1} m: number of constraints

x1 x2

Vertices 𝒲 = {(1,2)}, Rays ℛ = {(1,2), (1,0)}, Lines 𝒶 = ∅ g: number of generators

(1,2) (1,0)

Generators (⊔) easy with the Generators Constraints(⊔) easy with the Generators

Double Representation of Polyhedron

Asymptotic Time Complexity of Polyhedra

Asymptotic Time Complexity of Polyhedra

Operator Constraints Generators Both

Join (⊔) exp(n,m) Ο(𝑜𝑕) Ο(𝑜𝑕) Meet (⊓) Ο(𝑜𝑛) exp(n,g) Ο(𝑜𝑛) Inclusion (⊑) exp(n,m) exp(n,g) Ο(𝑜𝑕𝑛) Assignment Ο(𝑜𝑛2) Ο(𝑜𝑕) Ο(𝑜𝑕) Conditional Ο(𝑜) exp(n,g) Ο(𝑜)

Asymptotic Time Complexity of Polyhedra

Operator Constraints Generators Both

Join (⊔) exp(n,m) Ο(𝑜𝑕) Ο(𝑜𝑕) Meet (⊓) Ο(𝑜𝑛) exp(n,g) Ο(𝑜𝑛) Inclusion (⊑) exp(n,m) exp(n,g) Ο(𝑜𝑕𝑛) Assignment Ο(𝑜𝑛2) Ο(𝑜𝑕) Ο(𝑜𝑕) Conditional Ο(𝑜) exp(n,g) Ο(𝑜) Constraints Generators exp(n,m) exp(n,g)

Key Idea: Online Decomposition

Key Idea: Online Decomposition

{𝒚𝟐 ≤ 𝟑𝒚𝟑, 𝒚𝟑 = 𝟑, 𝒚𝟐 + 𝒚𝟑 + 𝟑𝒚𝟒 ≤ 𝟔, 𝒚𝟓 - 𝒚𝟔 ≤ 𝟒, 𝒚𝟔 = 𝟐, 𝒚𝟕 = 𝟑}

Polyhedron

Key Idea: Online Decomposition

{𝒚𝟐 ≤ 𝟑𝒚𝟑, 𝒚𝟑 = 𝟑, 𝒚𝟐 + 𝒚𝟑 + 𝟑𝒚𝟒 ≤ 𝟔, 𝒚𝟓 - 𝒚𝟔 ≤ 𝟒, 𝒚𝟔 = 𝟐, 𝒚𝟕 = 𝟑}

Polyhedron

{𝒚𝟐 ≤ 𝟑𝒚𝟑, 𝒚𝟑 = 𝟑, 𝒚𝟐 + 𝒚𝟑 + 𝟑𝒚𝟒 ≤ 𝟔} {𝒚𝟓 - 𝒚𝟔 ≤ 𝟒, 𝒚𝟔 = 𝟐} {𝒚𝟕 = 𝟑}

Set of factors

Key Idea: Online Decomposition

{𝒚𝟐 ≤ 𝟑𝒚𝟑, 𝒚𝟑 = 𝟑, 𝒚𝟐 + 𝒚𝟑 + 𝟑𝒚𝟒 ≤ 𝟔, 𝒚𝟓 - 𝒚𝟔 ≤ 𝟒, 𝒚𝟔 = 𝟐, 𝒚𝟕 = 𝟑}

Polyhedron

{𝒚𝟐 ≤ 𝟑𝒚𝟑, 𝒚𝟑 = 𝟑, 𝒚𝟐 + 𝒚𝟑 + 𝟑𝒚𝟒 ≤ 𝟔} {𝒚𝟓 - 𝒚𝟔 ≤ 𝟒, 𝒚𝟔 = 𝟐} {𝒚𝟕 = 𝟑}

Set of factors Partition (𝜌) = set of blocks

{𝒚𝟐, 𝒚𝟑, 𝒚𝟒} {𝒚𝟓, 𝒚𝟔} {𝒚𝟕}

Key Idea: Online Decomposition

working on smaller Polyhedra enables reduction in space and time

{𝒚𝟐 ≤ 𝟑𝒚𝟑, 𝒚𝟑 = 𝟑, 𝒚𝟐 + 𝒚𝟑 + 𝟑𝒚𝟒 ≤ 𝟔, 𝒚𝟓 - 𝒚𝟔 ≤ 𝟒, 𝒚𝟔 = 𝟐, 𝒚𝟕 = 𝟑}

Polyhedron

{𝒚𝟐 ≤ 𝟑𝒚𝟑, 𝒚𝟑 = 𝟑, 𝒚𝟐 + 𝒚𝟑 + 𝟑𝒚𝟒 ≤ 𝟔} {𝒚𝟓 - 𝒚𝟔 ≤ 𝟒, 𝒚𝟔 = 𝟐} {𝒚𝟕 = 𝟑}

Set of factors Partition (𝜌) = set of blocks

{𝒚𝟐, 𝒚𝟑, 𝒚𝟒} {𝒚𝟓, 𝒚𝟔} {𝒚𝟕}

Permissible Partitions

Permissible Partitions

{𝒚𝟐 ≤ 𝟑𝒚𝟑, 𝒚𝟑 = 𝟑, 𝒚𝟐 + 𝒚𝟑 + 𝟑𝒚𝟒 ≤ 𝟔, 𝒚𝟓 - 𝒚𝟔 ≤ 𝟒, 𝒚𝟔 = 𝟐, 𝒚𝟕 = 𝟑}

Polyhedron

Permissible Partitions

{𝒚𝟐 ≤ 𝟑𝒚𝟑, 𝒚𝟑 = 𝟑, 𝒚𝟐 + 𝒚𝟑 + 𝟑𝒚𝟒 ≤ 𝟔, 𝒚𝟓 - 𝒚𝟔 ≤ 𝟒, 𝒚𝟔 = 𝟐, 𝒚𝟕 = 𝟑}

Polyhedron Best (finest) partition (𝜌)

{𝒚𝟐, 𝒚𝟑, 𝒚𝟒} {𝒚𝟓, 𝒚𝟔} {𝒚𝟕}

Permissible Partitions

{𝒚𝟐 ≤ 𝟑𝒚𝟑, 𝒚𝟑 = 𝟑, 𝒚𝟐 + 𝒚𝟑 + 𝟑𝒚𝟒 ≤ 𝟔, 𝒚𝟓 - 𝒚𝟔 ≤ 𝟒, 𝒚𝟔 = 𝟐, 𝒚𝟕 = 𝟑}

Polyhedron Best (finest) partition (𝜌)

{𝒚𝟐, 𝒚𝟑, 𝒚𝟒} {𝒚𝟓, 𝒚𝟔} {𝒚𝟕} {𝒚𝟐, 𝒚𝟑, 𝒚𝟒} {𝒚𝟓, 𝒚𝟔, 𝒚𝟕}

Permissible partition (𝜌)

Permissible Partitions

{𝒚𝟐 ≤ 𝟑𝒚𝟑, 𝒚𝟑 = 𝟑, 𝒚𝟐 + 𝒚𝟑 + 𝟑𝒚𝟒 ≤ 𝟔, 𝒚𝟓 - 𝒚𝟔 ≤ 𝟒, 𝒚𝟔 = 𝟐, 𝒚𝟕 = 𝟑}

Polyhedron Best (finest) partition (𝜌)

{𝒚𝟐, 𝒚𝟑, 𝒚𝟒} {𝒚𝟓, 𝒚𝟔} {𝒚𝟕} {𝒚𝟐, 𝒚𝟑, 𝒚𝟒} {𝒚𝟓, 𝒚𝟔, 𝒚𝟕}

Permissible partition (𝜌) Invalid partition

{𝒚𝟐, 𝒚𝟑} {𝒚𝟒, 𝒚𝟓, 𝒚𝟔} {𝒚𝟕}

Permissible Partitions

Definition: A partition 𝜌 is permissible for Polyhedron P, if there are no two variables 𝒚𝒋 and 𝒚𝒌 in different blocks of 𝜌 related by a constraint in P

{𝒚𝟐 ≤ 𝟑𝒚𝟑, 𝒚𝟑 = 𝟑, 𝒚𝟐 + 𝒚𝟑 + 𝟑𝒚𝟒 ≤ 𝟔, 𝒚𝟓 - 𝒚𝟔 ≤ 𝟒, 𝒚𝟔 = 𝟐, 𝒚𝟕 = 𝟑}

Polyhedron Best (finest) partition (𝜌)

{𝒚𝟐, 𝒚𝟑, 𝒚𝟒} {𝒚𝟓, 𝒚𝟔} {𝒚𝟕} {𝒚𝟐, 𝒚𝟑, 𝒚𝟒} {𝒚𝟓, 𝒚𝟔, 𝒚𝟕}

Permissible partition (𝜌) Invalid partition

{𝒚𝟐, 𝒚𝟑} {𝒚𝟒, 𝒚𝟓, 𝒚𝟔} {𝒚𝟕}

Partition of Variable Set: Summary

Partition of Variable Set: Summary

The set of all partitions of variable set 𝒴 form a lattice ordered by “finer than” (<) relation The best (finest) partition 𝜌𝑄 for Polyhedron P is unique Any 𝜌, s.t., 𝜌𝑄 < 𝜌, is permissible An unconstrained variable 𝑦𝑗 yields a singleton set {𝑦𝑗} in the partition

Partition of Variable Set: Summary

The set of all partitions of variable set 𝒴 form a lattice ordered by “finer than” (<) relation The best (finest) partition 𝜌𝑄 for Polyhedron P is unique Any 𝜌, s.t., 𝜌𝑄 < 𝜌, is permissible An unconstrained variable 𝑦𝑗 yields a singleton set {𝑦𝑗} in the partition Challenge: maintain permissible partitions for > 30 operators

Operator: Conditional

Operator: Conditional

Definition: Let 𝜌 be a partition and ℬ be a block, then 𝜌 ↑ ℬ is the finest partition 𝜌’ such that 𝜌 ⊑ 𝜌’ and ℬ is a subset of an element of 𝜌’ Theorem (finest partition after conditional): If O ≠⊥ and let ℬ be block containing all variables appearing in the conditional, then 𝜌𝑃 = 𝜌𝑄 ↑ ℬ

Operator: Conditional

Definition: Let 𝜌 be a partition and ℬ be a block, then 𝜌 ↑ ℬ is the finest partition 𝜌’ such that 𝜌 ⊑ 𝜌’ and ℬ is a subset of an element of 𝜌’ Theorem (finest partition after conditional): If O ≠⊥ and let ℬ be block containing all variables appearing in the conditional, then 𝜌𝑃 = 𝜌𝑄 ↑ ℬ

{𝒚𝟐 ≤ 𝟑𝒚𝟑, 𝒚𝟑 = 𝟑, 𝒚𝟐 + 𝒚𝟑 + 𝟑𝒚𝟒 ≤ 𝟔} {𝒚𝟓 - 𝒚𝟔 ≤ 𝟒, 𝒚𝟔 = 𝟐} {𝒚𝟕 = 𝟑}

P 𝜌𝑄

{𝒚𝟐, 𝒚𝟑, 𝒚𝟒} {𝒚𝟓, 𝒚𝟔} {𝒚𝟕}

Operator: Conditional

Definition: Let 𝜌 be a partition and ℬ be a block, then 𝜌 ↑ ℬ is the finest partition 𝜌’ such that 𝜌 ⊑ 𝜌’ and ℬ is a subset of an element of 𝜌’ Theorem (finest partition after conditional): If O ≠⊥ and let ℬ be block containing all variables appearing in the conditional, then 𝜌𝑃 = 𝜌𝑄 ↑ ℬ

{𝒚𝟐 ≤ 𝟑𝒚𝟑, 𝒚𝟑 = 𝟑, 𝒚𝟐 + 𝒚𝟑 + 𝟑𝒚𝟒 ≤ 𝟔} {𝒚𝟓 - 𝒚𝟔 ≤ 𝟒, 𝒚𝟔 = 𝟐} {𝒚𝟕 = 𝟑}

P 𝜌𝑄

{𝒚𝟐, 𝒚𝟑, 𝒚𝟒} {𝒚𝟓, 𝒚𝟔} {𝒚𝟕} if( 𝒚𝟑 ≤ 𝟑𝒚𝟓)

Operator: Conditional

Definition: Let 𝜌 be a partition and ℬ be a block, then 𝜌 ↑ ℬ is the finest partition 𝜌’ such that 𝜌 ⊑ 𝜌’ and ℬ is a subset of an element of 𝜌’ Theorem (finest partition after conditional): If O ≠⊥ and let ℬ be block containing all variables appearing in the conditional, then 𝜌𝑃 = 𝜌𝑄 ↑ ℬ

{𝒚𝟐 ≤ 𝟑𝒚𝟑, 𝒚𝟑 = 𝟑, 𝒚𝟐 + 𝒚𝟑 + 𝟑𝒚𝟒 ≤ 𝟔} {𝒚𝟓 - 𝒚𝟔 ≤ 𝟒, 𝒚𝟔 = 𝟐} {𝒚𝟕 = 𝟑}

P 𝜌𝑄

{𝒚𝟐, 𝒚𝟑, 𝒚𝟒} {𝒚𝟓, 𝒚𝟔} {𝒚𝟕}

O 𝜌𝑃

{𝒚𝟐 ≤ 𝟑𝒚𝟑, 𝒚𝟑 = 𝟑, 𝒚𝟐 + 𝒚𝟑 + 𝟑𝒚𝟒 ≤ 𝟔, 𝒚𝟓 - 𝒚𝟔 ≤ 𝟒, 𝒚𝟔 = 𝟐, 𝒚𝟑 ≤ 𝟑𝒚𝟓} {𝒚𝟕 = 𝟑} {𝒚𝟕} {𝒚𝟐, 𝒚𝟑, 𝒚𝟒, 𝒚𝟓, 𝒚𝟔} if( 𝒚𝟑 ≤ 𝟑𝒚𝟓)

Operator: Conditional

Definition: Let 𝜌 be a partition and ℬ be a block, then 𝜌 ↑ ℬ is the finest partition 𝜌’ such that 𝜌 ⊑ 𝜌’ and ℬ is a subset of an element of 𝜌’ Theorem (finest partition after conditional): If O ≠⊥ and let ℬ be block containing all variables appearing in the conditional, then 𝜌𝑃 = 𝜌𝑄 ↑ ℬ

{𝒚𝟐 ≤ 𝟑𝒚𝟑, 𝒚𝟑 = 𝟑, 𝒚𝟐 + 𝒚𝟑 + 𝟑𝒚𝟒 ≤ 𝟔} {𝒚𝟓 - 𝒚𝟔 ≤ 𝟒, 𝒚𝟔 = 𝟐} {𝒚𝟕 = 𝟑}

P 𝜌𝑄

{𝒚𝟐, 𝒚𝟑, 𝒚𝟒} {𝒚𝟓, 𝒚𝟔} {𝒚𝟕}

O 𝜌𝑃

{𝒚𝟐 ≤ 𝟑𝒚𝟑, 𝒚𝟑 = 𝟑, 𝒚𝟐 + 𝒚𝟑 + 𝟑𝒚𝟒 ≤ 𝟔, 𝒚𝟓 - 𝒚𝟔 ≤ 𝟒, 𝒚𝟔 = 𝟐, 𝒚𝟑 ≤ 𝟑𝒚𝟓} {𝒚𝟕 = 𝟑} {𝒚𝟕} {𝒚𝟐, 𝒚𝟑, 𝒚𝟒, 𝒚𝟓, 𝒚𝟔} if( 𝒚𝟑 ≤ 𝟑𝒚𝟓) 𝓒 = {𝒚𝟑, 𝒚𝟓}

Operator: Assignment

Operator: Assignment

{𝒚𝟐 ≤ 𝟑𝒚𝟑, 𝒚𝟑 = 𝟑, 𝒚𝟐 + 𝒚𝟑 + 𝟑𝒚𝟒 ≤ 𝟔} {𝒚𝟓 - 𝒚𝟔 ≤ 𝟒, 𝒚𝟔 = 𝟐} {𝒚𝟕 = 𝟑}

P 𝜌𝑄

{𝒚𝟐, 𝒚𝟑, 𝒚𝟒} {𝒚𝟓, 𝒚𝟔} {𝒚𝟕}

Operator: Assignment

{𝒚𝟐 ≤ 𝟑𝒚𝟑, 𝒚𝟑 = 𝟑, 𝒚𝟐 + 𝒚𝟑 + 𝟑𝒚𝟒 ≤ 𝟔} {𝒚𝟓 - 𝒚𝟔 ≤ 𝟒, 𝒚𝟔 = 𝟐} {𝒚𝟕 = 𝟑}

P 𝜌𝑄

{𝒚𝟐, 𝒚𝟑, 𝒚𝟒} {𝒚𝟓, 𝒚𝟔} {𝒚𝟕} 𝒚𝟑∶= 𝟑𝒚𝟓

Operator: Assignment

{𝒚𝟐 ≤ 𝟑𝒚𝟑, 𝒚𝟑 = 𝟑, 𝒚𝟐 + 𝒚𝟑 + 𝟑𝒚𝟒 ≤ 𝟔} {𝒚𝟓 - 𝒚𝟔 ≤ 𝟒, 𝒚𝟔 = 𝟐} {𝒚𝟕 = 𝟑}

P 𝜌𝑄

{𝒚𝟐, 𝒚𝟑, 𝒚𝟒} {𝒚𝟓, 𝒚𝟔} {𝒚𝟕}

O 𝜌𝑃

{𝒚𝟐 ≤ 𝟓, 𝒚𝟐 + 𝟑𝒚𝟒 ≤ 𝟒, {𝒚𝟕 = 𝟑} {𝒚𝟕} {𝒚𝟐, 𝒚𝟒} 𝒚𝟑∶= 𝟑𝒚𝟓 {𝒚𝟓 - 𝒚𝟔 ≤ 𝟒, 𝒚𝟔 = 𝟐, 𝒚𝟑= 𝟑𝒚𝟓} {𝒚𝟑, 𝒚𝟓, 𝒚𝟔}

Operator: Assignment

Theorem (finest partition after assignment): Let ℬ be block containing all variables appearing for assignment 𝒚𝒋 ≔ 𝒇 , and let 𝜌𝒋 = {𝒴 ∖{𝒚𝒋}, {𝒚𝒋}}, then 𝜌𝑃 = (𝜌𝑄 ⊓ 𝜌𝒋) ↑ ℬ

{𝒚𝟐 ≤ 𝟑𝒚𝟑, 𝒚𝟑 = 𝟑, 𝒚𝟐 + 𝒚𝟑 + 𝟑𝒚𝟒 ≤ 𝟔} {𝒚𝟓 - 𝒚𝟔 ≤ 𝟒, 𝒚𝟔 = 𝟐} {𝒚𝟕 = 𝟑}

P 𝜌𝑄

{𝒚𝟐, 𝒚𝟑, 𝒚𝟒} {𝒚𝟓, 𝒚𝟔} {𝒚𝟕}

O 𝜌𝑃

{𝒚𝟐 ≤ 𝟓, 𝒚𝟐 + 𝟑𝒚𝟒 ≤ 𝟒, {𝒚𝟕 = 𝟑} {𝒚𝟕} {𝒚𝟐, 𝒚𝟒} 𝒚𝟑∶= 𝟑𝒚𝟓 {𝒚𝟓 - 𝒚𝟔 ≤ 𝟒, 𝒚𝟔 = 𝟐, 𝒚𝟑= 𝟑𝒚𝟓} {𝒚𝟑, 𝒚𝟓, 𝒚𝟔}

Operator: Assignment

Theorem (finest partition after assignment): Let ℬ be block containing all variables appearing for assignment 𝒚𝒋 ≔ 𝒇 , and let 𝜌𝒋 = {𝒴 ∖{𝒚𝒋}, {𝒚𝒋}}, then 𝜌𝑃 = (𝜌𝑄 ⊓ 𝜌𝒋) ↑ ℬ

{𝒚𝟐 ≤ 𝟑𝒚𝟑, 𝒚𝟑 = 𝟑, 𝒚𝟐 + 𝒚𝟑 + 𝟑𝒚𝟒 ≤ 𝟔} {𝒚𝟓 - 𝒚𝟔 ≤ 𝟒, 𝒚𝟔 = 𝟐} {𝒚𝟕 = 𝟑}

P 𝜌𝑄

{𝒚𝟐, 𝒚𝟑, 𝒚𝟒} {𝒚𝟓, 𝒚𝟔} {𝒚𝟕}

O 𝜌𝑃

{𝒚𝟐 ≤ 𝟓, 𝒚𝟐 + 𝟑𝒚𝟒 ≤ 𝟒, {𝒚𝟕 = 𝟑} {𝒚𝟕} {𝒚𝟐, 𝒚𝟒} 𝒚𝟑∶= 𝟑𝒚𝟓 {𝒚𝟓 - 𝒚𝟔 ≤ 𝟒, 𝒚𝟔 = 𝟐, 𝒚𝟑= 𝟑𝒚𝟓} {𝒚𝟑, 𝒚𝟓, 𝒚𝟔} 𝓒 = {𝒚𝟑, 𝒚𝟓}

Lattice Operators

Lattice Operators

Theorem (finest partition for ⊑): If 𝑄 ⊑ 𝑅 and 𝑄 ≠⊥, then 𝜌𝑅 ⊑ 𝜌𝑄 Theorem: (finest partition after ⊓): If 𝑄 ⊓ 𝑅 ≠⊥ , then 𝜌𝑃 = 𝜌𝑄 ⊔ 𝜌𝑅 For join (⊔), no general relationship exists between 𝜌𝑃, 𝜌𝑄 and 𝜌𝑅

Operator: Join (⊔)

Operator: Join (⊔)

{𝒚𝟐 − 𝒚𝟑 ≤ 𝟏, 𝒚𝟐 ≤ 𝟏} {𝒚𝟒 = 𝟐}

P 𝜌𝑄

{𝒚𝟐, 𝒚𝟑} {𝒚𝟒}

Operator: Join (⊔)

{𝒚𝟐 − 𝒚𝟑 ≤ 𝟏, 𝒚𝟐 ≤ 𝟏} {𝒚𝟒 = 𝟐}

P 𝜌𝑄

{𝒚𝟐, 𝒚𝟑} {𝒚𝟒}

⊔

Operator: Join (⊔)

{𝒚𝟐 − 𝒚𝟑 ≤ 𝟏, 𝒚𝟐 ≤ 𝟏} {𝒚𝟒 = 𝟐}

P 𝜌𝑄

{𝒚𝟐, 𝒚𝟑} {𝒚𝟒} {𝒚𝟐 ≤ 𝟑} {𝒚𝟒 = 𝟏}

Q 𝜌𝑅

{𝒚𝟐} {𝒚𝟒}

⊔

∅ {𝒚𝟑}

Operator: Join (⊔)

{𝒚𝟐 − 𝒚𝟑 ≤ 𝟏, 𝒚𝟐 ≤ 𝟏} {𝒚𝟒 = 𝟐}

P 𝜌𝑄

{𝒚𝟐, 𝒚𝟑} {𝒚𝟒} {𝒚𝟐 ≤ 𝟑} {𝒚𝟒 = 𝟏}

Q 𝜌𝑅

{𝒚𝟐} {𝒚𝟒}

⊔

∅ {𝒚𝟑} {𝒚𝟐 + 𝟑𝒚𝟒 ≤ 𝟑, −𝒚𝟒 ≤ 𝟏, 𝒚𝟒 ≤ 𝟐} ∅

O 𝜌𝑃

{𝒚𝟐, 𝒚𝟒} {𝒚𝟑}

Operator: Join (⊔)

{𝒚𝟐 − 𝒚𝟑 ≤ 𝟏, 𝒚𝟐 ≤ 𝟏} {𝒚𝟒 = 𝟐}

P 𝜌𝑄

{𝒚𝟐, 𝒚𝟑} {𝒚𝟒} {𝒚𝟐 ≤ 𝟑} {𝒚𝟒 = 𝟏}

Q 𝜌𝑅

{𝒚𝟐} {𝒚𝟒}

⊔

∅ {𝒚𝟑} {𝒚𝟐 + 𝟑𝒚𝟒 ≤ 𝟑, −𝒚𝟒 ≤ 𝟏, 𝒚𝟒 ≤ 𝟐} ∅

O 𝜌𝑃

{𝒚𝟐, 𝒚𝟒} {𝒚𝟑}

𝜌𝑄 ⊔ 𝜌𝑅 = 𝜌𝑄 ≠ 𝜌𝑃

Operator: Join (⊔)

{𝒚𝟐 − 𝒚𝟑 ≤ 𝟏, 𝒚𝟐 ≤ 𝟏} {𝒚𝟒 = 𝟐}

P 𝜌𝑄

{𝒚𝟐, 𝒚𝟑} {𝒚𝟒} {𝒚𝟐 ≤ 𝟑} {𝒚𝟒 = 𝟏}

Q 𝜌𝑅

{𝒚𝟐} {𝒚𝟒}

⊔

∅ {𝒚𝟑} {𝒚𝟐 + 𝟑𝒚𝟒 ≤ 𝟑, −𝒚𝟒 ≤ 𝟏, 𝒚𝟒 ≤ 𝟐} ∅

O 𝜌𝑃

{𝒚𝟐, 𝒚𝟒} {𝒚𝟑}

𝜌𝑄 ⊔ 𝜌𝑅 = 𝜌𝑄 ≠ 𝜌𝑃 𝜌𝑄 ⊓ 𝜌𝑅 = 𝜌𝑅 ≠ 𝜌𝑃

Operator: Join (⊔)

{𝒚𝟐 − 𝒚𝟑 ≤ 𝟏, 𝒚𝟐 ≤ 𝟏} {𝒚𝟒 = 𝟐}

P 𝜌𝑄

{𝒚𝟐, 𝒚𝟑} {𝒚𝟒} {𝒚𝟐 ≤ 𝟑} {𝒚𝟒 = 𝟏}

Q 𝜌𝑅

{𝒚𝟐} {𝒚𝟒}

⊔

∅ {𝒚𝟑} {𝒚𝟐 + 𝟑𝒚𝟒 ≤ 𝟑, −𝒚𝟒 ≤ 𝟏, 𝒚𝟒 ≤ 𝟐} ∅

O 𝜌𝑃

{𝒚𝟐, 𝒚𝟒} {𝒚𝟑}

𝜌𝑄 ⊔ 𝜌𝑅 = 𝜌𝑄 ≠ 𝜌𝑃 𝜌𝑄 ⊓ 𝜌𝑅 = 𝜌𝑅 ≠ 𝜌𝑃

For Join, 𝜌𝑃 depends on both P and Q

Operator: Join (⊔)

Operator: Join (⊔)

Theorem: Let P and Q be two Polyhedra with the same permissible partition 𝜌 = {𝒴1, 𝒴2, . . . , 𝒴𝑠} and let 𝜌 be a permissible partition for the join, that is, 𝜌𝑄⊔𝑅 ⊑ 𝜌. If for any block 𝒴𝑙 ∈ 𝜌, 𝑄𝑙 = 𝑅𝑙, then 𝒴𝑙 ∈ 𝜌

Operator: Join (⊔)

Theorem: Let P and Q be two Polyhedra with the same permissible partition 𝜌 = {𝒴1, 𝒴2, . . . , 𝒴𝑠} and let 𝜌 be a permissible partition for the join, that is, 𝜌𝑄⊔𝑅 ⊑ 𝜌. If for any block 𝒴𝑙 ∈ 𝜌, 𝑄𝑙 = 𝑅𝑙, then 𝒴𝑙 ∈ 𝜌

x2 x1=4 x2=1 x2=2 x1=3 x1=1 x1=2 x2=4 x1=2x

1

x2=-2x1+10 P Q x1 P1 Q1 P2 Q2

Operator: Join (⊔)

Theorem: Let P and Q be two Polyhedra with the same permissible partition 𝜌 = {𝒴1, 𝒴2, . . . , 𝒴𝑠} and let 𝜌 be a permissible partition for the join, that is, 𝜌𝑄⊔𝑅 ⊑ 𝜌. If for any block 𝒴𝑙 ∈ 𝜌, 𝑄𝑙 = 𝑅𝑙, then 𝒴𝑙 ∈ 𝜌

x2 x1=4 x2=1 x2=2 x1=3 x1=1 x1=2 x2=4 x1=2x

1

x2=-2x1+10 P Q x1 P1 Q1 x2 x1=4 x2=1 x2=2 x1=4 x1=1 x1=1 x2=4 P Q x1 P1 Q1 P2 Q2 P2 Q2

Operators with Permissible Partitions

Operators with Permissible Partitions

Theorem (permissible partition after join): Let 𝜌 = 𝜌𝑄 ⊔ 𝜌𝑅 and 𝒱 = {𝒴𝑙 | 𝑄𝑙 = 𝑅𝑙, 𝒴𝑙 ∈ 𝜌}. Then 𝜌𝑄⊔𝑅 = 𝒱 ∪ ⨃𝒰∈𝜌 ∖𝒱𝒰 is permissible for 𝑄 ⊔ 𝑅 Theorem (permissible partition after meet): 𝜌𝑄 ⊔ 𝜌𝑅 is permissible for 𝑄 ⊓ 𝑅 Theorem (permissible partition after conditional): If output O ≠⊥, then, 𝜌𝑄 ↑ ℬ is permissible for conditional Theorem (permissible partition after assignment): 𝜌𝑄 ↑ ℬ is permissible for the output O of assignment

Asymptotic Complexity of Operators with Permissible Partitions

r: number

• f blocks

Operator Before (using both) Our work (using decomposition)

Join (⊔) Ο(𝑜𝑕) Ο(∑𝑗=1

𝑠

𝑜𝑗𝑛𝑗𝑕𝑗 + 𝑜𝑛𝑏𝑦𝑛𝑛𝑏𝑦) Meet (⊓) Ο(𝑜𝑛) Ο(∑𝑗=1

𝑠

𝑜𝑗𝑛𝑗) Inclusion (⊑) Ο(𝑜𝑕𝑛) Ο(∑𝑗=1

𝑠

𝑜𝑗𝑛𝑗𝑕𝑗) Assignment Ο(𝑜𝑕) Ο(𝑜𝑛𝑏𝑦𝑕𝑛𝑏𝑦) Conditional Ο(𝑜) Ο(𝑜𝑛𝑏𝑦) Conversion exp(n,g) exp(𝑜𝑛𝑏𝑦, 𝑕𝑛𝑏𝑦)

Experimental Evaluation

We compared performance of ELINA against NewPolka and PPL Using the Seahorn verification framework [CAV’15]

• written in C, analyzes llvm-bitcode
• produces Polyhedra invariants

> 1500 benchmarks from the software verification competition Time limit: 4 hours Memory limit: 12 GB

Experimental Evaluation

Experimental Evaluation

Experimental Evaluation

Experimental Evaluation

Evaluation

𝑜𝐹𝑀𝐽𝑂𝐵 < 𝑜𝑂𝑓𝑥𝑄𝑝𝑚𝑙𝑏, large speedup as conversion is exponential in n

Related Work

Related Work

• Variable Packing
• Blanchet et al. [PLDI’03]
• decomposition based on syntactic criteria
• loses precision
• Matrix based decomposition
• Halbwachs et al. [FMSD’06]
• does not work with generators
• decomposition too coarse for join

Conclusion

Conclusion

Conclusion

Operator Both Online decomposition Join (⊔) Ο(𝑜𝑕) Ο(∑𝑗=1

𝑠

𝑜𝑗𝑛𝑗𝑕𝑗 + 𝑜𝑛𝑏𝑦𝑛𝑛𝑏𝑦) Meet (⊓) Ο(𝑜𝑛) Ο(∑𝑗=1

𝑠

𝑜𝑗𝑛𝑗) Inclusion (⊑) Ο(𝑜𝑕𝑛) Ο(∑𝑗=1

𝑠

𝑜𝑗𝑛𝑗𝑕𝑗) Assignment Ο(𝑜𝑕) Ο(𝑜𝑛𝑏𝑦𝑕𝑛𝑏𝑦) Conditional Ο(𝑜) Ο(𝑜𝑛𝑏𝑦)

Conclusion

Operator Both Online decomposition Join (⊔) Ο(𝑜𝑕) Ο(∑𝑗=1

𝑠

𝑜𝑗𝑛𝑗𝑕𝑗 + 𝑜𝑛𝑏𝑦𝑛𝑛𝑏𝑦) Meet (⊓) Ο(𝑜𝑛) Ο(∑𝑗=1

𝑠

𝑜𝑗𝑛𝑗) Inclusion (⊑) Ο(𝑜𝑕𝑛) Ο(∑𝑗=1

𝑠

𝑜𝑗𝑛𝑗𝑕𝑗) Assignment Ο(𝑜𝑕) Ο(𝑜𝑛𝑏𝑦𝑕𝑛𝑏𝑦) Conditional Ο(𝑜) Ο(𝑜𝑛𝑏𝑦)

http://elina.ethz.ch

Conclusion

Operator Both Online decomposition Join (⊔) Ο(𝑜𝑕) Ο(∑𝑗=1

𝑠

𝑜𝑗𝑛𝑗𝑕𝑗 + 𝑜𝑛𝑏𝑦𝑛𝑛𝑏𝑦) Meet (⊓) Ο(𝑜𝑛) Ο(∑𝑗=1

𝑠

𝑜𝑗𝑛𝑗) Inclusion (⊑) Ο(𝑜𝑕𝑛) Ο(∑𝑗=1

𝑠

𝑜𝑗𝑛𝑗𝑕𝑗) Assignment Ο(𝑜𝑕) Ο(𝑜𝑛𝑏𝑦𝑕𝑛𝑏𝑦) Conditional Ο(𝑜) Ο(𝑜𝑛𝑏𝑦)

http://elina.ethz.ch

Driver NewPolka PPL ELINA

• 500 var
• 39K LOC

OOM (> 12 GB) OOM (> 12 GB) 4 sec 0.9 GB

• 650 var
• 25K LOC

TO (> 4 hr) TO (> 4 hr) 2 sec 0.4 GB