Improving Strategies via SMT Solving
Authors: Thomas Martin Gawlitza (VERIMAG - IMAG), David Monniaux (VERIMAG - IMAG)
July 24, 2018

Abstract
We consider the problem of computing numerical invariants of programs by abstract interpretation. Our method eschews two traditional sources of imprecision: (i) the use of widening operators for enforcing convergence within a finite number of iterations (ii) the use of merge operations (often, convex hulls) at the merge points of the control flow graph. It instead computes the least inductive invariant expressible in the domain at a restricted set of program points, and analyzes the rest of the code en bloc. We emphasize that we compute this inductive invariant precisely. For that we extend the strategy improvement algorithm of Gawlitza and Seidl [17]. If we applied their method directly, we would have to solve an exponentially sized system of abstract semantic equations, resulting in memory exhaustion. Instead, we keep the system implicit and discover strategy improvements using SAT modulo real linear arithmetic (SMT). For evaluating strategies we use linear programming. Our algorithm has low polynomial space complexity and performs for contrived examples in the worst case exponentially many strategy improvement steps; this is unsurprising, since we show that the associated abstract reachability problem is $\Pi^p_2$-complete.

1 Introduction

Motivation
Static program analysis attempts to derive properties about the run-time behavior of a program without running the program. Among interesting properties are the numerical ones: for instance, that a given variable $x$ always has a value in the range $[12, 41]$ when reaching a given program point. An analysis solely based on such interval relations at all program points is known as interval analysis [11].
More refined numerical analyses include, for instance, finding for each program point an enclosing polyhedron for the vector of program variables [13]. In addition to obtaining facts about the values of numerical program variables, numerical analyses are used as building blocks for e.g. pointer and shape analyses.

* This work was partially funded by the ANR project "ASOPT".
† Both authors from CNRS (Centre national de la recherche scientifique), VERIMAG laboratory. VERIMAG is a joint laboratory of CNRS and Université Joseph Fourier (Grenoble). Email firstname.lastname@imag.fr

However, by Rice's theorem, only trivial properties can be checked automatically [26]. In order to check non-trivial properties we are usually forced to use abstractions. A systematic way for inferring properties automatically w.r.t. a given abstraction is given through the abstract interpretation framework of Cousot and Cousot [12]. This framework safely over-approximates the run-time behavior of a program. When using the abstract interpretation framework, we usually have two sources of imprecision. The first source of imprecision is the abstraction itself: for instance, if the property to be proved needs a non-convex invariant to be established, and our abstraction can only represent convex sets, then we cannot prove the property. Take for instance the C-code

    y = 0; if (x <= -1 || x >= 1) { if (x == 0) y = 1; }

No matter what the values of the variables x and y are before the execution of the above C-code, after the execution the value of y is 0. The invariant $|x| \ge 1$ in the "then" branch is not convex, and its convex hull includes $x = 0$. Any static analysis method that computes a convex invariant in this branch will thus also include $y = 1$. In contrast, our method avoids enforcing convexity, except at the heads of loops.
The second source of imprecision are the safe but imprecise methods that are used for solving the abstract semantic equations that describe the abstract semantics: such methods safely over-approximate exact solutions, but do not return exact solutions in all cases. The reason is that we are concerned with abstract domains that contain infinite ascending chains, in particular if we are interested in numerical properties: the complete lattice of all $n$-dimensional closed real intervals, used for interval analysis, is an example. The traditional methods are based on Kleene fixpoint iteration which (purely applied) is not guaranteed to terminate in interesting cases. In order to enforce termination (for the price of imprecision) traditional methods make use of the widening/narrowing approach of Cousot and Cousot [12]. Grossly, widening extrapolates the first iterations of a sequence to a possible limit, but can easily overshoot the desired result. In order to avoid this, various tricks are used, including "widening up to" [27, Sec. 3.2], "delayed" or with "thresholds" [6]. However, these tricks, although they may help in many practical cases, are easily thwarted. Gopan and Reps [25] proposed "lookahead widening", which discovers new feasible paths and adapts widening accordingly; again this method is no panacea. Furthermore, analyses involving widening are non-monotonic: stronger preconditions can lead to weaker invariants being automatically inferred; a rather non-intuitive behaviour. Since our method does not use widening at all, it avoids these problems.

Our Contribution
We fight both sources of imprecision noted above:

• In order to improve the precision of the abstraction, we abstract sequences of if-then-else statements without loops en bloc. In the above example, we are then able to conclude that $y \neq 0$ holds.
In other words: we abstract sets of states only at the heads of loops, or, more generally, at a cut-set of the control-flow graph (a cut-set is a set of program points such that removing them would cut all loops).

• Our main technical contribution consists of a practical method for precisely computing abstract semantics of affine programs w.r.t. the template linear constraint domains of Sankaranarayanan et al. [42], with sequences of if-then-else statements which do not contain loops abstracted en bloc. Our method is based on a strict generalization of the strategy improvement algorithm of Gawlitza and Seidl [17, 18, 21]. The latter algorithm could be directly applied to the problem we solve in this article, but the size of its input would be exponential in the size of the program, because we then need to explicitly enumerate all program paths between cut-nodes which do not cross other cut-nodes. In this article, we give an algorithm with low polynomial memory consumption that uses exponential time in the worst case. The basic idea consists in avoiding an explicit enumeration of all paths through sequences of if-then-else-statements which do not contain loops. Instead we use a SAT modulo real linear arithmetic solver for improving the current strategy locally. For evaluating each strategy encountered during the strategy iteration, we use linear programming.

• As a byproduct of our considerations we show that the corresponding abstract reachability problem is $\Pi^p_2$-complete. In fact, we show that it is $\Pi^p_2$-hard even if the loop invariant being computed consists in a single $x \le C$ inequality where $x$ is a program variable and $C$ is the parameter of the invariant. Hence, exponential worst-case running-time seems to be unavoidable.
Related Work
Recently, several alternative approaches for computing numerical invariants (for instance w.r.t. template linear constraints) were developed:

Strategy Iteration
Strategy iteration (also called policy iteration) was introduced by Howard for solving stochastic control problems [29, 40] and is also applied to two-players zero-sum games [28, 39, 45] or min-max-plus systems [7]. Adjé et al. [2], Costan et al. [9], Gaubert et al. [16] developed a strategy iteration approach for solving the abstract semantic equations that occur in static program analysis by abstract interpretation. Their approach can be seen as an alternative to the traditional widening/narrowing approach. The goal of their algorithm is to compute least fixpoints of monotone self-maps $f$, where $f(x) = \min\{\pi(x) \mid \pi \in \Pi\}$ for all $x$ and $\Pi$ is a family of self-maps. The assumption is that one can efficiently compute the least fixpoint $\mu\pi$ of $\pi$ for every $\pi \in \Pi$. The $\pi$'s are the (min-)strategies. Starting with an arbitrary min-strategy $\pi^{(0)}$, the min-strategy is successively improved. The sequence $(\pi^{(k)})_k$ of attained min-strategies results in a decreasing sequence $\mu\pi^{(0)} > \mu\pi^{(1)} > \cdots > \mu\pi^{(k)}$ that stabilizes, whenever $\mu\pi^{(k)}$ is a fixpoint of $f$, not necessarily the least one. However, there are indeed important cases, where minimality of the obtained fixpoint can be guaranteed [1]. Moreover, an important advantage of their algorithm is that it can be stopped at any time with a safe over-approximation. This is in particular interesting if there are infinitely many min-strategies [2]. Costan et al. [9] showed how to use their framework for performing interval analysis without widening. Gaubert et al. [16] extended this work to the following relational abstract domains: the zone domain [33], the octagon domain [34] and in particular the template linear constraint domains [42]. Gawlitza and Seidl [17] presented a practical (max-)strategy improvement algorithm for computing least solutions of systems of rational equations. Their algorithm enables them to perform a template linear constraint analysis precisely, even if the mappings are not non-expansive. This means: their algorithm always computes least solutions of abstract semantic equations, not just some solutions.

Acceleration Techniques
Gonnord [23], Gonnord and Halbwachs [24] investigated an improvement of linear relation analysis that consists in computing, when possible, the exact (abstract) effect of a loop. The technique is fully compatible with the use of widening, and whenever it applies, it improves both the precision and the performance of the analysis. Gawlitza et al. [20], Leroux and Sutre [31] studied cases where interval analysis can be done in polynomial time w.r.t. a uniform cost measure, where memory accesses and arithmetic operations are counted for $O(1)$.

Quantifier Elimination
Recent improvements in SAT/SMT solving techniques have made it possible to perform quantifier elimination on larger formulas [36]. Monniaux [37] developed an analysis method based on quantifier elimination in the theory of rational linear arithmetic. This method targets the same domains as the present article; it however produces a richer result. It can not only compute the least invariant inside the abstract domain of a loop, but also express it as a function of the precondition of the loop; the method outputs the source code of the optimal abstract transformer mapping the precondition to the invariant.
Its drawback is its high cost, which makes it practical only on small code fragments; thus, its intended application is modular analysis: analyze very precisely small portions of code (functions, modules, nodes of a reactive data-flow program, ...), and use the results for analyzing larger portions, perhaps with another method, including the method proposed in this article.

Mathematical Programming
Colón et al. [8], Cousot [10], Sankaranarayanan et al. [41] presented approaches for generating linear invariants that use non-linear constraint solving. Leconte et al. [30] propose a mathematical programming formulation whose constraints define the space of all post-solutions of the abstract semantic equations. The objective function aims at minimizing the result. For programs that use affine assignments and affine guards, only, this yields a mixed integer linear programming formulation for interval analysis. The resulting mathematical programming problems can then be solved to guaranteed global optimality by means of general purpose branch-and-bound type algorithms.

2 Basics

Notations
$\mathbb{B} = \{0, 1\}$ denotes the set of Boolean values. The set of real numbers is denoted by $\mathbb{R}$. The complete linearly ordered set $\mathbb{R} \cup \{-\infty, \infty\}$ is denoted by $\overline{\mathbb{R}}$. We call two vectors $x, y \in \overline{\mathbb{R}}^n$ comparable iff $x \le y$ or $y \le x$ holds. For $f : X \to \overline{\mathbb{R}}^m$ with $X \subseteq \overline{\mathbb{R}}^n$, we set $\mathrm{dom}(f) := \{x \in X \mid f(x) \in \mathbb{R}^m\}$ and $\mathrm{fdom}(f) := \mathrm{dom}(f) \cap \mathbb{R}^n$. We denote the $i$-th row (resp. the $j$-th column) of a matrix $A$ by $A_{i\cdot}$ (resp. $A_{\cdot j}$). Accordingly, $A_{i \cdot j}$ denotes the component in the $i$-th row and the $j$-th column. We also use this notation for vectors and mappings $f : X \to Y^k$. Assume that a fixed set $\mathbf{X}$ of variables and a domain $\mathbb{D}$ is given. We consider equations of the form $\mathbf{x} = e$, where $\mathbf{x} \in \mathbf{X}$ is a variable and $e$ is an expression over $\mathbb{D}$.
A system $\mathcal{E}$ of (fixpoint) equations is a finite set $\{\mathbf{x}_1 = e_1, \ldots, \mathbf{x}_n = e_n\}$ of equations, where $\mathbf{x}_1, \ldots, \mathbf{x}_n$ are pairwise distinct variables. We denote the set $\{\mathbf{x}_1, \ldots, \mathbf{x}_n\}$ of variables occurring in $\mathcal{E}$ by $\mathbf{X}_{\mathcal{E}}$. We drop the subscript whenever it is clear from the context. For a variable assignment $\rho : \mathbf{X} \to \mathbb{D}$, an expression $e$ is mapped to a value $\llbracket e \rrbracket\rho$ by setting $\llbracket \mathbf{x} \rrbracket\rho := \rho(\mathbf{x})$ and $\llbracket f(e_1, \ldots, e_k) \rrbracket\rho := f(\llbracket e_1 \rrbracket\rho, \ldots, \llbracket e_k \rrbracket\rho)$, where $\mathbf{x} \in \mathbf{X}$, $f$ is a $k$-ary operator, for instance $+$, and $e_1, \ldots, e_k$ are expressions. Let $\mathcal{E}$ be a system of equations. We define the unary operator $\llbracket \mathcal{E} \rrbracket$ on $\mathbf{X} \to \mathbb{D}$ by setting $(\llbracket \mathcal{E} \rrbracket\rho)(\mathbf{x}) := \llbracket e \rrbracket\rho$ for all $\mathbf{x} = e \in \mathcal{E}$. A solution is a variable assignment $\rho$ such that $\rho = \llbracket \mathcal{E} \rrbracket\rho$ holds. The set of solutions is denoted by $\mathrm{Sol}(\mathcal{E})$.

Let $\mathbb{D}$ be a complete lattice. We denote the least upper bound and the greatest lower bound of a set $X \subseteq \mathbb{D}$ by $\bigvee X$ and $\bigwedge X$, respectively. The least element $\bigvee \emptyset$ (resp. the greatest element $\bigwedge \emptyset$) is denoted by $\bot$ (resp. $\top$). We define the binary operators $\vee$ and $\wedge$ by $x \vee y := \bigvee\{x, y\}$ and $x \wedge y := \bigwedge\{x, y\}$ for all $x, y \in \mathbb{D}$, respectively. For $\circ \in \{\vee, \wedge\}$, we will also consider $x_1 \circ \cdots \circ x_k$ as the application of a $k$-ary operator. This will cause no problems, since the binary operators $\vee$ and $\wedge$ are associative and commutative. An expression $e$ (resp. an equation $\mathbf{x} = e$) is called monotone iff all operators occurring in $e$ are monotone. The set $\mathbf{X} \to \mathbb{D}$ of all variable assignments is a complete lattice. For $\rho, \rho' : \mathbf{X} \to \mathbb{D}$, we write $\rho \lhd \rho'$ (resp. $\rho \rhd \rho'$) iff $\rho(\mathbf{x}) < \rho'(\mathbf{x})$ (resp. $\rho(\mathbf{x}) > \rho'(\mathbf{x})$) holds for all $\mathbf{x} \in \mathbf{X}$. For $d \in \mathbb{D}$, $\underline{d}$ denotes the variable assignment $\{\mathbf{x} \mapsto d \mid \mathbf{x} \in \mathbf{X}\}$. A variable assignment $\rho$ with $\underline{\bot} \lhd \rho \lhd \underline{\top}$ is called finite. A pre-solution (resp. post-solution) is a variable assignment $\rho$ such that $\rho \le \llbracket \mathcal{E} \rrbracket\rho$ (resp. $\rho \ge \llbracket \mathcal{E} \rrbracket\rho$) holds.

The set of all pre-solutions (resp. the set of all post-solutions) is denoted by $\mathrm{PreSol}(\mathcal{E})$ (resp. $\mathrm{PostSol}(\mathcal{E})$). The least fixpoint (resp. the greatest fixpoint) of an operator $f : \mathbb{D} \to \mathbb{D}$ is denoted by $\mu f$ (resp. $\nu f$), provided that it exists. Thus, the least solution (resp. the greatest solution) of a system $\mathcal{E}$ of equations is denoted by $\mu\llbracket \mathcal{E} \rrbracket$ (resp. $\nu\llbracket \mathcal{E} \rrbracket$), provided that it exists. For a pre-solution $\rho$ (resp. for a post-solution $\rho$), $\mu_{\ge\rho}\llbracket \mathcal{E} \rrbracket$ (resp. $\nu_{\le\rho}\llbracket \mathcal{E} \rrbracket$) denotes the least solution that is greater than or equal to $\rho$ (resp. the greatest solution that is less than or equal to $\rho$). From Knaster-Tarski's fixpoint theorem we get: Every system $\mathcal{E}$ of monotone equations over a complete lattice has a least solution $\mu\llbracket \mathcal{E} \rrbracket$ and a greatest solution $\nu\llbracket \mathcal{E} \rrbracket$. Furthermore, $\mu\llbracket \mathcal{E} \rrbracket = \bigwedge \mathrm{PostSol}(\mathcal{E})$ and $\nu\llbracket \mathcal{E} \rrbracket = \bigvee \mathrm{PreSol}(\mathcal{E})$.

Linear Programming
We consider linear programming problems (LP problems for short) of the form $\sup\{c^\top x \mid x \in \mathbb{R}^n, Ax \le b\}$, where $A \in \mathbb{R}^{m \times n}$, $b \in \mathbb{R}^m$, and $c \in \mathbb{R}^n$ are the inputs. The convex closed polyhedron $\{x \in \mathbb{R}^n \mid Ax \le b\}$ is called the feasible space. The LP problem is called infeasible iff the feasible space is empty. An element of the feasible space is called feasible solution. A feasible solution $x$ that maximizes $c^\top x$ is called optimal solution. LP problems can be solved in polynomial time through interior point methods [32, 43]. Note, however, that the running-time then crucially depends on the sizes of occurring numbers. At the danger of an exponential running-time in contrived cases, we can also instead rely on the simplex algorithm: its running-time is uniform, i.e., independent of the sizes of occurring numbers (given that arithmetic operations, comparison, storage and retrieval for numbers are counted for $O(1)$).
SAT modulo real linear arithmetic
The set of SAT modulo real linear arithmetic formulas $\Phi$ is defined through the grammar

$e ::= c \mid x \mid e_1 + e_2 \mid c \cdot e'$, $\quad \Phi ::= a \mid e_1 \le e_2 \mid \Phi_1 \vee \Phi_2 \mid \Phi_1 \wedge \Phi_2 \mid \neg\Phi'$.

Here, $c \in \mathbb{R}$ is a constant, $x$ is a real valued variable, $e, e', e_1, e_2$ are real-valued linear expressions, $a$ is a Boolean variable and $\Phi, \Phi', \Phi_1, \Phi_2$ are formulas. An interpretation $I$ for a formula $\Phi$ is a mapping that assigns a real value to every real-valued variable and a Boolean value to every Boolean variable. We write $I \models \Phi$ for "$I$ is a model of $\Phi$", i.e., $\llbracket c \rrbracket I = c$, $\llbracket x \rrbracket I = I(x)$, $\llbracket e_1 + e_2 \rrbracket I = \llbracket e_1 \rrbracket I + \llbracket e_2 \rrbracket I$, $\llbracket c \cdot e' \rrbracket I = c \cdot \llbracket e' \rrbracket I$, and:

$I \models a \iff I(a) = 1$
$I \models e_1 \le e_2 \iff \llbracket e_1 \rrbracket I \le \llbracket e_2 \rrbracket I$
$I \models \Phi_1 \vee \Phi_2 \iff I \models \Phi_1$ or $I \models \Phi_2$
$I \models \Phi_1 \wedge \Phi_2 \iff I \models \Phi_1$ and $I \models \Phi_2$
$I \models \neg\Phi' \iff I \not\models \Phi'$

A formula is called satisfiable iff it has a model. The problem of deciding, whether or not a given SAT modulo real linear arithmetic formula is satisfiable, is NP-complete. There nevertheless exist efficient solver implementations for this decision problem [15]. In order to simplify notations we also allow matrices, vectors, the operations $\ge, <, >, \neq, =$, and the Boolean constants $0$ and $1$ to occur.

Collecting and Abstract Semantics
The programs that we consider in this article use real-valued variables $x_1, \ldots, x_n$. Accordingly, we denote by $x = (x_1, \ldots, x_n)^\top$ the vector of all program variables. For simplicity, we only consider elementary statements of the form $x := Ax + b$, and $Ax \le b$, where $A \in \mathbb{R}^{n \times n}$ (resp. $\mathbb{R}^{k \times n}$), $b \in \mathbb{R}^n$ (resp. $\mathbb{R}^k$), and $x \in \mathbb{R}^n$ denotes the vector of all program variables. Statements of the form $x := Ax + b$ are called (affine) assignments. Statements of the form $Ax \le b$ are called (affine) guards.
Additionally, we allow statements of the form $s_1; \cdots; s_k$ and $s_1 \mid \cdots \mid s_k$, where $s_1, \ldots, s_k$ are statements. The operator $;$ binds tighter than the operator $\mid$, and we consider $;$ and $\mid$ to be right-associative, i.e., $s_1 \mid s_2 \mid s_3$ stands for $s_1 \mid (s_2 \mid s_3)$, and $s_1; s_2; s_3$ stands for $s_1; (s_2; s_3)$. The set of statements is denoted by $\mathrm{Stmt}$. A statement of the form $s_1 \mid \cdots \mid s_k$, where $s_i$ does not contain the operator $\mid$ for all $i = 1, \ldots, k$, is called merge-simple. A merge-simple statement $s$ that does not use the $\mid$ operator at all is called sequential. A statement is called elementary iff it neither contains the operator $\mid$ nor the operator $;$. The collecting semantics $\llbracket s \rrbracket : 2^{\mathbb{R}^n} \to 2^{\mathbb{R}^n}$ of a statement $s \in \mathrm{Stmt}$ is defined by

$\llbracket x := Ax + b \rrbracket X := \{Ax + b \mid x \in X\}$
$\llbracket Ax \le b \rrbracket X := \{x \in X \mid Ax \le b\}$
$\llbracket s_1; \cdots; s_k \rrbracket := \llbracket s_k \rrbracket \circ \cdots \circ \llbracket s_1 \rrbracket$
$\llbracket s_1 \mid \cdots \mid s_k \rrbracket X := \llbracket s_1 \rrbracket X \cup \cdots \cup \llbracket s_k \rrbracket X$

for $X \subseteq \mathbb{R}^n$. Note that the operators $;$ and $\mid$ are associative, i.e., $\llbracket (s_1; s_2); s_3 \rrbracket = \llbracket s_1; (s_2; s_3) \rrbracket$ and $\llbracket (s_1 \mid s_2) \mid s_3 \rrbracket = \llbracket s_1 \mid (s_2 \mid s_3) \rrbracket$ hold for all statements $s_1, s_2, s_3$. An (affine) program $G$ is a triple $(N, E, \mathbf{st})$, where $N$ is a finite set of program points, $E \subseteq N \times \mathrm{Stmt} \times N$ is a finite set of control-flow edges, and $\mathbf{st} \in N$ is the start program point.

[Figure 1: (a) the affine program $G_1$ with program points $\mathbf{st}, 1, 2, 3, 4, 5$ and edge labels $x_1 := 0$, $x_1 \le 1000$, $x_2 := -x_1$, $x_2 \le -1$, $x_1 := -2x_1$, $x_2 \ge 0$, $x_1 := -x_1 + 1$; (b) the program rewritten w.r.t. the cut-set $\{1\}$, with program points $\mathbf{st}, 1$, the edge $x_1 := 0$ from $\mathbf{st}$ to $1$ and the loop edge $x_1 \le 1000; x_2 := -x_1; (x_2 \le -1; x_1 := -2x_1 \mid x_2 \ge 0; x_1 := -x_1 + 1)$ at $1$.]

As usual, the collecting semantics $V$ of a program $G = (N, E, \mathbf{st})$ is the least solution of the following constraint system:

$V[\mathbf{st}] \supseteq \mathbb{R}^n$
$V[v] \supseteq \llbracket s \rrbracket (V[u])$ for all $(u, s, v) \in E$

Here, the variables $V[v]$, $v \in N$ take values in $2^{\mathbb{R}^n}$. The components of the collecting semantics $V$ are denoted by $V[v]$ for all $v \in N$.
Let $\mathbb{D}$ be a complete lattice (for instance the complete lattice of all $n$-dimensional closed real intervals). Let the partial order of $\mathbb{D}$ be denoted by $\le$. Assume that $\alpha : 2^{\mathbb{R}^n} \to \mathbb{D}$ and $\gamma : \mathbb{D} \to 2^{\mathbb{R}^n}$ form a Galois connection, i.e., for all $X \subseteq \mathbb{R}^n$ and all $d \in \mathbb{D}$, $\alpha(X) \le d$ iff $X \subseteq \gamma(d)$. The abstract semantics $\llbracket s \rrbracket^\sharp : \mathbb{D} \to \mathbb{D}$ of a statement $s$ is defined by $\llbracket s \rrbracket^\sharp := \alpha \circ \llbracket s \rrbracket \circ \gamma$. The abstract semantics $V^\sharp$ of an affine program $G = (N, E, \mathbf{st})$ is the least solution of the following constraint system:

$V^\sharp[\mathbf{st}] \ge \alpha(\mathbb{R}^n)$
$V^\sharp[v] \ge \llbracket s \rrbracket^\sharp (V^\sharp[u])$ for all $(u, s, v) \in E$

Here, the variables $V^\sharp[v]$, $v \in N$ take values in $\mathbb{D}$. The components of the abstract semantics $V^\sharp$ are denoted by $V^\sharp[v]$ for all $v \in N$. The abstract semantics $V^\sharp$ safely over-approximates the collecting semantics $V$, i.e., $\gamma(V^\sharp[v]) \supseteq V[v]$ for all $v \in N$.

Using Cut-Sets to improve Precision
Usually, only sequential statements (these statements correspond to basic blocks) are allowed in control flow graphs. However, given a cut-set $C$, one can systematically transform any control flow graph $G$ into an equivalent control flow graph $G'$ of our form (up to the fact that $G'$ has fewer program points than $G$) with increased precision of the abstract semantics. However, for the sake of simplicity, we do not discuss these aspects in detail. Instead, we consider an example:

Example 1 (Using Cut-Sets to improve Precision). As a running example throughout the present article we use the following C-code:

    int x1, x2;
    x1 = 0;
    while (x1 <= 1000) {
        x2 = -x1;
        if (x2 < 0) x1 = -2 * x1;
        else x1 = -x1 + 1;
    }

This C-code is abstracted through the affine program $G_1 = (N_1, E_1, \mathbf{st})$ which is shown in Figure 1.(a). However, it is unnecessary to apply abstraction at every program point; it suffices to apply abstraction at a cut-set of $G_1$.

Since all loops contain program point $1$, a cut-set of $G_1$ is $\{1\}$. Equivalent to applying abstraction only at program point $1$ is to rewrite the control-flow graph w.r.t. the cut-set $\{1\}$ into a control-flow graph $G$ equivalent w.r.t. the collecting semantics. The result of this transformation is drawn in Figure 1.(b). This means: the affine program for the above C-code is $G = (N, E, \mathbf{st})$, where $N = \{\mathbf{st}, 1\}$, $E = \{(\mathbf{st}, x_1 := 0, 1), (1, s, 1)\}$, and

$s' = x_1 \le 1000; x_2 := -x_1$
$s_1 = x_2 \le -1; x_1 := -2x_1$
$s_2 = -x_2 \le 0; x_1 := -x_1 + 1$
$s = s'; (s_1 \mid s_2)$

Let $V_1$ denote the collecting semantics of $G_1$ and $V$ denote the collecting semantics of $G$. $G_1$ and $G$ are equivalent in the following sense: $V[v] = V_1[v]$ holds for all program points $v \in N$. W.r.t. the abstract semantics, $G$ is, as we will see, strictly more precise than $G_1$. In general we at least have $V^\sharp[v] \subseteq V^\sharp_1[v]$ for all program points $v \in N$. This is independent of the abstract domain.¹

Template Linear Constraints
In the present article we restrict our considerations to template linear constraint domains [42]. Assume that we are given a fixed template constraint matrix $T \in \mathbb{R}^{m \times n}$. The template linear constraint domain is $\overline{\mathbb{R}}^m$. As shown by Sankaranarayanan et al. [42], the concretization $\gamma : \overline{\mathbb{R}}^m \to 2^{\mathbb{R}^n}$ and the abstraction $\alpha : 2^{\mathbb{R}^n} \to \overline{\mathbb{R}}^m$, which are defined by

$\gamma(d) := \{x \in \mathbb{R}^n \mid Tx \le d\}$ for all $d \in \overline{\mathbb{R}}^m$,
$\alpha(X) := \bigwedge\{d \in \overline{\mathbb{R}}^m \mid \gamma(d) \supseteq X\}$ for all $X \subseteq \mathbb{R}^n$,

form a Galois connection. The template linear constraint domains contain intervals, zones, and octagons, with appropriate choices of the template constraint matrix [42]. In a first stage we restrict our considerations to sequential and merge-simple statements.
Even for these statements we avoid unnecessary imprecision, if we abstract such statements en bloc instead of abstracting each elementary statement separately:

Example 2. In this example we use the interval domain as abstract domain, i.e., our complete lattice consists of all $n$-dimensional closed real intervals. Our affine program will use 2 variables, i.e., $n = 2$. The complete lattice of all 2-dimensional closed real intervals can be specified through the template constraint matrix $T = (-I \;\; I)^\top \in \mathbb{R}^{4 \times 2}$, where $I$ denotes the identity matrix. Consider the statements $s_1 = x_2 := x_1$, $s_2 = x_1 := x_1 - x_2$, and $s = s_1; s_2$ and the abstract value $I = [0, 1] \times \mathbb{R}$ (a 2-dimensional closed real interval). The interval $I$ can w.r.t. $T$ be identified with the abstract value $(0, \infty, 1, \infty)^\top$. More generally, w.r.t. $T$ every 2-dimensional closed real interval $[l_1, u_1] \times [l_2, u_2]$ can be identified with the abstract value $(-l_1, -l_2, u_1, u_2)^\top$. If we abstract each elementary statement separately, then we in fact use $\llbracket s_2 \rrbracket^\sharp \circ \llbracket s_1 \rrbracket^\sharp$ instead of $\llbracket s \rrbracket^\sharp$ to abstract the collecting semantics $\llbracket s \rrbracket$ of the statement $s = s_1; s_2$. The following calculation shows that this can be important:

$\llbracket s \rrbracket^\sharp I = [0, 0] \times [0, 1] \neq [-1, 1] \times [0, 1] = \llbracket s_2 \rrbracket^\sharp ([0, 1] \times [0, 1]) = (\llbracket s_2 \rrbracket^\sharp \circ \llbracket s_1 \rrbracket^\sharp) I$.

The imprecision is caused by the additional abstraction. We lose the information that the values of the program variables $x_1$ and $x_2$ are equal after executing the first statement.

¹ We assume that we have given a Galois-connection and thus in particular monotone best abstract transformers.

Another possibility for avoiding unnecessary imprecision in the above example would consist in adding additional rows to the template constraint matrix.
Although this works for the above example, it does not work in general, since still only convex sets can be described, but sometimes non-convex sets are required (cf. with the example in the introduction). Provided that $s$ is a merge-simple statement, $\llbracket s \rrbracket^\sharp d$ can be computed in polynomial time through linear programming:

Lemma 3 (Merge-Simple Statements). Let $s$ be a merge-simple statement and $d \in \overline{\mathbb{R}}^m$. Then $\llbracket s \rrbracket^\sharp d$ can be computed in polynomial time through linear programming.

However, the situation for arbitrary statements is significantly more difficult, since, by reducing SAT to the corresponding decision problem, we can show the following:

Lemma 4. The problem of deciding, whether or not, for a given template constraint matrix $T$, and a given statement $s$, $\llbracket s \rrbracket^\sharp \infty > -\infty$ holds, is NP-complete.

Before proving the above lemma, we introduce $\vee$-strategies for statements as follows:

Definition 1 ($\vee$-Strategies for Statements). A $\vee$-strategy $\sigma$ for a statement $s$ is a function that maps every position of a $\mid$-statement (a statement of the form $s_0 \mid s_1$) within $s$ to $0$ or $1$. The application $s\sigma$ of a $\vee$-strategy $\sigma$ to a statement $s$ is inductively defined by $s\sigma = s$, $(s_0 \mid s_1)\sigma = s_{\sigma(\mathrm{pos}(s_0 \mid s_1))}\sigma$, and $(s_0; s_1)\sigma = (s_0\sigma; s_1\sigma)$, where $s$ is an elementary statement, and $s_0, s_1$ are arbitrary statements. For all occurrences $s'$, $\mathrm{pos}(s')$ denotes the position of $s'$, i.e., $\mathrm{pos}(s')$ identifies the occurrence.

Proof. Firstly, we show containment in NP. Assume $\llbracket s \rrbracket^\sharp \infty > -\infty$. There exists some $k$ such that the $k$-th component of $\llbracket s \rrbracket^\sharp \infty$ is greater than $-\infty$. We choose $k$ non-deterministically. There exists a $\vee$-strategy $\sigma$ for $s$ such that the $k$-th component of $\llbracket s\sigma \rrbracket^\sharp \infty$ equals the $k$-th component of $\llbracket s \rrbracket^\sharp \infty$. We choose such a $\vee$-strategy non-deterministically. By Lemma 3, we can check in polynomial time, whether the $k$-th component of $\llbracket s\sigma \rrbracket^\sharp \infty$ is greater than $-\infty$. If this is fulfilled, we accept.

In order to show NP-hardness, we reduce the NP-hard problem SAT to our problem. Let $\Phi$ be a propositional formula with $n$ variables. W.l.o.g. we assume that $\Phi$ is in normal form, i.e., there are no negated sub-formulas that contain $\wedge$ or $\vee$. We define the statement $s(\Phi)$ that uses the variables of $\Phi$ as program variables inductively by $s(z) := z = 1$, $s(\neg z) := z = 0$, $s(\Phi_1 \wedge \Phi_2) := s(\Phi_1); s(\Phi_2)$, and $s(\Phi_1 \vee \Phi_2) := s(\Phi_1) \mid s(\Phi_2)$, where $z$ is a variable of $\Phi$, and $\Phi_1, \Phi_2$ are formulas. Here, the statement $Ax = b$ is an abbreviation for the statement $Ax \le b; -Ax \le -b$. The formula $\Phi$ is satisfiable iff $\llbracket s(\Phi) \rrbracket \mathbb{R}^n \neq \emptyset$ holds. Moreover, even if we just use the interval domain, $\llbracket s(\Phi) \rrbracket \mathbb{R}^n \neq \emptyset$ holds iff $\llbracket s(\Phi) \rrbracket^\sharp \infty > -\infty$ holds. Thus, $\Phi$ is satisfiable iff $\llbracket s(\Phi) \rrbracket^\sharp \infty > -\infty$ holds.

Obviously, $\llbracket (s_1 \mid s_2); s \rrbracket = \llbracket s_1; s \mid s_2; s \rrbracket$ and $\llbracket s; (s_1 \mid s_2) \rrbracket = \llbracket s; s_1 \mid s; s_2 \rrbracket$ for all statements $s, s_1, s_2$. We can transform any statement $s$ into an equivalent merge-simple statement $s'$ using these rules. We denote the merge-simple statement $s'$ that is obtained from an arbitrary statement $s$ by applying the above rules in some canonical way by $[s]$. Intuitively, $[s]$ is an explicit enumeration of all paths through the statement $s$.

Lemma 5. For every statement $s$, $[s]$ is merge-simple, and $\llbracket s \rrbracket = \llbracket [s] \rrbracket$. The size of $[s]$ is at most exponential in the size of $s$.

However, in the worst case, the size of $[s]$ is exponential in the size of $s$. For the statement $s = (s_1^{(1)} \mid s_1^{(2)}); \cdots; (s_k^{(1)} \mid s_k^{(2)})$, for instance, we get

$[s] = \big|_{(a_1, \ldots, a_k) \in \{1, 2\}^k}\; s_1^{(a_1)}; \cdots; s_k^{(a_k)}$.
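The following Python block is an added example, not code from the paper: it represents statements as nested tuples (a constructed encoding, with elementary statements kept as opaque labels), rewrites a statement into the merge-simple form $[s]$ with the two distribution rules of Lemma 5, applies a $\vee$-strategy as in Definition 1 (positions are encoded as paths in the syntax tree, an assumption of this example), and carries out the reduction $s(\Phi)$ from the proof of Lemma 4, deciding satisfiability by the explicit path enumeration that the paper's method is designed to avoid. The `chain(k)` statement reproduces the $2^k$ blow-up of $[s]$.

```python
# Added example (not from the paper): [s] expansion, ∨-strategies and the
# SAT reduction s(Φ) of Lemma 4.  Statement encoding, constructed here:
#   ("elem", label)       elementary statement, kept opaque (assignment or guard)
#   ("seq", s0, s1)       s0; s1
#   ("merge", s0, s1)     s0 | s1

def paths(s):
    """[s] as a list of sequential statements (each a list of elementary labels),
    obtained with the rules (s1|s2); s = s1; s | s2; s  and  s; (s1|s2) = s; s1 | s; s2.
    The result is an explicit enumeration of every path through s (Lemma 5)."""
    kind = s[0]
    if kind == "elem":
        return [[s[1]]]
    if kind == "seq":
        return [p + q for p in paths(s[1]) for q in paths(s[2])]
    if kind == "merge":
        return paths(s[1]) + paths(s[2])
    raise ValueError(kind)

def apply_strategy(s, sigma, pos=()):
    """s sigma for a ∨-strategy sigma (Definition 1).  Positions of |-statements
    are encoded as tuples of child indices from the root (an assumption of this
    example); sigma maps each such position to 0 (left branch) or 1 (right)."""
    kind = s[0]
    if kind == "elem":
        return s
    if kind == "seq":
        return ("seq", apply_strategy(s[1], sigma, pos + (1,)),
                       apply_strategy(s[2], sigma, pos + (2,)))
    choice = sigma[pos]
    return apply_strategy(s[1 + choice], sigma, pos + (1 + choice,))

def chain(k):
    """(s_1^(1) | s_1^(2)); ...; (s_k^(1) | s_k^(2)), right-associated; [s] has 2^k paths."""
    s = ("merge", ("elem", f"s{k}_1"), ("elem", f"s{k}_2"))
    for i in range(k - 1, 0, -1):
        s = ("seq", ("merge", ("elem", f"s{i}_1"), ("elem", f"s{i}_2")), s)
    return s

def stmt_of_formula(phi):
    """s(Φ) from the proof of Lemma 4.  Φ is in negation normal form, encoded as
    ("var", z), ("not", z), ("and", a, b), ("or", a, b).  s(z) is the guard z = 1,
    s(¬z) the guard z = 0 (labels (z, 1) / (z, 0)); ∧ becomes ';', ∨ becomes '|'."""
    kind = phi[0]
    if kind == "var":
        return ("elem", (phi[1], 1))
    if kind == "not":
        return ("elem", (phi[1], 0))
    op = "seq" if kind == "and" else "merge"
    return (op, stmt_of_formula(phi[1]), stmt_of_formula(phi[2]))

def path_feasible(path):
    """A path of s(Φ) is a conjunction of guards z = c.  On the interval domain its
    abstract value is above -∞ iff no variable is forced to both 0 and 1."""
    forced = {}
    for z, c in path:
        if forced.setdefault(z, c) != c:
            return False
    return True

def satisfiable(phi):
    """Φ satisfiable  iff  some path of s(Φ) is feasible  iff  J s(Φ) K# ∞ > -∞.
    Enumerating [s(Φ)] is exponential in the worst case, exactly as Lemma 5 states."""
    return any(path_feasible(p) for p in paths(stmt_of_formula(phi)))

if __name__ == "__main__":
    print("paths of chain(10):", len(paths(chain(10))))
    unsat = ("and", ("or", ("var", "a"), ("var", "b")),
                    ("and", ("or", ("not", "a"), ("var", "b")), ("not", "b")))
    print("(a∨b)∧(¬a∨b)∧¬b satisfiable:", satisfiable(unsat))
```

The strategy application shows why the NP membership argument of the proof works: fixing $\sigma$ collapses every $\mid$ into one branch, so $s\sigma$ is sequential and a single path of $[s]$, which Lemma 3 then evaluates by one LP.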
After replacing all statements $s$ with $[s]$ it is in principle possible to use the methods of Gawlitza and Seidl [17] in order to compute the abstract semantics $V^\sharp$ precisely. Because of the exponential blowup, however, this method would be impractical in most cases.² Our new method that we are going to present avoids this exponential blowup: instead of enumerating all program paths, we shall visit them only as needed. Guided by a SAT modulo real linear arithmetic solver, our method selects a path through $s$ only when it is locally profitable in some sense. In the worst case, an exponential number of paths may be visited (Section 7); but one can hope that this does not happen in many practical cases, in the same way that SAT and SMT solving perform well on many practical cases even though they in principle may visit an exponential number of cases.

Abstract Semantic Equations
The first step of our method consists of rewriting our program analysis problem into a system of abstract semantic equations that is interpreted over the reals. For that, let $G = (N, E, \mathbf{st})$ be an affine program and $V^\sharp$ its abstract semantics. We define the system $\mathcal{C}(G)$ of abstract semantic inequalities to be the smallest set of inequalities that fulfills the following constraints:

• $\mathcal{C}$ contains the inequality $\mathbf{x}_{\mathbf{st}, i} \ge \alpha_{i\cdot}(\mathbb{R}^n)$ for every $i \in \{1, \ldots, m\}$.
• $\mathcal{C}$ contains the inequality $\mathbf{x}_{v, i} \ge \llbracket s \rrbracket^\sharp_{i\cdot}(\mathbf{x}_{u, 1}, \ldots, \mathbf{x}_{u, m})$ for every control-flow edge $(u, s, v) \in E$ and every $i \in \{1, \ldots, m\}$.

We define the system $\mathcal{E}(G)$ of abstract semantic equations by $\mathcal{E}(G) := \mathcal{E}(\mathcal{C}(G))$. Here, for a system $\mathcal{C}' = \{\mathbf{x}_1 \ge e_{1,1}, \ldots, \mathbf{x}_1 \ge e_{1,k_1}, \ldots, \mathbf{x}_n \ge e_{n,1}, \ldots, \mathbf{x}_n \ge e_{n,k_n}\}$ of inequalities, $\mathcal{E}(\mathcal{C}')$ is the system $\mathcal{E}(\mathcal{C}') = \{\mathbf{x}_1 = e_{1,1} \vee \cdots \vee e_{1,k_1}, \ldots, \mathbf{x}_n = e_{n,1} \vee \cdots \vee e_{n,k_n}\}$ of equations.
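The Python block below is an added example and not the paper's implementation: it computes $\llbracket s \rrbracket^\sharp d$ over a template linear constraint domain as Lemma 3 describes, by symbolically executing each path of $s$ (affine assignments composed, guards rewritten over the initial variables) and maximising each template row with an LP, and then solves the abstract semantic equations $\mathcal{E}(G)$ of the one-loop program of Example 1 by plain Kleene iteration from $\bot$. The LP is solved by Fourier-Motzkin elimination (a choice of this example, exact on the small integer inputs used here; the paper relies on an LP solver), the tuple encoding of statements is constructed for this example, and Kleene iteration is used only because it happens to stabilise on these inputs, which the paper's strategy iteration does not require. It also re-checks Example 2 on the interval domain; with $T$ rows $x_1 \le c_1$ and $-x_1 \le c_2$ the running example's least solution comes out as $(2001, 2000)$.

```python
# Added example (not the paper's code): J s K# d via per-path LPs (Lemma 3) and
# the least solution of E(G) for st --init--> 1 --loop--> 1 by Kleene iteration.
INF = float("inf")

# Statement encoding, constructed for this example (n program variables):
#   ("assign", A, b)    x := A x + b     A: n x n, b: length n
#   ("guard", A, b)     A x <= b         A: k x n, b: length k
#   ("seq", [s, ...])   s_1; ...; s_k       ("merge", [s, ...])  s_1 | ... | s_k

def lp_max(c, cons, n):
    """sup { c.x | x in R^n, a.x <= r for (a, r) in cons } by Fourier-Motzkin
    elimination.  Returns -INF if infeasible and INF if unbounded."""
    # variable n is t = c.x, introduced through the single row t - c.x <= 0
    rows = [(list(a) + [0.0], r) for a, r in cons]
    rows.append(([-ci for ci in c] + [1.0], 0.0))
    for j in range(n):  # eliminate x_j: keep rows without it, combine pos/neg pairs
        pos = [(a, r) for a, r in rows if a[j] > 0]
        neg = [(a, r) for a, r in rows if a[j] < 0]
        rows = [(a, r) for a, r in rows if a[j] == 0]
        for pa, pr in pos:
            for qa, qr in neg:
                rows.append(([pk * -qa[j] + qk * pa[j] for pk, qk in zip(pa, qa)],
                             pr * -qa[j] + qr * pa[j]))
    best = INF
    for a, r in rows:  # t's coefficient is never negative, so only upper bounds remain
        if a[n] > 0:
            best = min(best, r / a[n])
        elif r < 0:
            return -INF  # a derived row 0 <= r with r < 0: feasible space is empty
    return best

def run(s, state):
    """Symbolic execution of s from state = (expr, cons): expr[i] is an affine row
    (n coefficients over the initial values x0, then a constant) for the current
    x_i; cons collects the guards met so far, rewritten over x0.  One state per path."""
    expr, cons = state
    n = len(expr)
    kind = s[0]
    if kind in ("assign", "guard"):
        A, b = s[1], s[2]
        lin = [[sum(A[i][j] * expr[j][k] for j in range(n)) for k in range(n + 1)]
               for i in range(len(A))]
        if kind == "assign":
            return [([row[:n] + [row[n] + bi] for row, bi in zip(lin, b)], cons)]
        return [(expr, cons + [(row[:n], bi - row[n]) for row, bi in zip(lin, b)])]
    if kind == "seq":
        states = [state]
        for t in s[1]:
            states = [u for st in states for u in run(t, st)]
        return states
    if kind == "merge":
        return [u for t in s[1] for u in run(t, state)]
    raise ValueError(kind)

def abstract(s, T, d):
    """J s K# d for template matrix T: component i is the maximum of T_i . x' over
    all paths, x0 ranging over { x0 | T x0 <= d } intersected with the path's guards."""
    m, n = len(T), len(T[0])
    if any(di == -INF for di in d):
        return [-INF] * m  # gamma(d) is empty
    x0 = [[1.0 if k == j else 0.0 for k in range(n + 1)] for j in range(n)]
    dom = [(list(T[i]), d[i]) for i in range(m) if d[i] != INF]
    out = [-INF] * m
    for expr, cons in run(s, (x0, dom)):
        for i in range(m):
            obj = [sum(T[i][j] * expr[j][k] for j in range(n)) for k in range(n + 1)]
            out[i] = max(out[i], lp_max(obj[:n], cons, n) + obj[n])
    return out

def least_solution(T, init, loop, limit=10000):
    """mu J E(G) K for G = (st --init--> 1 --loop--> 1): x_1 = J init K#(x_st) v J loop K#(x_1),
    x_st = alpha(R^n) = (INF, ...).  Kleene iteration from bottom; it stabilises on the
    examples below, which is not guaranteed in general."""
    x_st, x1 = [INF] * len(T), [-INF] * len(T)
    for _ in range(limit):
        nxt = [max(a, b) for a, b in zip(abstract(init, T, x_st), abstract(loop, T, x1))]
        if nxt == x1:
            return x1
        x1 = nxt
    raise RuntimeError("Kleene iteration did not stabilise")

def running_example():
    """Example 1 with T rows x1 <= c1 and -x1 <= c2; expected (2001, 2000)."""
    T = [[1, 0], [-1, 0]]
    init = ("assign", [[0, 0], [0, 1]], [0, 0])                       # x1 := 0
    s_pre = ("seq", [("guard", [[1, 0]], [1000]),                     # x1 <= 1000
                     ("assign", [[1, 0], [-1, 0]], [0, 0])])           # x2 := -x1
    s1 = ("seq", [("guard", [[0, 1]], [-1]),                          # x2 <= -1
                  ("assign", [[-2, 0], [0, 1]], [0, 0])])              # x1 := -2 x1
    s2 = ("seq", [("guard", [[0, -1]], [0]),                          # -x2 <= 0
                  ("assign", [[-1, 0], [0, 1]], [1, 0])])              # x1 := -x1 + 1
    return least_solution(T, init, ("seq", [s_pre, ("merge", [s1, s2])]))

def example2():
    """Example 2 on the interval domain T = (-I I)^T: en bloc vs. elementary."""
    T = [[-1, 0], [0, -1], [1, 0], [0, 1]]
    s1 = ("assign", [[1, 0], [1, 0]], [0, 0])    # x2 := x1
    s2 = ("assign", [[1, -1], [0, 1]], [0, 0])   # x1 := x1 - x2
    I = [0, INF, 1, INF]                           # [0,1] x R as (-l1, -l2, u1, u2)
    return abstract(("seq", [s1, s2]), T, I), abstract(s2, T, abstract(s1, T, I))

if __name__ == "__main__":
    print("V#[1] =", running_example())
    print("Example 2 (en bloc, separately):", example2())
```

The en bloc result $(0, 0, 0, 1)$ is $[0, 0] \times [0, 1]$ and the two-step result $(1, 0, 1, 1)$ is $[-1, 1] \times [0, 1]$, matching the calculation in Example 2; the difference is exactly the relation $x_1 = x_2$ that the intermediate abstraction discards.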
The system E ( G ) of abstract semantic equations captures the abstract seman tics V ♯ of G : Lemma 6. ( V ♯ [ v ]) i · = µ J E ( G ) K ( x v,i ) for al l pr o gr am p oints v , i ∈ { 1 , . . . , m } . Example 7 (Abstract Semanti c Equ ations) . W e again consider the pr ogram G of Exam- ple 1. Assume that the template constrain t matrix T ∈ R 2 × 2 is giv en b y T 1 · = (1 , 0) and T 2 · = ( − 1 , 0). Let V ♯ denote th e abstract semant ics of G . Th en V ♯ [1] = (2001 , 2000) ⊤ . E ( G ) consists of the follo wing abstract seman tic equations: x st , 1 = ∞ x 1 , 1 = J x 1 := 0 K ♯ 1 · ( x st , 1 , x st , 2 ) ∨ J s K ♯ 1 · ( x 1 , 1 , x 1 , 2 ) x st , 2 = ∞ x 1 , 2 = J x 1 := 0 K ♯ 2 · ( x st , 1 , x st , 2 ) ∨ J s K ♯ 2 · ( x 1 , 1 , x 1 , 2 ) 2 Note th at w e cannot expect a p olynomial-time algo rithm, b ecause of Lemma 4: ev en without loops, abstract reac hability is NP-hard. Even if all statements are merge-simple, we cannot exp ect a p olyn omial-time algorithm, since the problem of computing the winning regions of parity games is p olynomial-time redu cible to abstract reachabilit y [19]. 10 As stated by Lemma 6, w e ha v e ( V ♯ [1]) 1 · = µ J E ( G ) K ( x 1 , 1 ) = 2001, and ( V ♯ [1]) 2 · = µ J E ( G ) K ( x 1 , 2 ) = 2000. 3 A Lo w er Bound on the Complexit y In this section we show that the problem of computing a bstract seman tics of affine programs w.r.t. the inte rv al domain is Π p 2 -hard. Π p 2 -hard pr oblems are conjectured to b e harder than b oth NP-complete and co-NP-complete p roblems. F or further information regarding the p olynomial-time hierarch y see e.g. Sto c kmey er [44]. Theorem 8. The pr oblem of de c i ding, whether, for a given pr o gr am G , a give n template c ons tr aint matrix T , and a g i ven pr o gr am p o int v , V ♯ [ v ] > −∞ holds, is Π p 2 -har d. Pr o of. W e red u ce the Π p 2 -complete p roblem of deciding the truth of a ∀∃ prop ositional form ula [46] to ou r problem. Let Φ = ∀ x 1 , . . . , x n . ∃ y 1 , . . . 
, y m . Φ ′ b e a f ormula without free v ariables, wh ere Φ ′ is a pr op ositional formula. W e consider the affine program G = ( N , E , st ), with p rogram v ariables x, x ′ , x 1 , . . . , x n , y 1 , . . . , y m , where N = { st , 1 , 2 } , and E = { ( st , x := 0 , 1) , (1 , s, 1) , (1 , x ≥ 2 n , 2) } with s = x ′ := x ; ( x ′ ≥ 2 n − 1 ; x ′ := x ′ − 2 n − 1 ; x n := 1 | x ′ ≤ 2 n − 1 − 1; x n := 0); · · · ( x ′ ≥ 2 1 − 1 ; x ′ := x ′ − 2 1 − 1 ; x 1 := 1 | x ′ ≤ 2 1 − 1 − 1; x 1 := 0); s (Φ ′ ); x := x + 1 The statement s (Φ ′ ) is defin ed as in the pro of of Lemma 4. In intuitiv e terms: this program initializes x to 0. Th en, it en ters a lo op: it computes in to x 1 , . . . , x n the bin ary decomp osition of x , then it attempts to n ondeterministically c ho ose y 1 , . . . , y m so that φ ′ is true. If this is p ossible, it in cremen ts x by one and lo ops. Otherwise, it jus t lo ops. Thus, there is a terminating computations iff Φ holds. Then Φ holds iff V [2] 6 = ∅ . F or the abstraction, we consider the interv al domain. By considering th e Kleene-Iterat ion, it is easy to see that V [2] 6 = ∅ holds iff V ♯ [2] > −∞ holds. Thus Φ holds iff V ♯ [2] > −∞ holds. 4 Determining Impro v ed Strategies In this section we d ev elop a metho d for compu ting local impro v emen ts o f strategies through solving S A T mo dulo real linear arithmetic form ulas. In ord er to decide, w hether or not, f or a giv en statemen t s , a given j ∈ { 1 , . . . , m } , a giv en c , and a given d ∈ R m , J s K ♯ j · d > c h olds, we constr u ct the follo wing SA T mo dulo real linear arithmetic form ula (we use existenti al quan tifiers to imp ro v e readabilit y): Φ( s, d, j, c ) : ≡ ∃ v ∈ R . Φ( s, d, j ) ∧ v > c Φ( s, d, j ) : ≡ ∃ x ∈ R n , x ′ ∈ R n . T x ≤ d ∧ Φ ( s ) ∧ v = T j · x ′ 11 Φ( s, (0 , 0) ⊤ , 1 , 0) ≡ ∃ v ∈ R . Φ( s, (0 , 0) ⊤ , 1) ∧ v > 0 Φ( s, (0 , 0) ⊤ , 1) ≡ ∃ x ∈ R 2 , x ′ ∈ R 2 . x 1 · ≤ 0 ∧ − x 1 · ≤ 0 ∧ Φ( s ) ∧ v = x ′ 1 · Φ( s ′ ) ≡ ∃ x ′′ ∈ R 2 . 
x 1 · ≤ 1000 ∧ x ′′ 1 · = x 1 · ∧ x ′′ 2 · = x 2 · ∧ x ′ 1 · = x ′′ 1 · ∧ x ′ 2 · = − x ′′ 1 · ≡ x 1 · ≤ 1000 ∧ x ′ 1 · = x 1 · ∧ x ′ 2 · = − x 1 · Φ( s 1 ) ≡ ∃ x ′′ ∈ R 2 . x 2 · ≤ − 1 ∧ x ′′ 1 · = x 1 · ∧ x ′′ 2 · = x 2 · ∧ x ′ 1 · = − 2 x ′′ 1 · ∧ x ′ 2 · = x ′′ 2 · ≡ x 2 · ≤ − 1 ∧ x ′ 1 · = − 2 x 1 · ∧ x ′ 2 · = x 2 · Φ( s 2 ) ≡ ∃ x ′′ ∈ R 2 . − x 2 · ≤ 0 ∧ x ′′ 1 · = x 1 · ∧ x ′′ 2 · = x 2 · ∧ x ′ 1 · = − x ′′ 1 · + 1 ∧ x ′ 2 · = x ′′ 2 · ≡ x 2 · ≤ 0 ∧ x ′ 1 · = − x 1 · + 1 ∧ x ′ 2 · = x 2 · Φ( s 1 | s 2 ) ≡ ( a 1 ∧ Φ( s 1 )) ∨ ( a 1 ∧ Φ( s 2 )) ≡ ( a 1 ∧ x 2 · ≤ − 1 ∧ x ′ 1 · = − 2 x 1 · ∧ x ′ 2 · = x 2 · ) ∨ ( a 1 ∧ x 2 · ≤ 0 ∧ x ′ 1 · = − x 1 · + 1 ∧ x ′ 2 · = x 2 · ) Φ( s ) ≡ ∃ x ′′ ∈ R 2 . Φ( s ′ )[ x ′′ /x ′ ] ∧ Φ( s 1 | s 2 )[ x ′′ /x ] ≡ x 1 · ≤ 1000 ∧ (( a 1 ∧ − x 1 · ≤ − 1 ∧ x ′ 1 · = − 2 x 1 · ∧ x ′ 2 · = − x 1 · ) ∨ ( a 1 ∧ − x 1 · ≤ 0 ∧ x ′ 1 · = − x 1 · + 1 ∧ x ′ 2 · = − x 1 · )) Figure 2: F orm ula for Example 11 Here, Φ( s ) is a form ula that relates ev ery x ∈ R n with all elemen ts f r om the set J s K { x } . It is defin ed inductive ly o v er the structure of s as follo ws: Φ( x := Ax + b ) : ≡ x ′ = Ax + b Φ( Ax ≤ b ) : ≡ Ax ≤ b ∧ x ′ = x Φ( s 1 ; s 2 ) : ≡ ∃ x ′′ ∈ R n . Φ( s 1 )[ x ′′ /x ′ ] ∧ Φ( s 2 )[ x ′′ /x ] Φ( s 1 | s 2 ) : ≡ ( a pos( s 1 | s 2 ) ∧ Φ( s 1 )) ∨ ( a pos ( s 1 | s 2 ) ∧ Φ ( s 2 )) Here, for ev ery p osition p of a sub expr ession of s , a p is a Boolean v ariable. Let Po s | ( s ) denote the s et of all p ositions of | -su bexpressions of s . The set of fr ee v ariables of the form ula Φ( s ) is { x, x ′ } ∪ { a p | p ∈ P os | ( s ) } . A v aluation for the v ariables from the set { a p | p ∈ P os | ( s ) } d escrib es a path through s . W e h a v e: Lemma 9. J s K ♯ j · d > c holds iff Φ( s, d, j, c ) is satisfiable. Our n ext goal is to compute a ∨ -strategy σ f or s suc h that J sσ K ♯ j · d > c holds, pro vided that J s K ♯ j · d > c holds. Let s b e a statemen t, d ∈ R m , j ∈ { 1 , . . . , m } , and c ∈ R . 
Assume that $\llbracket s\rrbracket^\sharp_{j\cdot}\, d > c$ holds. By Lemma 9, there exists a model $M$ of $\Phi(s, d, j, c)$. We define the $\vee$-strategy $\sigma_M$ for $s$ by $\sigma_M(p) := M(a_p)$ for all $p \in \mathrm{Pos}_{\mid}(s)$. By again applying Lemma 9 (to the merge-free statement $s\sigma_M$, whose formula is satisfied by $M$), we get $\llbracket s\sigma_M\rrbracket^\sharp_{j\cdot}\, d > c$. Summarizing, we have:

Lemma 10. By solving the SAT modulo real linear arithmetic formula $\Phi(s, d, j, c)$, which can be obtained from $s$ in linear time, we can decide whether or not $\llbracket s\rrbracket^\sharp_{j\cdot}\, d > c$ holds. From a model $M$ of this formula, we can obtain in linear time a $\vee$-strategy $\sigma_M$ for $s$ such that $\llbracket s\sigma_M\rrbracket^\sharp_{j\cdot}\, d > c$ holds.

Example 11. We continue Examples 1 and 7. We want to know whether $\llbracket s\rrbracket^\sharp_{1\cdot}(0,0)^\top > 0$ holds. For that we compute a model of the formula $\Phi(s, (0,0)^\top, 1, 0)$, which is written down in Figure 2. $M = \{a_1 \mapsto 1\}$ (together with, e.g., $x = (0,0)^\top$, $x' = (1,0)^\top$, $v = 1$) is a model of the formula $\Phi(s, (0,0)^\top, 1, 0)$: the other branch would require $-x_1 \le -1$, which is false for $x_1 = 0$. Thus, we have $0 < \llbracket s\sigma_M\rrbracket^\sharp_{1\cdot}(0,0)^\top = \llbracket s'; s_2\rrbracket^\sharp_{1\cdot}(0,0)^\top$ by Lemma 10.

It remains to compute a model of $\Phi(s, d, j, c)$. Most of the state-of-the-art SMT solvers, as for instance Yices [14, 15], support the computation of models directly; if unsupported, one can compute the model using standard self-reduction techniques.

The semantic equations we are concerned with in the present article have the form $x = e_1 \vee \cdots \vee e_k$, where each expression $e_i$, $i = 1, \ldots, k$, is either a constant or an expression of the form $\llbracket s\rrbracket^\sharp_{j\cdot}(x_1, \ldots, x_m)$. We now extend our notion of $\vee$-strategies in order to deal with the occurring right-hand sides:

Definition 2 ($\vee$-Strategies). The $\vee$-strategy for all constants is the 0-tuple $()$. The application $c()$ of $()$ to a constant $c \in \overline{\mathbb{R}}$ is defined by $c() := c$ for all $c \in \overline{\mathbb{R}}$. A $\vee$-strategy $\sigma$ for an expression $\llbracket s\rrbracket^\sharp_{j\cdot}(x_1, \ldots, x_m)$ is a $\vee$-strategy for $s$. The application $(\llbracket s\rrbracket^\sharp_{j\cdot}(x_1, \ldots, x_m))\sigma$ of $\sigma$ to $\llbracket s\rrbracket^\sharp_{j\cdot}(x_1, \ldots, x_m)$ is defined by $(\llbracket s\rrbracket^\sharp_{j\cdot}(x_1, \ldots, x_m))\sigma := \llbracket s\sigma\rrbracket^\sharp_{j\cdot}(x_1, \ldots, x_m)$. A $\vee$-strategy for an expression $e = e_0 \vee e_1$, where, for each $i \in \{0, 1\}$, $e_i$ is either a constant or an expression of the form $\llbracket s\rrbracket^\sharp_{j\cdot}(x_1, \ldots, x_m)$, is a pair $(p, \sigma)$, where $p \in \{0, 1\}$ and $\sigma$ is a $\vee$-strategy for $e_p$. The application $e(p, \sigma)$ of $(p, \sigma)$ to $e = e_0 \vee e_1$ is defined by $e(p, \sigma) = e_p\sigma$. A $\vee$-strategy $\sigma$ for a system $\mathcal{E} = \{x_1 = e_1, \ldots, x_n = e_n\}$ of abstract semantic equations is a mapping $\{x_i \mapsto \sigma_i \mid i = 1, \ldots, n\}$, where $\sigma_i$ is a $\vee$-strategy for $e_i$ for all $i = 1, \ldots, n$. We set $\mathcal{E}(\sigma) := \{x_1 = e_1(\sigma(x_1)), \ldots, x_n = e_n(\sigma(x_n))\}$.

Using the same ideas as above, we can prove the following lemma, which finally enables us to use a SAT modulo real linear arithmetic solver for improving $\vee$-strategies for systems of abstract semantic equations locally.

Lemma 12. Let $x = e$ be an abstract semantic equation, $\rho$ a variable assignment, and $c \in \mathbb{R}$. By solving a SAT modulo real linear arithmetic formula that can be obtained from $e$, $\rho$ and $c$ in linear time, we can decide whether or not $\llbracket e\rrbracket\rho > c$ holds. From a model $M$ of this formula, we can in linear time obtain a $\vee$-strategy $\sigma_M$ for $e$ such that $\llbracket e\sigma_M\rrbracket\rho > c$ holds.

5 Solving Systems of Concave Equations

In order to solve systems of abstract semantic equations (see the end of Section 2), we generalize the $\vee$-strategy improvement algorithm of Gawlitza and Seidl [21] as follows:

Concave Functions. A set $X \subseteq \mathbb{R}^n$ is called convex iff $\lambda x + (1 - \lambda)y \in X$ holds for all $x, y \in X$ and all $\lambda \in [0, 1]$. A mapping $f : X \to \mathbb{R}^m$ with $X \subseteq \mathbb{R}^n$ convex is called convex (resp. concave) iff $f(\lambda x + (1 - \lambda)y) \le$ (resp. $\ge$) $\lambda f(x) + (1 - \lambda)f(y)$ holds for all $x, y \in X$ and all $\lambda \in [0, 1]$. Note that $f$ is concave iff $-f$ is convex. Note also that $f$ is convex (resp. concave) iff $f_{i\cdot}$ is convex (resp. concave) for all $i = 1, \ldots, m$.

We extend the notion of convexity/concavity from $\mathbb{R}^n \to \mathbb{R}^m$ to $\overline{\mathbb{R}}^n \to \overline{\mathbb{R}}^m$ as follows: Let $f : \overline{\mathbb{R}}^n \to \overline{\mathbb{R}}^m$, and $I : \{1, \ldots, n\} \to \{-\infty, \mathrm{id}, \infty\}$. Here, $-\infty$ denotes the function that assigns $-\infty$ to every argument, $\mathrm{id}$ denotes the identity function, and $\infty$ denotes the function that assigns $\infty$ to every argument. We define the mapping $f^{(I)} : \mathbb{R}^n \to \overline{\mathbb{R}}^m$ by $f^{(I)}(x_1, \ldots, x_n) := f(I(1)(x_1), \ldots, I(n)(x_n))$ for all $x_1, \ldots, x_n \in \mathbb{R}$. A mapping $f : \overline{\mathbb{R}}^n \to \overline{\mathbb{R}}^m$ is called concave iff $f_{i\cdot}$ is continuous on $\{x \in \overline{\mathbb{R}}^n \mid f_{i\cdot}(x) > -\infty\}$ for all $i \in \{1, \ldots, m\}$, and the following conditions are fulfilled for all $I : \{1, \ldots, n\} \to \{-\infty, \mathrm{id}, \infty\}$:

1. $\mathrm{fdom}(f^{(I)})$ is convex.
2. $f^{(I)}|_{\mathrm{fdom}(f^{(I)})}$ is concave.
3. For all $i \in \{1, \ldots, m\}$ the following holds: If there exists some $y \in \mathbb{R}^n$ such that $f^{(I)}_{i\cdot}(y) \in \mathbb{R}$, then $f^{(I)}_{i\cdot}(x) < \infty$ for all $x \in \mathbb{R}^n$.

A mapping $f : \overline{\mathbb{R}}^n \to \overline{\mathbb{R}}^m$ is called convex iff $-f$ is concave. In the following we are only concerned with mappings $f : \overline{\mathbb{R}}^n \to \overline{\mathbb{R}}^m$ that are monotone and concave. We slightly extend the definition of concave equations of Gawlitza and Seidl [21]:

Definition 3 (Concave Equations). An expression $e$ (resp. equation $x = e$) over $\overline{\mathbb{R}}$ is called a basic concave expression (resp. basic concave equation) iff $\llbracket e\rrbracket$ is monotone and concave. An expression $e$ (resp. equation $x = e$) over $\overline{\mathbb{R}}$ is called concave iff $e = \bigvee E$, where $E$ is a set of basic concave expressions.

The class of systems of concave equations strictly subsumes the class of systems of rational equations and even the class of systems of rational LP-equations as defined by Gawlitza and Seidl [17, 22] (cf. [21]). For this paper it is important to observe that every system of abstract semantic equations (cf. Section 2) is a system of concave equations: For every statement $s$, the expression $\llbracket s\rrbracket^\sharp_{j\cdot}(x_1, \ldots, x_m)$ is a concave expression, since (1) the expression $(\llbracket s\rrbracket^\sharp_{j\cdot}(x_1, \ldots, x_m))\sigma$ is a basic concave expression for all $\vee$-strategies $\sigma$ (i.e., $\llbracket s\sigma\rrbracket^\sharp_{j\cdot}$ is monotone and concave), and (2) the expression $\llbracket s\rrbracket^\sharp_{j\cdot}(x_1, \ldots, x_m)$ can be written as the expression $\bigvee_{\sigma \in \Sigma} (\llbracket s\rrbracket^\sharp_{j\cdot}(x_1, \ldots, x_m))\sigma$. Here, $\Sigma$ denotes the set of all $\vee$-strategies. Hence, we can generalize the concept of $\vee$-strategies as follows:

Strategies. A $\vee$-strategy $\sigma$ for $\mathcal{E}$ is a function that maps every expression $\bigvee E$ occurring in $\mathcal{E}$ to one of the $e \in E$. We denote the set of all $\vee$-strategies for $\mathcal{E}$ by $\Sigma_{\mathcal{E}}$. We drop subscripts whenever they are clear from the context. For $\sigma \in \Sigma$, the expression $e\sigma$ denotes the expression $\sigma(e)$. Finally, we set $\mathcal{E}(\sigma) := \{x = e\sigma \mid x = e \in \mathcal{E}\}$.

The Strategy Improvement Algorithm. We briefly explain the strategy improvement algorithm (cf. [21, 22]). It iterates over $\vee$-strategies. It maintains a current $\vee$-strategy and a current approximate to the least solution. A so-called strategy improvement operator is used for determining a next, improved $\vee$-strategy. In our application, the strategy improvement operator is realized by a SAT modulo real linear arithmetic solver (cf. Section 4). Whether or not a $\vee$-strategy represents an improvement may depend on the current approximate. It can indeed be the case that a switch from one $\vee$-strategy to another $\vee$-strategy is only profitable once it is known that the least solution is of a certain size. Hence, we talk about an improvement of a $\vee$-strategy w.r.t. an approximate:

Definition 4 (Improvements). Let $\mathcal{E}$ be a system of monotone equations over a complete linearly ordered set. Let $\sigma, \sigma' \in \Sigma$ be $\vee$-strategies for $\mathcal{E}$ and $\rho$ be a pre-solution of $\mathcal{E}(\sigma)$. The $\vee$-strategy $\sigma'$ is called an improvement of $\sigma$ w.r.t. $\rho$ iff the following conditions are fulfilled: (1) If $\rho \notin \mathrm{Sol}(\mathcal{E})$, then $\llbracket \mathcal{E}(\sigma')\rrbracket\rho > \rho$. (2) For all $\bigvee$-expressions $e$ occurring in $\mathcal{E}$ the following holds: If $\sigma'(e) \ne \sigma(e)$, then $\llbracket e\sigma'\rrbracket\rho > \llbracket e\sigma\rrbracket\rho$. A function $P_\vee$ which assigns an improvement of $\sigma$ w.r.t. $\rho$ to every pair $(\sigma, \rho)$, where $\sigma$ is a $\vee$-strategy and $\rho$ is a pre-solution of $\mathcal{E}(\sigma)$, is called a $\vee$-strategy improvement operator.

In many cases, there exist several different improvements of a $\vee$-strategy $\sigma$ w.r.t. a pre-solution $\rho$ of $\mathcal{E}(\sigma)$. Accordingly, there exist several different strategy improvement operators. One possibility for improving the current strategy is known as all profitable switches [4, 5]. Carried over to the case considered here, this means: For the improvement $\sigma'$ of $\sigma$ w.r.t. $\rho$ we have $\llbracket \mathcal{E}(\sigma')\rrbracket\rho = \llbracket \mathcal{E}\rrbracket\rho$, i.e., $\sigma'$ represents the best local improvement of $\sigma$ at $\rho$. We denote $\sigma'$ by $P^{\mathrm{eager}}_\vee(\sigma, \rho)$ [17, 18, 19, 22].

Now we can formulate the strategy improvement algorithm for computing least solutions of systems of monotone equations over complete linearly ordered sets. This algorithm is parameterized with a $\vee$-strategy improvement operator $P_\vee$. The input is a system $\mathcal{E}$ of monotone equations over a complete linearly ordered set, a $\vee$-strategy $\sigma_{\mathrm{init}}$ for $\mathcal{E}$, and a pre-solution $\rho_{\mathrm{init}}$ of $\mathcal{E}(\sigma_{\mathrm{init}})$. In order to compute the least and not some arbitrary solution, we additionally assume that $\rho_{\mathrm{init}} \le \mu\llbracket \mathcal{E}\rrbracket$ holds:

Algorithm 1 The Strategy Improvement Algorithm
Input:
  - A system $\mathcal{E}$ of monotone equations over a complete linearly ordered set
  - A $\vee$-strategy $\sigma_{\mathrm{init}}$ for $\mathcal{E}$
  - A pre-solution $\rho_{\mathrm{init}}$ of $\mathcal{E}(\sigma_{\mathrm{init}})$ with $\rho_{\mathrm{init}} \le \mu\llbracket \mathcal{E}\rrbracket$
  $\sigma \leftarrow \sigma_{\mathrm{init}}$; $\rho \leftarrow \rho_{\mathrm{init}}$;
  while ($\rho \notin \mathrm{Sol}(\mathcal{E})$) {
    $\sigma \leftarrow P_\vee(\sigma, \rho)$;
    $\rho \leftarrow \mu_{\ge \rho}\llbracket \mathcal{E}(\sigma)\rrbracket$;
  }
  return $\rho$;

Lemma 13. Let $\mathcal{E}$ be a system of monotone equations over a complete linearly ordered set. For $i \in \mathbb{N}$, let $\rho_i$ be the value of the program variable $\rho$ and $\sigma_i$ be the value of the program variable $\sigma$ in the strategy improvement algorithm after the $i$-th evaluation of the loop body. The following statements hold for all $i \in \mathbb{N}$:

1. $\rho_i \le \mu\llbracket \mathcal{E}\rrbracket$.
2. $\rho_i \in \mathrm{PreSol}(\mathcal{E}(\sigma_{i+1}))$.
3. If $\rho_i < \mu\llbracket \mathcal{E}\rrbracket$, then $\rho_{i+1} > \rho_i$.
4. If $\rho_i = \mu\llbracket \mathcal{E}\rrbracket$, then $\rho_{i+1} = \rho_i$.

An immediate consequence of Lemma 13 is the following: Whenever the strategy improvement algorithm terminates, it computes the least solution $\mu\llbracket \mathcal{E}\rrbracket$ of $\mathcal{E}$.

At first we are interested in solving systems of concave equations with finitely many strategies and finite least solutions. We show that our strategy improvement algorithm terminates, and thus returns the least solution, in this case at the latest after considering all strategies. Further, we give an important characterization of $\mu_{\ge \rho}\llbracket \mathcal{E}(\sigma)\rrbracket$.

Feasibility. In order to prove termination we define the following notion of feasibility:

Definition 5 (Feasibility ([21])). Let $\mathcal{E}$ be a system of basic concave equations. A finite solution $\rho$ of $\mathcal{E}$ is called ($\mathcal{E}$-)feasible iff there exist $X_1, X_2 \subseteq X$ and some $k \in \mathbb{N}$ such that the following statements hold:

1. $X_1 \cup X_2 = X$, and $X_1 \cap X_2 = \emptyset$.
2. There exists some $\rho' \rhd \rho|_{X_1}$ such that $\rho' \,\dot\cup\, \rho|_{X_2}$ is a pre-solution of $\mathcal{E}$, and $\rho = \llbracket \mathcal{E}\rrbracket^k(\rho' \,\dot\cup\, \rho|_{X_2})$.
3. There exists a $\rho' \rhd \rho|_{X_2}$ such that $\rho' \rhd (\llbracket \mathcal{E}\rrbracket^k(\rho|_{X_1} \,\dot\cup\, \rho'))|_{X_2}$.

A finite pre-solution $\rho$ of $\mathcal{E}$ is called ($\mathcal{E}$-)feasible iff $\mu_{\ge \rho}\llbracket \mathcal{E}\rrbracket$ is a feasible finite solution of $\mathcal{E}$. A pre-solution $\rho \rhd \infty$ is called feasible iff $e = -\infty$ for all $x = e \in \mathcal{E}$ with $\llbracket e\rrbracket\rho = -\infty$, and $\rho|_{X'}$ is a feasible finite pre-solution of $\{x = e \in \mathcal{E} \mid x \in X'\}$, where $X' := \{x \mid x = e \in \mathcal{E},\ \llbracket e\rrbracket\rho > -\infty\}$. A system $\mathcal{E}$ of basic concave equations is called feasible iff there exists a feasible solution $\rho$ of $\mathcal{E}$.
The following lemmas ensure that our strategy improvement algorithm stays in the feasible area whenever it is started in the feasible area.

Lemma 14 ([21]). Let $\mathcal{E}$ be a system of basic concave equations and $\rho$ be a feasible pre-solution of $\mathcal{E}$. Every pre-solution $\rho'$ of $\mathcal{E}$ with $\rho \le \rho' \le \mu_{\ge \rho}\llbracket \mathcal{E}\rrbracket$ is feasible.

Lemma 15 ([21]). Let $\mathcal{E}$ be a system of concave equations, $\sigma$ be a $\vee$-strategy for $\mathcal{E}$, $\rho$ be a feasible solution of $\mathcal{E}(\sigma)$, and $\sigma'$ be an improvement of $\sigma$ w.r.t. $\rho$. Then $\rho$ is a feasible pre-solution of $\mathcal{E}(\sigma')$.

In order to start in the feasible area, we simply start the strategy improvement algorithm with the system $\mathcal{E} \vee -\infty := \{x = e \vee -\infty \mid x = e \in \mathcal{E}\}$, a $\vee$-strategy $\sigma_{\mathrm{init}}$ for $\mathcal{E} \vee -\infty$ such that $(\mathcal{E} \vee -\infty)(\sigma_{\mathrm{init}}) = \{x = -\infty \mid x = e \in \mathcal{E}\}$, and the feasible pre-solution $-\infty$ of $(\mathcal{E} \vee -\infty)(\sigma_{\mathrm{init}})$.

It remains to determine $\mu_{\ge \rho}\llbracket \mathcal{E}\rrbracket$. Because of Lemma 14 and Lemma 15, we are allowed to assume that $\rho$ is a feasible pre-solution of the system $\mathcal{E}$ of basic concave equations. This is important in our strategy improvement algorithm. The following lemma in particular states that we have to compute the greatest finite pre-solution.

Lemma 16 ([21]). Let $\mathcal{E}$ be a feasible system of basic concave equations with $e \ne -\infty$ for all $x = e \in \mathcal{E}$. There exists a greatest finite pre-solution $\rho^*$ of $\mathcal{E}$, and $\rho^*$ is the only feasible solution of $\mathcal{E}$. If $\rho$ is a finite pre-solution of $\mathcal{E}$, then $\rho^* = \mu_{\ge \rho}\llbracket \mathcal{E}\rrbracket$.

Termination. Lemma 16 implies that our strategy improvement algorithm has to consider each $\vee$-strategy at most once: the value $\mu_{\ge \rho}\llbracket \mathcal{E}(\sigma)\rrbracket$ computed for a feasible $\mathcal{E}(\sigma)$ does not depend on $\rho$, whereas $\rho$ strictly increases in every step (Lemma 13). Thus, we have shown the following theorem:

Theorem 17. Let $\mathcal{E}$ be a system of concave equations with $\mu\llbracket \mathcal{E}\rrbracket \rhd \infty$. Assume that we can compute the greatest finite pre-solution $\rho_\sigma$ of each $\mathcal{E}(\sigma)$, if $\mathcal{E}(\sigma)$ is feasible. Our strategy improvement algorithm computes $\mu\llbracket \mathcal{E}\rrbracket$ and performs at most $|\Sigma| + |X|$ strategy improvement steps.

The algorithm in particular terminates whenever $\Sigma$ is finite.

6 Computing Greatest Finite Pre-Solutions

For all systems $\mathcal{E}$ of abstract semantic equations (see Section 2) and all $\vee$-strategies $\sigma$, $\mathcal{E}(\sigma)$ is a system of abstract semantic equations where each right-hand side is of the form $\llbracket s\rrbracket^\sharp_{j\cdot}(x_1, \ldots, x_m)$, where $s$ is a sequential statement and $x_1, \ldots, x_m$ are variables. We call such a system of abstract semantic equations a system of basic abstract semantic equations. It remains to explain how we can compute the greatest finite pre-solution of such a system, provided that it exists.

Let $\mathcal{E}$ be a system of basic abstract semantic equations with a greatest finite pre-solution $\rho^*$. We can compute $\rho^*$ through linear programming as follows: We assume w.l.o.g. that every sequential statement $s$ that occurs in the right-hand sides of $\mathcal{E}$ is of the form $Ax \le b;\ x := A'x + b'$, where $A \in \mathbb{R}^{k \times n}$, $b \in \mathbb{R}^k$, $A' \in \mathbb{R}^{n \times n}$, $b' \in \mathbb{R}^n$. This can be done w.l.o.g., since every sequential statement can be rewritten into this form in polynomial time. We define the system $C$ of linear inequalities to be the smallest set that fulfills the following properties: For each equation
$x = \llbracket Ax \le b;\ x := A'x + b'\rrbracket^\sharp_{j\cdot}(x_1, \ldots, x_m)$,
the system $C$ contains the following constraints:

$x \le T_{j\cdot} A' (y_1, \ldots, y_n)^\top + T_{j\cdot} b'$
$A_{i\cdot} (y_1, \ldots, y_n)^\top \le b_i$ for all $i = 1, \ldots, k$
$T_{i\cdot} (y_1, \ldots, y_n)^\top \le x_i$ for all $i = 1, \ldots, m$

Here, $y_1, \ldots, y_n$ are fresh variables. Then $\rho^*(x) = \sup\{\rho(x) \mid \rho \in \mathrm{Sol}(C)\}$. Thus $\rho^*$ can be determined by solving $|X_{\mathcal{E}}|$ linear programming problems, each of which can be constructed in linear time. We can do even better by determining an optimal solution of the single linear programming problem $\sup\{\sum_{x \in X_{\mathcal{E}}} \rho(x) \mid \rho \in \mathrm{Sol}(C)\}$. Then the optimal values for the variables $x \in X_{\mathcal{E}}$ determine $\rho^*$ (cf. Gawlitza and Seidl [17, 22]). Summarizing, we have:

Lemma 18. Let $\mathcal{E}$ be a system of basic abstract semantic equations with a greatest finite pre-solution $\rho^*$. Then $\rho^*$ can be computed by solving a linear programming problem that can be constructed in linear time.

Example 19. We again use the definitions of Example 7. Consider the system $\mathcal{E}$ of basic abstract semantic equations that consists of the equations

$x_{1,1} = \llbracket s'; s_2\rrbracket^\sharp_{1\cdot}(x_{1,1}, x_{1,2})$
$x_{1,2} = \llbracket s'; s_1\rrbracket^\sharp_{2\cdot}(x_{1,1}, x_{1,2})$,

where $s' := x_1 \le 1000;\ x_2 := -x_1$, $s_1 := x_2 \le -1;\ x_1 := -2x_1$, and $s_2 := -x_2 \le 0;\ x_1 := -x_1 + 1$. Our goal is to compute the greatest finite pre-solution $\rho^*$ of $\mathcal{E}$. Firstly, we note that $\llbracket s'; s_2\rrbracket = \llbracket x_1 \le 0;\ (x_1, x_2) := (-x_1 + 1, -x_1)\rrbracket$ and $\llbracket s'; s_1\rrbracket = \llbracket (x_1, -x_1) \le (1000, -1);\ (x_1, x_2) := (-2x_1, -x_1)\rrbracket$ hold. Accordingly, we have to find an optimal solution for the following linear programming problem (with fresh variables $y_1$ for the first equation and $y'_1$ for the second; the second coordinate of the fresh vectors does not occur in any constraint and is omitted):

maximize $x_{1,1} + x_{1,2}$ subject to
$x_{1,1} \le -y_1 + 1$, $\quad y_1 \le 0$, $\quad y_1 \le x_{1,1}$, $\quad -y_1 \le x_{1,2}$,
$x_{1,2} \le 2y'_1$, $\quad y'_1 \le 1000$, $\quad -y'_1 \le -1$, $\quad y'_1 \le x_{1,1}$, $\quad -y'_1 \le x_{1,2}$.

An optimal solution is $x_{1,1} = 2001$, $x_{1,2} = 2000$, $y_1 = -2000$, and $y'_1 = 1000$. Thus $\rho^* = \{x_{1,1} \mapsto 2001,\ x_{1,2} \mapsto 2000\}$ is the greatest finite pre-solution of $\mathcal{E}$.

Summarizing, we have shown our main theorem:

Theorem 20. Let $\mathcal{E}$ be a system of abstract semantic equations with $\mu\llbracket \mathcal{E}\rrbracket \rhd \infty$. Our strategy improvement algorithm computes $\mu\llbracket \mathcal{E}\rrbracket$ and performs at most $|\Sigma| + |X|$ strategy improvement steps. For each strategy improvement step, we have to do the following:

1. Find models for $|X|$ SAT modulo real linear arithmetic formulas, each of which can be constructed in linear time.
2. Solve a linear programming problem which can be constructed in linear time.

Proof. The statement follows from Lemmas 14, 15, 16, 18 and Theorem 17.
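The following added example (not the authors' implementation) runs Algorithm 1 with the all-profitable-switches operator $P^{\mathrm{eager}}_\vee$ on the system of Examples 7, 11 and 19, starting from $\mathcal{E} \vee -\infty$ as described in Section 5. Each equation has the disjuncts $-\infty$, the initial edge $x_1 := 0$ (a constant $0$, since $x_{st,1} = x_{st,2} = \infty$) and the two composed paths $s'; s_2$ and $s'; s_1$ in the form derived in Example 19; because the template $T$ only constrains $x_1$, their abstract effect on a pair $(d_1, d_2)$ (meaning $x_1 \le d_1$, $-x_1 \le d_2$) is computed directly by interval arithmetic. Two stand-ins are assumed and labelled in the code: the improvement step enumerates the finitely many disjuncts instead of solving the SMT formula of Lemma 12, and $\mu_{\ge \rho}\llbracket \mathcal{E}(\sigma)\rrbracket$ is obtained by ascending iteration from $\rho$ rather than by the linear program of Lemma 18. The iteration terminates on this instance because all values are integers that strictly increase up to the guard bound $1000$; it is not a general replacement for the LP. The names `x11`, `x12` stand for $x_{1,1}$, $x_{1,2}$.

```python
import math

INF, NEG = math.inf, -math.inf


def path_transformer(g_lo, g_hi, a, b):
    """Abstract effect [[g_lo <= x1 <= g_hi ; x1 := a*x1 + b]]^# on the template
    value (d1, d2) with x1 <= d1 and -x1 <= d2 (rows T_1 = (1,0), T_2 = (-1,0)).
    Returns (upper bound of x1', upper bound of -x1'), or (-inf, -inf) when the
    guard is infeasible on the input interval, i.e. the path is not enabled."""
    def f(d):
        lo, hi = max(-d[1], g_lo), min(d[0], g_hi)
        if lo > hi:
            return (NEG, NEG)
        ends = [b, b] if a == 0 else [a * lo + b, a * hi + b]
        return (max(ends), -min(ends))
    return f


# Composed paths of Example 19 (the template ignores x2, so x2 := -x1 is dropped).
PATHS = {
    "s';s2": path_transformer(NEG, 0, -1, 1),     # x1 <= 0 ; x1 := -x1 + 1
    "s';s1": path_transformer(1, 1000, -2, 0),    # 1 <= x1 <= 1000 ; x1 := -2*x1
}


def component(name, j):
    """Basic expression [[path]]^#_j . (x11, x12) as a function of the assignment rho."""
    return lambda rho: PATHS[name]((rho["x11"], rho["x12"]))[j]


# E v -inf for the two equations of Example 7, with [[s]]^# expanded into its paths.
SYSTEM = {
    "x11": {"-inf": lambda rho: NEG, "x1:=0": lambda rho: 0,
            "s';s2": component("s';s2", 0), "s';s1": component("s';s1", 0)},
    "x12": {"-inf": lambda rho: NEG, "x1:=0": lambda rho: 0,
            "s';s2": component("s';s2", 1), "s';s1": component("s';s1", 1)},
}


def eval_all(system, rho):
    """[[E]]rho: every full right-hand side, i.e. the max over all disjuncts."""
    return {x: max(e(rho) for e in rhs.values()) for x, rhs in system.items()}


def improve_eager(system, sigma, rho):
    """P_eager (all profitable switches): switch each equation to a disjunct that is
    strictly better at rho.  Brute force over the disjuncts stands in for the SMT
    query of Lemma 12; it realises the same improvement operator."""
    new = dict(sigma)
    for x, rhs in system.items():
        best = max(rhs, key=lambda name: rhs[name](rho))
        if rhs[best](rho) > rhs[sigma[x]](rho):
            new[x] = best
    return new


def least_solution_from(system, sigma, rho, limit=100000):
    """mu_{>=rho}[[E(sigma)]] by ascending (Jacobi) iteration from the pre-solution rho.
    Stand-in for the LP of Lemma 18; it converges here because the values are
    integers bounded by the guard 1000, but in general it need not terminate."""
    for _ in range(limit):
        nxt = {x: system[x][sigma[x]](rho) for x in system}
        assert all(nxt[x] >= rho[x] for x in system)   # rho is a pre-solution (Lemma 13)
        if nxt == rho:
            return rho
        rho = nxt
    raise RuntimeError("iteration did not converge; use the linear program of Section 6")


def strategy_improvement(system, sigma, rho):
    """Algorithm 1.  Returns (least solution, final strategy, number of improvement steps)."""
    steps = 0
    while eval_all(system, rho) != rho:            # rho not in Sol(E)
        sigma = improve_eager(system, sigma, rho)   # sigma <- P_eager(sigma, rho)
        rho = least_solution_from(system, sigma, rho)
        steps += 1
    return rho, sigma, steps


def run_example():
    """Start in the feasible area: (E v -inf)(sigma_init) = {x = -inf}, rho_init = -inf."""
    sigma0 = {"x11": "-inf", "x12": "-inf"}
    rho0 = {"x11": NEG, "x12": NEG}
    return strategy_improvement(SYSTEM, sigma0, rho0)


if __name__ == "__main__":
    print(run_example())
```

The run passes through the strategies $(-\infty, -\infty)$, $(x_1 := 0,\ x_1 := 0)$, $(s'; s_2,\ x_1 := 0)$ and finally $(s'; s_2,\ s'; s_1)$, i.e., exactly the system $\mathcal{E}$ of Example 19, and stops after three improvement steps at $\rho = \{x_{1,1} \mapsto 2001,\ x_{1,2} \mapsto 2000\}$, the value $V^\sharp[1] = (2001, 2000)^\top$ of Example 7. At the second step the switch of $x_{1,2}$ to $s'; s_1$ is not yet profitable (its guard $x_1 \ge 1$ is infeasible while $x_1 \in [0, 0]$), which illustrates why an improvement is defined relative to the current approximate.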
Our techniques can be extended straightforwardly in order to get rid of the pre-condition $\mu\llbracket \mathcal{E}\rrbracket \rhd \infty$. However, for simplicity we eschew these technicalities in the present article.

7 An Upper Bound on the Complexity

In Section 3, we have provided a lower bound on the complexity of computing abstract semantics of affine programs w.r.t. the template linear domains. In this section we show that the corresponding decision problem is not only $\Pi^p_2$-hard, but in fact $\Pi^p_2$-complete:

Theorem 21. The problem of deciding whether or not, for a given affine program $G$, a given template constraint matrix $T$, and a given program point $v$, $V^\sharp[v] > -\infty$ holds, is in $\Pi^p_2$.

Proof. (Sketch) We have to show that the problem of deciding whether or not, for a given affine program $G$, a given template constraint matrix $T$, a given program point $v$, and a given $i \in \{1, \ldots, m\}$, $(V^\sharp[v])_{i\cdot} = -\infty$ holds, is in $\text{co-}\Pi^p_2 = \Sigma^p_2 = \mathrm{NP}^{\mathrm{NP}}$. In polynomial time we can guess a $\vee$-strategy $\sigma$ for $\mathcal{E}' := \mathcal{E}(G)$ and compute the least feasible solution $\rho$ of $\mathcal{E}'(\sigma)$ (see Gawlitza and Seidl [17]). Because of Lemma 4, we can use an NP oracle to determine whether or not there exists an improvement of the strategy $\sigma$ w.r.t. $\rho$. If this is not the case, we know that $\rho \ge \mu\llbracket \mathcal{E}'\rrbracket$ holds. Therefore, by Lemma 6, we have $\rho(x_{v,i}) \ge (V^\sharp[v])_{i\cdot}$. Thus we can accept whenever $\rho(x_{v,i}) = -\infty$ holds.

Finally, we give an example where our strategy improvement algorithm performs exponentially many strategy improvement steps. It is similar to the program in the proof of Theorem 8. For all $n \in \mathbb{N}$, we consider the program $G_n = (N, E, st)$, where $N = \{st, 1\}$, $E = \{(st,\ x_1 := 0;\ y_1 := 1;\ y_2 := 2y_1;\ \ldots;\ y_n := 2y_{n-1},\ 1),\ (1, s, 1)\}$, and

$s = x_2 := x_1;\ (x_2 \ge y_n;\ x_2 := x_2 - y_n \ \mid\ x_2 \le y_n - 1);\ \cdots;\ (x_2 \ge y_1;\ x_2 := x_2 - y_1 \ \mid\ x_2 \le y_1 - 1);\ x_1 := x_1 + 1$.

It is sufficient to use a template constraint matrix that corresponds to the interval domain. It is remarkable that the strategy iteration does not depend on the strategy improvement operator in use: at any time there is exactly one possible improvement until the least solution is reached, since the path through $s$ enabled for the current upper bound of $x_1$ is the one that matches its binary decomposition. All strategies for the statement $s$ will be encountered. Thus, the strategy improvement algorithm performs $2^n$ strategy improvement steps. Since the size of $G_n$ is $\Theta(n)$, exponentially many strategy improvement steps are performed.

8 Conclusion

We presented an extension of the strategy improvement algorithm of Gawlitza and Seidl [17, 18, 21] which enables us to use a SAT modulo real linear arithmetic solver for determining improvements of strategies w.r.t. current approximates. Due to this extension, we are able to compute abstract semantics of affine programs w.r.t. the template linear constraint domains of Sankaranarayanan et al. [42], where we abstract sequences of if-then-else statements without loops en bloc. This gives us additional precision. Additionally, we provided one of the few "hard" complexity results regarding precise abstract interpretation.

It remains to practically evaluate the presented approach and to compare it systematically with other approaches. Besides this, starting from the present work, there are several directions to explore. One can for instance try to apply the same ideas for non-linear templates [21], or to use linearization techniques [35].

References

[1] A. Adjé, S. Gaubert, and E. Goubault. Computing the smallest fixed point of nonexpansive mappings arising in game theory and static analysis of programs. ArXiv e-prints, June 2008. 0806.1160v2.
[2] Assalé Adjé, Stéphane Gaubert, and Eric Goubault. Coupling policy iteration with semi-definite relaxation to compute accurate numerical invariants in static analysis. In Andrew D. Gordon, editor, ESOP, volume 6012 of LNCS, pages 23–42. Springer, 2010. ISBN 978-3-642-11956-9.
[3] Thomas Ball and Robert B. Jones, editors. Computer Aided Verification (CAV), volume 4144 of LNCS, 2006. Springer. ISBN 3-540-37406-X.
[4] H. Björklund, S. Sandberg, and S. Vorobyov. Optimization on completely unimodal hypercubes. Technical report 2002-18, Uppsala University, 2002.
[5] Henrik Björklund, Sven Sandberg, and Sergei Vorobyov. Complexity of Model Checking by Iterative Improvement: the Pseudo-Boolean Framework. In Proc. 5th Int. Andrei Ershov Memorial Conf. Perspectives of System Informatics, pages 381–394. LNCS 2890, Springer, 2003. doi: 10.1007/978-3-540-39866-0_38.
[6] Bruno Blanchet, Patrick Cousot, Radhia Cousot, Jérôme Feret, Laurent Mauborgne, Antoine Miné, David Monniaux, and Xavier Rival. A static analyzer for large safety-critical software. In Programming Language Design and Implementation (PLDI), pages 196–207. ACM, 2003. ISBN 1-58113-662-5. doi: 10.1145/781131.781153.
[7] Jean Cochet-Terrasson, Stéphane Gaubert, and Jeremy Gunawardena. A Constructive Fixed Point Theorem for Min-Max Functions. Dynamics and Stability of Systems, 14(4):407–433, 1999.
[8] Michael A. Colón, Sriram Sankaranarayanan, and Henny Sipma. Linear invariant generation using non-linear constraint solving. In Computer Aided Verification (CAV), number 2725 in LNCS, pages 420–433. Springer, 2003. ISBN 3-540-40524-0. doi: 10.1007/b11831.
[9] Alexandru Costan, Stéphane Gaubert, Eric Goubault, Matthieu Martel, and Sylvie Putot. A Policy Iteration Algorithm for Computing Fixed Points in Static Analysis of Programs. In Computer Aided Verification, 17th Int. Conf. (CAV), pages 462–475. LNCS 3576, Springer Verlag, 2005. ISBN 3-540-27231-3. doi: 10.1007/11513988_46.
[10] Patrick Cousot. Proving program invariance and termination by parametric abstraction, Lagrangian relaxation and semidefinite programming. In Radhia Cousot, editor, Verification, Model Checking and Abstract Interpretation (VMCAI), number 3385 in LNCS, pages 1–24. Springer, 2005. ISBN 3-540-24297-X. doi: 10.1007/b105073.
[11] Patrick Cousot and Radhia Cousot. Static Determination of Dynamic Properties of Programs. In Second Int. Symp. on Programming, pages 106–130. Dunod, Paris, France, 1976.
[12] Patrick Cousot and Radhia Cousot. Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In POPL, pages 238–252, 1977. doi: 10.1145/512950.512973.
[13] Patrick Cousot and Nicolas Halbwachs. Automatic discovery of linear restraints among variables of a program. In POPL, pages 84–96, 1978. doi: 10.1145/512760.512770.
[14] Bruno Dutertre and Leonardo de Moura. The Yices SMT solver. Tool paper at http://yices.csl.sri.com/tool-paper.pdf, August 2006.
[15] Bruno Dutertre and Leonardo Mendonça de Moura. A fast linear-arithmetic solver for DPLL(T). In Ball and Jones [3], pages 81–94. ISBN 3-540-37406-X. doi: 10.1007/11817963_11.
[16] Stéphane Gaubert, Eric Goubault, Ankur Taly, and Sarah Zennou. Static analysis by policy iteration on relational domains. In Nicola [38], pages 237–252. ISBN 978-3-540-71314-2.
[17] Thomas Gawlitza and Helmut Seidl. Precise relational invariants through strategy iteration. In Jacques Duparc and Thomas A. Henzinger, editors, CSL, volume 4646 of LNCS, pages 23–40. Springer, 2007. ISBN 978-3-540-74914-1.
[18] Thomas Gawlitza and Helmut Seidl. Precise fixpoint computation through strategy iteration. In Nicola [38], pages 300–315. ISBN 978-3-540-71314-2.
[19] Thomas Gawlitza and Helmut Seidl. Precise interval analysis vs. parity games. In Jorge Cuéllar, T. S. E. Maibaum, and Kaisa Sere, editors, FM, volume 5014 of LNCS, pages 342–357. Springer, 2008. ISBN 978-3-540-68235-6.
[20] Thomas Gawlitza, Jérôme Leroux, Jan Reineke, Helmut Seidl, Grégoire Sutre, and Reinhard Wilhelm. Polynomial precise interval analysis revisited. In Susanne Albers, Helmut Alt, and Stefan Näher, editors, Efficient Algorithms, volume 5760 of LNCS, pages 422–437. Springer, 2009. ISBN 978-3-642-03455-8.
[21] Thomas Martin Gawlitza and Helmut Seidl. Computing relaxed abstract semantics w.r.t. quadratic zones precisely. In SAS, volume 6337 of LNCS, pages 271–286. Springer, 2010. ISBN 3-642-15768-8. doi: 10.1007/978-3-642-15769-1_17.
[22] Thomas Martin Gawlitza and Helmut Seidl. Solving systems of rational equations through strategy iteration. Technical report, TUM, 2009.
[23] Laure Gonnord. Accélération abstraite pour l'amélioration de la précision en analyse des relations linéaires. PhD thesis, Université Joseph Fourier, October 2007. URL http://tel.archives-ouvertes.fr/tel-00196899/en/.
[24] Laure Gonnord and Nicolas Halbwachs. Combining widening and acceleration in linear relation analysis. In Kwangkeun Yi, editor, SAS, volume 4134 of LNCS, pages 144–160. Springer, 2006. ISBN 3-540-37756-5.
[25] Denis Gopan and Thomas W. Reps. Lookahead widening. In Ball and Jones [3], pages 452–466. ISBN 3-540-37406-X. doi: 10.1007/11817963_41.
[26] H. G. Rice. Classes of recursively enumerable sets and their decision problems. In Transactions of the American Mathematical Society, volume 74, pages 358–366. AMS, 1953.
[27] Nicolas Halbwachs. Delay analysis in synchronous programs. In Costas Courcoubetis, editor, Computer Aided Verification (CAV), volume 697 of LNCS, pages 333–346. Springer, 1993. ISBN 3-540-56922-7. doi: 10.1007/3-540-56922-7_28.
[28] A. J. Hoffman and R. M. Karp. On Nonterminating Stochastic Games. Management Sci., 12:359–370, 1966.
[29] R. Howard. Dynamic Programming and Markov Processes. Wiley, NY, 1960.
[30] Jeremy Leconte, Stéphane Le Roux, Leo Liberti, and Fabrizio Marinelli. Code verification by static analysis: a mathematical programming approach. Technical report, LIX, École Polytechnique, Palaiseau, August 2009.
[31] Jérôme Leroux and Grégoire Sutre. Accelerated data-flow analysis. In Static Analysis (SAS), volume 4634 of LNCS, pages 184–199. Springer, 2007. doi: 10.1007/s10009-008-0064-3.
[32] Nimrod Megiddo. On the Complexity of Linear Programming. In T. Bewley, editor, Advances in Economic Theory: 5th World Congress, pages 225–268. Cambridge University Press, 1987.
[33] Antoine Miné. A new numerical abstract domain based on difference-bound matrices. In Olivier Danvy and Andrzej Filinski, editors, PADO, volume 2053 of LNCS, pages 155–172. Springer, 2001. ISBN 3-540-42068-1.
[34] Antoine Miné. The octagon abstract domain. In WCRE, pages 310–, 2001.
[35] Antoine Miné. Domaines numériques abstraits faiblement relationnels. PhD thesis, École polytechnique, 2004.
[36] David Monniaux. A quantifier elimination algorithm for linear real arithmetic. In Iliano Cervesato, Helmut Veith, and Andrei Voronkov, editors, LPAR, volume 5330 of LNCS, pages 243–257. Springer, 2008. ISBN 978-3-540-89438-4.
[37] David Monniaux. Automatic modular abstractions for linear constraints. In Zhong Shao and Benjamin C. Pierce, editors, POPL, pages 140–151. ACM, 2009. ISBN 978-1-60558-379-2.
[38] Rocco De Nicola, editor. Programming Languages and Systems, ESOP 2007, Braga, Portugal, March 24 - April 1, 2007, Proceedings, volume 4421 of LNCS, 2007. Springer. ISBN 978-3-540-71314-2.
[39] Anuj Puri. Theory of Hybrid and Discrete Systems. PhD thesis, University of California, Berkeley, 1995.
[40] Martin L. Puterman. Markov Decision Processes: Discrete Stochastic Dynamic Programming. Wiley, New York, 1994.
[41] Sriram Sankaranarayanan, Henny Sipma, and Zohar Manna. Constraint-based linear-relations analysis. In Static Analysis (SAS), number 3148 in LNCS, pages 53–68. Springer, 2004. doi: 10.1007/b99688.
[42] Sriram Sankaranarayanan, Henny B. Sipma, and Zohar Manna. Scalable analysis of linear systems using mathematical programming. In Radhia Cousot, editor, VMCAI, volume 3385 of LNCS, pages 25–41. Springer, 2005. ISBN 3-540-24297-X.
[43] Alexander Schrijver. Theory of linear and integer programming. John Wiley & Sons, Inc., New York, NY, USA, 1986. ISBN 0-471-90854-1.
[44] Larry J. Stockmeyer. The polynomial-time hierarchy. Theoretical Computer Science, 3(1):1–22, October 1976. doi: 10.1016/0304-3975(76)90061-X.
[45] Jens Vöge and Marcin Jurdziński. A Discrete Strategy Improvement Algorithm for Solving Parity Games. In Computer Aided Verification, 12th Int. Conf. (CAV), pages 202–215. LNCS 1855, Springer, 2000.
[46] Celia Wrathall. Complete sets and the polynomial-time hierarchy. Theor. Comput. Sci., 3(1):23–33, 1976. doi: 10.1016/0304-3975(76)90062-1.