Institute: Technische Universität München, Garching, Germany (Helmut Seidl, Julian Erhard, Sarah Tilscher, Michael Schwarz)
Email: {helmut.seidl, julian.erhard, sarah.tilscher, m.schwarz}@tum.de

Non-Numerical Weakly Relational Domains

Helmut Seidl Julian Erhard Sarah Tilscher Michael Schwarz

(January 10, 2024)

Abstract

The weakly relational domain of Octagons offers a decent compromise between precision and efficiency for numerical properties. Here, we are concerned with the construction of non-numerical relational domains. We provide a general construction of weakly relational domains, which we exemplify with an extension of constant propagation by disjunctions. Since for the resulting domain of 2-disjunctive formulas, satisfiability is NP-complete, we provide a general construction for a further, more abstract weakly relational domain where the abstract operations of restriction and least upper bound can be efficiently implemented.

In the second step, we consider a relational domain that tracks conjunctions of inequalities between variables, and between variables and constants for arbitrary partial orders of values. Examples are sub(multi)sets, as well as prefix, substring or scattered substring orderings on strings. When the partial order is a lattice, we provide precise polynomial algorithms for satisfiability, restriction, and the best abstraction of disjunction. Complementary to the constructions for lattices, we find that, in general, satisfiability of conjunctions is NP-complete. We therefore again provide polynomial abstract versions of restriction, conjunction, and join. By using our generic constructions, these domains are extended to weakly relational domains that additionally track disjunctions.

For all our domains, we indicate how abstract transformers for assignments and guards can be constructed.

Keywords:

weakly relational domains, 2-decomposable relational domains, 2-disjunctive constants, directed domains

1 Introduction

Relational analyses have been observed to be indispensable for verifying intricate program properties. In particular, this is the case when for the purpose of verification, ghost variables have been introduced which must be related to program variables. Termination may be verified by introducing a ghost loop counter, which can be proven bounded by a relational domain relating it to the actual bounded iteration variable Albert et al. (2014). The validity of string operations on null-terminated strings as employed, e.g., in the programming language C, may be verified by introducing ghost variables for the length of a buffer as well as for tracking the position of the null byte in the buffer Dor et al. (2001). It also has been observed that monolithic relational domains such as the polyhedra abstract domain Cousot and Halbwachs (1978) scale badly to larger programs. Therefore, weakly relational domains have been proposed which can only express simple relational properties, but have the potential to scale better Miné (2004). Examples of weakly relational numerical properties are the Two Variables Per Inequality domain Simon et al. (2002), or domains given by a finite set of linear templates Sankaranarayanan et al. (2005). The most prominent example of a template numerical domain is the Octagon domain Miné (2001, 2006) which allows tracking upper and lower bounds not only of program variables but also of sums and differences of two program variables. One such octagon abstract relation could, e.g., be given by the conjunction

(-x\leq-5)\wedge(x\leq 10)\wedge(x+y\leq 0)\wedge(x-z\leq 1)

Octagons thus can be considered as a mild extension of the non-relational domain of Intervals for program variables, and a variety of efficient algorithms have been provided Bagnara et al. (2008, 2009); Chawdhary et al. (2019); Schwarz and Seidl (2023). Here, we are concerned with constructing non-numerical abstract domains.

For that, we provide a general technique to construct a weakly relational domain from every relational domain. As one instance of the general construction, we consider 2-disjunctive constants as mentioned in Schwarz et al. (2023). This weakly relational domain allows one, e.g., to relate the names of functions with function pointers as in the formula

x=\textsf{"foo"}\wedge y=\&\textsf{foo}\;\vee\;x=\textsf{"bar"}\wedge y=\&\textsf{bar}

Since satisfiability of formulas from that domain turns out to be NP-complete, we provide a further mild abstraction, again for arbitrary relational domains, to provide us with a weakly relational domain where all required operations become tractable.

Another family of relational non-numerical domains has been introduced by Arceri et al. (2022). Based on a partial order of values, conjunctions of ordering constraints $x\sqsubseteq y$ for program variables $x,y$ are considered. They observe that analyses of prefixes or the substring relation could be helpful for programs in programming languages supporting high-level operations on strings. Here, we study this kind of directed domains in greater detail. For conjunctions of inequalities over some partial order $P$ , we extend the constraints from Arceri et al. (2022) by allowing for variables both lower and upper bounds from $P$ . For arbitrary partial orders, though, we find that then satisfiability is NP-complete. Partial orders $P$ that are lattices form a notable exception. An instance of this are subsets of some universe or multisets. For lattices, we show that satisfiability is decidable in polynomial time. Moreover, we provide polynomial constructions both for restriction as well as the optimal join operation. Turning to general partial orders of values, we thus cannot hope for polynomial algorithms. Therefore, we provide a meaningful abstraction so that both abstract restriction as well as join are again polynomial. This family of relational domains is already weakly relational. Still, our generic constructions can be applied to obtain more expressive weakly relational domains that additionally support disjunctions at limited extra cost.

The paper is organized as follows: Section 2 provides background definitions on relational domains. It formally introduces our notion of weakly relational domains and provides a general construction of weakly relational domains. Section 3 is dedicated to disjunctive constants. When applying the generic construction from the last section to this relational domain, the weakly relational domain of 2-disjunctive constants is obtained. Here, we prove that satisfiability for these formulas still is NP-complete. Therefore, a generic abstraction technique is presented so that, when applied to disjunctive constants, normalization, projection, as well as least upper bounds all turn out to be polynomial time.

Finally, abstract transformers for assignments as well as guards are derived. Section 4 then introduces directed domains which do not track equalities but inequalities over a partial order of values. While the first subsection provides polynomial constructions for the case that the partial order for values is a lattice, the second subsection is concerned with arbitrary partial orders as value domain. Since satisfiability, in general, turns out to be NP-complete, again a polynomial abstraction is provided. In a further subsection, we indicate how the generic constructions from the last sections provide us with weakly relational domains that additionally support disjunctions of inequalities. We exemplify the resulting domains with conjunctions and disjunctions of inequalities over the integers. In the penultimate subsection, dedicated abstract transformers are constructed for assignments, while the last subsection discusses the treatment of guards. Section 5 summarizes the contributions and sketches further directions of research.

2 Weakly Relational Domains

Let us recall basic definitions for relational domains. We mostly follow the notation used in previous work Schwarz et al. (2023), where the notion of $2$ -decomposability has been introduced. Let ${\mathcal{}X}$ be some finite set of variables. A relational domain ${\mathcal{}R}$ maintains relations between variables in ${\mathcal{}X}$ . We require that a relational domain is a bounded lattice, i.e., has a partial order $\sqsubseteq$ , a least element $\bot$ , a greatest element $\top$ , as well as binary operators for the greatest lower bound (meet) $\sqcap$ and the least upper bound (join) $\sqcup$ . We do not demand relational domains to be complete lattices, i.e., to provide for every subset of elements a least upper bound: the polyhedral domain, e.g., is not complete Cousot and Halbwachs (1978). However, we demand that a relational domain supports the following monotonic operations:

\begin{array}[]{rcl}\llbracket x\,{:=}\,e\rrbracket^{\sharp}&:&{\mathcal{}R}\to{\mathcal{}R}\text{ (assignment of $e$ to $x$)}\\ {\left.\kern-1.2pt\cdot\vphantom{|}\right|_{Y}}&:&{\mathcal{}R}\to{\mathcal{}R}\text{ (restriction to $Y\subseteq{\mathcal{}X}$)}\\ \llbracket?c\rrbracket^{\sharp}&:&{\mathcal{}R}\to{\mathcal{}R}\text{ (guard for condition $c$)}\end{array}

where $e$ and $c$ are from some expression and condition language, respectively.

The abstract transformers for basic actions of programs are given by these functions. Restricting a relation $r$ to a subset $Y$ of variables amounts to forgetting all information about variables in ${\mathcal{}X}\setminus Y$ . Thus, we require that

\begin{array}[]{lll}{\left.\kern-1.2ptr\vphantom{|}\right|_{{\mathcal{}X}}}&=&r\\ {\left.\kern-1.2ptr\vphantom{|}\right|_{\emptyset}}&=&\left\{\begin{array}[]{ll}\bot&\text{if}\;r=\bot\\ \top&\text{otherwise}\end{array}\right.\\ {\left.\kern-1.2ptr\vphantom{|}\right|_{Y_{1}}}&\sqsupseteq&{\left.\kern-1.2ptr\vphantom{|}\right|_{Y_{2}}}\qquad\text{when}\;Y_{1}\subseteq Y_{2}\\ {\left.\kern-1.2pt({\left.\kern-1.2ptr\vphantom{|}\right|_{Y_{1}}})\vphantom{|}\right|_{Y_{2}}}&=&{\left.\kern-1.2ptr\vphantom{|}\right|_{Y_{1}\cap Y_{2}}}\end{array}

(1)

A restriction ${\left.\kern-1.2pt\cdot\vphantom{|}\right|_{Y}}$ to some set $Y$ therefore is an idempotent operation. We remark that from these axioms it follows that ${\left.\kern-1.2pt\bot\vphantom{|}\right|_{Y}}=\bot$ and ${\left.\kern-1.2pt\top\vphantom{|}\right|_{Y}}=\top$ for any $Y\subseteq{\mathcal{}X}$ . Given that there is some relation $r_{c}\in{\mathcal{}R}$ describing all states satisfying the condition $c$ , the transformation for the guard $?c$ can be described by

\llbracket?c\rrbracket^{\sharp}r=r\sqcap r_{c}

(2)

– at least, if there is a concretization function $\gamma$ such that

\gamma\,(r_{1}\sqcap r_{2})=\gamma\,r_{1}\cap\gamma\,r_{2}

(3)

i.e., the binary meet operation is precise.
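The restriction axioms (1) and the guard transformer (2) can be illustrated on the simplest possible relational domain: explicit sets of states over a small finite universe. The following is only a sketch under that assumption; the names `VARS`, `VALUES`, `restrict` and `guard` are hypothetical and not taken from the paper.

```python
from itertools import product

VARS = ("x", "y", "z")   # hypothetical variable set X
VALUES = (0, 1, 2)       # hypothetical finite universe of values

# A relation is a frozenset of states; a state is a tuple indexed like VARS.
TOP = frozenset(product(VALUES, repeat=len(VARS)))
BOT = frozenset()

def restrict(r, keep):
    """r|_keep: retain the projection onto `keep`, allow any value elsewhere."""
    idx = [i for i, v in enumerate(VARS) if v in keep]
    seen = {tuple(s[i] for i in idx) for s in r}
    return frozenset(s for s in TOP if tuple(s[i] for i in idx) in seen)

def guard(r, condition):
    """[[?c]]# r = r meet r_c, where r_c contains all states satisfying c."""
    r_c = frozenset(s for s in TOP if condition(dict(zip(VARS, s))))
    return r & r_c

# Example relation: x < y and y == z
r = guard(TOP, lambda s: s["x"] < s["y"] and s["y"] == s["z"])
```

In this set-based model the meet is plain intersection, so property (3) holds trivially with the identity as concretization.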

Example 1

For numerical variables, a variety of such relational domains have been proposed, e.g., (conjunctions of) affine equalities Karr (1976); Müller-Olm and Seidl (2004, 2007) or affine inequalities Cousot and Halbwachs (1978). For affine equalities or inequalities, restriction to a subset $Y$ of variables corresponds to the geometric projection onto the subspace defined by $Y$ , combined with arbitrary values for variables $z\not\in Y$ . ∎

One way to tackle the high cost of relational domains is to track the relationships not between all variables, but only between subclusters of variables. We call such domains Weakly Relational Domains.

For a subset $Y\subseteq{\mathcal{}X}$ , let ${\mathcal{}R}^{Y}=\{{\left.\kern-1.2ptr\vphantom{|}\right|_{Y}}\mid r\in{\mathcal{}R}\}$ be the set of all abstract values from ${\mathcal{}R}$ that contain information only on the variables in $Y$ . For any collection ${\mathcal{}S}\subseteq 2^{{\mathcal{}X}}$ of clusters of variables, a relation $r\in{\mathcal{}R}$ can be approximated by a meet of relations from ${\mathcal{}R}^{Y},Y\in{\mathcal{}S}$ , since for every $r\in{\mathcal{}R}$ ,

r\sqsubseteq\bigsqcap_{Y\in{\mathcal{}S}}{\left.\kern-1.2ptr\vphantom{|}\right|_{Y}}

(4)

holds, as $r\sqsubseteq{\left.\kern-1.2ptr\vphantom{|}\right|_{Y}}$ holds for each $Y\in{\mathcal{}S}$ . In fact, the right-hand side of (4) is the best approximation of $r$ by some meet over abstract relations $s_{Y},Y\in{\mathcal{}S},$ with $s_{Y}\in{\mathcal{}R}^{Y}$ , i.e., with ${\left.\kern-1.2pts_{Y}\vphantom{|}\right|_{Y}}=s_{Y}$ , since

\begin{array}[]{lcl}{\left.\kern-1.2ptr\vphantom{|}\right|_{Y}}&\sqsubseteq&{\left.\kern-1.2pt(\bigsqcap_{Y^{\prime}\in{\mathcal{}S}}s_{Y^{\prime}})\vphantom{|}\right|_{Y}}\\ &\sqsubseteq&{\left.\kern-1.2pts_{Y}\vphantom{|}\right|_{Y}}\qquad\qquad\quad\text{(by monotonicity of restriction)}\\ &=&s_{Y}\end{array}

holds for all $Y\in{\mathcal{}S}$ .

Schwarz et al. (2023) have introduced $2$ -decomposable relational domains. These are domains where the full value $r$ can be recovered from the restrictions of $r$ to all clusters $p$ from the set $\mathcal{S}=[{\mathcal{}X}]_{2}$ of non-empty clusters of variables of size at most $2$ . Furthermore, Schwarz et al. (2023) ask for binary least upper bounds to be determined by computing within these clusters only. More precisely, this amounts to requiring the following two properties

r=\bigsqcap_{p\in[{\mathcal{}X}]_{2}}{\left.\kern-1.2ptr\vphantom{|}\right|_{p}}

(5)

{\left.\kern-1.2pt\left(r_{1}\sqcup r_{2}\right)\vphantom{|}\right|_{p}}={\left.\kern-1.2ptr_{1}\vphantom{|}\right|_{p}}\sqcup{\left.\kern-1.2ptr_{2}\vphantom{|}\right|_{p}}\qquad(p\in[{\mathcal{}X}]_{2})

(6)

to hold for all abstract relations $r,r_{1},r_{2}\in{\mathcal{}R}$ . The most prominent example of a $2$ -decomposable domain is the octagon domain Miné (2001) – either over rationals or integers, while affine equalities or affine inequalities are examples of domains that are not $2$ -decomposable.
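To make the approximation (4) and property (5) concrete, the following sketch computes the meet of all restrictions to clusters of size at most two for explicit sets of states. It is an illustration under the assumption of a tiny Boolean universe; `closure2`, `chain` and `parity` are hypothetical names. The relation `chain` is recovered exactly from its 2-cluster restrictions, whereas `parity` is not.

```python
from itertools import combinations, product

VARS = ("x", "y", "z")   # hypothetical variable set X
VALUES = (0, 1)          # hypothetical finite universe of values
TOP = frozenset(product(VALUES, repeat=len(VARS)))

def restrict(r, keep):
    """r|_keep: retain the projection onto `keep`, allow any value elsewhere."""
    idx = [i for i, v in enumerate(VARS) if v in keep]
    seen = {tuple(s[i] for i in idx) for s in r}
    return frozenset(s for s in TOP if tuple(s[i] for i in idx) in seen)

def clusters2():
    """[X]_2: all non-empty clusters of at most two variables."""
    return [set(c) for k in (1, 2) for c in combinations(VARS, k)]

def closure2(r):
    """Meet of the restrictions of r to all clusters in [X]_2."""
    result = TOP
    for p in clusters2():
        result &= restrict(r, p)
    return result

# x <= y <= z is determined by its pairwise projections ...
chain = frozenset(s for s in TOP if s[0] <= s[1] <= s[2])
# ... while "x + y + z is even" loses all information when projected to pairs.
parity = frozenset(s for s in TOP if (s[0] + s[1] + s[2]) % 2 == 0)
```

Here `closure2(chain)` equals `chain`, while `closure2(parity)` is the full relation, so a domain able to express `parity` cannot satisfy (5).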

Any relational domain ${\mathcal{}R}$ , however, which satisfies (6) gives rise to a 2-decomposable domain ${\mathcal{}R}_{2}$ of its 2-cluster approximations.

For $r\in{\mathcal{}R}$ , let $\overline{r}=\bigsqcap_{p\in[{\mathcal{}X}]_{2}}{\left.\kern-1.2ptr\vphantom{|}\right|_{p}}$ denote the approximation of $r$ by the meet of its restrictions to clusters $p\in[{\mathcal{}X}]_{2}$ . Let ${\mathcal{}R}_{2}$ denote the subset of ${\mathcal{}R}$ of all abstract relations of the form $\overline{r},r\in{\mathcal{}R}$ , where the ordering is inherited from ${\mathcal{}R}$ . In particular, $\bot$ as well as $\top$ from ${\mathcal{}R}$ are also in ${\mathcal{}R}_{2}$ .

Theorem 2.1

Assume that ${\mathcal{}R}$ is an abstract relational domain which satisfies (6). Then the following holds:

1.

$r=\overline{r}$ for all conjunctions $r=\bigsqcap_{p\in[{\mathcal{}X}]_{2}}s_{p}$ with $s_{p}\in{\mathcal{}R}^{p},p\in[{\mathcal{}X}]_{2}$ , i.e., all such conjunctions are contained in ${\mathcal{}R}_{2}$ .
2.

For $r_{1},r_{2}\in{\mathcal{}R}_{2}$ , the abstract relation $r_{1}\sqcap r_{2}$ , as provided by ${\mathcal{}R}$ , is in ${\mathcal{}R}_{2}$ .

3.

The binary least upper bound operation in ${\mathcal{}R}_{2}$ exists and is given by

r_{1}\sqcup_{2}r_{2}=\bigsqcap_{p\in[{\mathcal{}X}]_{2}}({\left.\kern-1.2ptr_{1}\vphantom{|}\right|_{p}}\sqcup{\left.\kern-1.2ptr_{2}\vphantom{|}\right|_{p}})

4.

For ${\mathcal{}R}_{2}$ , the best approximation ${\left.\kern-1.2ptr\vphantom{|}\right|_{Y,2}}$ to the restriction ${\left.\kern-1.2ptr\vphantom{|}\right|_{Y}}$ of $r\in{\mathcal{}R}_{2}$ onto some subset $Y\subseteq{\mathcal{}X}$ of variables is given by

{\left.\kern-1.2ptr\vphantom{|}\right|_{Y,2}}=\bigsqcap_{p\in[{\mathcal{}X}]_{2}}{\left.\kern-1.2ptr\vphantom{|}\right|_{p\cap Y}}

5.

The partial order ${\mathcal{}R}_{2}$ with the given binary greatest lower and least upper bounds is a 2-decomposable relational domain.

Proof

For a proof of statement (1), we first observe that for each $p\in[{\mathcal{}X}]_{2}$ ,

{\left.\kern-1.2ptr\vphantom{|}\right|_{p}}={\left.\kern-1.2pt\left(\bigsqcap_{p\in[{\mathcal{}X}]_{2}}s_{p}\right)\vphantom{|}\right|_{p}}\sqsubseteq{\left.\kern-1.2pts_{p}\vphantom{|}\right|_{p}}=s_{p}

by monotonicity and idempotence of restriction. Thus,

r\sqsubseteq\overline{r}=\bigsqcap_{p\in[{\mathcal{}X}]_{2}}{\left.\kern-1.2ptr\vphantom{|}\right|_{p}}\sqsubseteq\bigsqcap_{p\in[{\mathcal{}X}]_{2}}s_{p}=r

where the first inequality follows from Eq. 4. Thus, statement (1) follows.

For a proof of statement (2), consider elements $r,s\in{\mathcal{}R}_{2}$ . Then

r\sqcap s=\bigsqcap_{p\in[{\mathcal{}X}]_{2}}{\left.\kern-1.2ptr\vphantom{|}\right|_{p}}\sqcap\bigsqcap_{p\in[{\mathcal{}X}]_{2}}{\left.\kern-1.2pts\vphantom{|}\right|_{p}}=\bigsqcap_{p\in[{\mathcal{}X}]_{2}}({\left.\kern-1.2ptr\vphantom{|}\right|_{p}}\sqcap{\left.\kern-1.2pts\vphantom{|}\right|_{p}})

Now, we claim that for every $p\in[{\mathcal{}X}]_{2}$ ,

{\left.\kern-1.2ptr\vphantom{|}\right|_{p}}\sqcap{\left.\kern-1.2pts\vphantom{|}\right|_{p}}={\left.\kern-1.2pt({\left.\kern-1.2ptr\vphantom{|}\right|_{p}}\sqcap{\left.\kern-1.2pts\vphantom{|}\right|_{p}})\vphantom{|}\right|_{p}}

To prove the claim, we argue that

\begin{array}[]{lcl@{\quad}l}{\left.\kern-1.2ptr\vphantom{|}\right|_{p}}\sqcap{\left.\kern-1.2pts\vphantom{|}\right|_{p}}&\sqsubseteq&{\left.\kern-1.2pt({\left.\kern-1.2ptr\vphantom{|}\right|_{p}}\sqcap{\left.\kern-1.2pts\vphantom{|}\right|_{p}})\vphantom{|}\right|_{p}}&\text{(by monotonicity)}\\ &\sqsubseteq&{\left.\kern-1.2pt({\left.\kern-1.2ptr\vphantom{|}\right|_{p}})\vphantom{|}\right|_{p}}\sqcap{\left.\kern-1.2pt({\left.\kern-1.2pts\vphantom{|}\right|_{p}})\vphantom{|}\right|_{p}}&\text{(by monotonicity)}\\ &=&{\left.\kern-1.2ptr\vphantom{|}\right|_{p}}\sqcap{\left.\kern-1.2pts\vphantom{|}\right|_{p}}&\text{(by idempotence)}\end{array}

and the claim follows. So far, we have proven that

r\sqcap s=\bigsqcap_{p\in[{\mathcal{}X}]_{2}}t_{p}

for some $t_{p}\in{\mathcal{}R}^{p}$ , $p\in[{\mathcal{}X}]_{2}$ . Then, statement (2) follows from statement (1).

For a proof of statement (3), we note that any upper bound of $r_{1},r_{2}$ in ${\mathcal{}R}_{2}$ is also an upper bound of $r_{1}\sqcup r_{2}$ in ${\mathcal{}R}$ . Therefore, the least upper bound of $r_{1},r_{2}$ in ${\mathcal{}R}_{2}$ is given by $\overline{r_{1}\sqcup r_{2}}$ . We calculate:

\begin{array}[]{lll@{\quad}l}\overline{r_{1}\sqcup r_{2}}&=&\bigsqcap_{p\in[{\mathcal{}X}]_{2}}{\left.\kern-1.2pt(r_{1}\sqcup r_{2})\vphantom{|}\right|_{p}}&\text{(by definition)}\\ &=&\bigsqcap_{p\in[{\mathcal{}X}]_{2}}({\left.\kern-1.2ptr_{1}\vphantom{|}\right|_{p}}\sqcup{\left.\kern-1.2ptr_{2}\vphantom{|}\right|_{p}})&\text{(by (6))}\end{array}

and statement (3) follows.

For a proof of statement (4), we note that the best approximation of ${\left.\kern-1.2ptr\vphantom{|}\right|_{Y}}$ in ${\mathcal{}R}_{2}$ is given by $\overline{{\left.\kern-1.2ptr\vphantom{|}\right|_{Y}}}$ . Thus, we have

{\left.\kern-1.2ptr\vphantom{|}\right|_{Y,2}}=\bigsqcap_{p\in[{\mathcal{}X}]_{2}}{\left.\kern-1.2pt({\left.\kern-1.2ptr\vphantom{|}\right|_{Y}})\vphantom{|}\right|_{p}}=\bigsqcap_{p\in[{\mathcal{}X}]_{2}}{\left.\kern-1.2ptr\vphantom{|}\right|_{Y\cap p}}=\bigsqcap_{p\in[{\mathcal{}X}]_{2}}{\left.\kern-1.2pt({\left.\kern-1.2ptr\vphantom{|}\right|_{p}})\vphantom{|}\right|_{Y}}

i.e., it can be determined by applying the restriction onto variables from $Y$ for each cluster $p\in[{\mathcal{}X}]_{2}$ separately. This implies statement (4).

Statement (5) is an immediate consequence of statements (3) and (4). ∎

The polyhedral domain, e.g., satisfies (6). Applied to the polyhedral relational domain, the construction from Theorem 2.1 results in the domain of affine inequalities with at most two variables per inequality Simon et al. (2002).

According to Theorem 2.1, every value $r$ from the $2$ -decomposable relational domain ${\mathcal{}R}_{2}$ can be represented as the meet of its restrictions to $2$ -clusters, i.e., by the collection $\langle{\left.\kern-1.2ptr\vphantom{|}\right|_{p}}\rangle_{p\in[{\mathcal{}X}]_{2}}$ . We call this representation normal, and an algorithm that computes it normalization. Consider now an arbitrary collection $\langle s_{p}\rangle_{p\in[{\mathcal{}X}]_{2}}$ with $s_{p}\in{\mathcal{}R}^{p}$ and $r=\bigsqcap_{p\in[{\mathcal{}X}]_{2}}s_{p}$ . Then ${\left.\kern-1.2ptr\vphantom{|}\right|_{p}}\sqsubseteq s_{p}$ always holds, while equality need not hold. In the Octagon domain over the rationals or the integers, the normal representation of an octagon value corresponds to its closure as introduced in previous work Miné (2001); Bagnara et al. (2008). While for rational Octagons, closure in cubic time was already proposed by Miné (2001), a corresponding algorithm for constraints interpreted over the integers was provided only more recently Bagnara et al. (2008, 2009).

Subsequently, we introduce non-numerical weakly relational domains and provide polynomial algorithms for these.

3 Disjunctive Constants

Constant propagation relies on a domain that maintains conjunctions of atomic propositions $x=a$ where $x$ is a program variable and $a$ is from a finite set $U$ of possible values. In the following, we consider a (mild) generalization of this domain where also disjunctions of at most two atomic propositions are allowed.

Assume we are given a finite set $U$ representing possible values for variables from ${\mathcal{}X}$ . We consider propositions of the form $(x\in A)$ for $A\subseteq U$ which correspond to the disjunction of atomic propositions $x=a,a\in A$ . Thus, the proposition $x\in A$ for some $A\subseteq U$ can be understood as an atomic proposition of a multi-valued propositional logic where $A$ serves as the set of logical values of the propositional variable $x$ Beckert et al. (2000). Every monotonic Boolean combination $\Psi$ of propositions $x\in A$ with $x\in{\mathcal{}X},A\subseteq U$ , represents a function $\llbracket\Psi\rrbracket:({\mathcal{}X}\to U)\to{\mathcal{}B}$ defined by

\begin{array}[]{lll}\llbracket x\in A\rrbracket\;\sigma&=&(\sigma\,x)\in A\\ \llbracket\Psi_{1}\vee\Psi_{2}\rrbracket\;\sigma&=&\llbracket\Psi_{1}\rrbracket\,\sigma\vee\llbracket\Psi_{2}\rrbracket\,\sigma\\ \llbracket\Psi_{1}\wedge\Psi_{2}\rrbracket\;\sigma&=&\llbracket\Psi_{1}\rrbracket\,\sigma\wedge\llbracket\Psi_{2}\rrbracket\,\sigma\end{array}

Let ${\mathcal{}C}[U]$ denote the complete lattice of all equivalence classes of formulas $\Psi$ where the ordering is semantic implication. The least element in this ordering can be represented by the empty disjunction or $\bot$ (false), while the greatest element is equivalent to the empty conjunction or $\top$ (true). Each formula $\Psi$ has an equivalent CNF as well as an equivalent DNF where each clause (conjunction) contains at most one proposition $x\in A$ for every variable $x$ . Converting $\Psi$ into DNF allows checking satisfiability and computing the restriction ${\left.\kern-1.2pt\Psi\vphantom{|}\right|_{Y}}$ onto a subset $Y\subseteq{\mathcal{}X}$ of variables. A formula for ${\left.\kern-1.2pt\Psi\vphantom{|}\right|_{Y}}$ is obtained from a DNF for $\Psi$ where each conjunction contains at most one proposition for each variable by the following steps: First, every conjunction which contains $y\in\emptyset$ for some $y$ is removed. From each remaining conjunction, then every proposition $y\in A$ with $y\not\in Y$ is removed. It follows that ${\left.\kern-1.2pt\Psi\vphantom{|}\right|_{Y}}$ is distributive, i.e., commutes with binary least upper bounds.
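The two-step restriction procedure on DNFs described above can be sketched as follows. The representation is an assumption made for illustration: a DNF is a list of conjunctions, and each conjunction is a dictionary mapping a variable to the set $A$ of its single proposition $x\in A$; the name `restrict_dnf` is hypothetical.

```python
def restrict_dnf(dnf, keep):
    """Restrict a DNF to the variables in `keep`.

    `dnf` is a list of conjunctions; each conjunction maps a variable to the
    set A of the single proposition (x in A) it contains for that variable.
    The empty list denotes bottom, the empty conjunction {} denotes top.
    """
    result = []
    for conj in dnf:
        # Step 1: drop unsatisfiable conjunctions (some y in the empty set).
        if any(len(values) == 0 for values in conj.values()):
            continue
        # Step 2: forget all propositions on variables outside `keep`.
        projected = {x: a for x, a in conj.items() if x in keep}
        if projected not in result:
            result.append(projected)
    return result

# (x in {a} and y in {b}) or (x in {c} and y in {}) or (x in {a} and z in {d})
psi = [
    {"x": {"a"}, "y": {"b"}},
    {"x": {"c"}, "y": set()},
    {"x": {"a"}, "z": {"d"}},
]
```

Since every conjunction is processed independently, restricting a disjunction of two DNFs yields the disjunction of their restrictions, which is the distributivity noted above.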

For an arbitrary $\Psi\in{\mathcal{}C}[U]$ , computing an equivalent DNF is an exponential time operation. The same holds if all restrictions ${\left.\kern-1.2pt\Psi\vphantom{|}\right|_{\{x,y\}}}$ are computed via this normal form. Let ${\mathcal{}C}_{2}[U]$ denote the 2-decomposable domain obtained from ${\mathcal{}C}[U]$ according to Theorem 2.1. The lattice ${\mathcal{}C}_{2}[U]$ consists of all elements $\Psi$ which can be represented as conjunctions of clauses with at most two propositions $x\in A_{x}$ per clause. According to Theorem 2.1, the least upper bound operation $\sqcup_{2}$ for ${\mathcal{}C}_{2}[U]$ can be realized by a clusterwise disjunction. In particular, it does not coincide with logical disjunction but over-approximates it.

Example 2

Let $\Psi_{1}\equiv(x\in\{a\})$ and $\Psi_{2}\equiv(y\in\{b\}\lor z\in\{c\})$ . Then both $\Psi_{1}$ and $\Psi_{2}$ are from ${\mathcal{}C}_{2}[U]$ , but their disjunction is not. In fact, the least upper bound in ${\mathcal{}C}_{2}[U]$ for

(x\in\{a\})\lor(y\in\{b\})\lor(z\in\{c\})

is $\top$ . ∎
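Example 2 can be replayed mechanically with explicit sets of states. The sketch below assumes a three-element universe `U` containing the constants of the example and models the clusterwise join $\sqcup_{2}$ from Theorem 2.1 by set operations; `join2` is a hypothetical name.

```python
from itertools import combinations, product

VARS = ("x", "y", "z")
U = ("a", "b", "c")   # hypothetical universe containing the constants of Example 2
TOP = frozenset(product(U, repeat=len(VARS)))
CLUSTERS = [set(c) for k in (1, 2) for c in combinations(VARS, k)]

def restrict(r, keep):
    """r|_keep: retain the projection onto `keep`, allow any value elsewhere."""
    idx = [i for i, v in enumerate(VARS) if v in keep]
    seen = {tuple(s[i] for i in idx) for s in r}
    return frozenset(s for s in TOP if tuple(s[i] for i in idx) in seen)

def join2(r1, r2):
    """Clusterwise join: meet over all clusters p of (r1|_p join r2|_p)."""
    result = TOP
    for p in CLUSTERS:
        result &= restrict(r1, p) | restrict(r2, p)
    return result

psi1 = frozenset(s for s in TOP if s[0] == "a")                  # x in {a}
psi2 = frozenset(s for s in TOP if s[1] == "b" or s[2] == "c")   # y in {b} or z in {c}
```

For every cluster, one of the two restrictions is already the full relation, so `join2(psi1, psi2)` is `TOP`, although the logical disjunction `psi1 | psi2` excludes, e.g., the state `("b", "a", "a")`.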

3.1 Approximating 2-disjunctive Conjunctions

Any CNF $\Psi$ over some set $Y$ of variables of bounded size can, in polynomial time, be transformed into a DNF $\Psi^{\prime}$ . Each DNF over two distinct variables $x,y$ can be brought into the canonical normal form

\bigvee_{(a,b)\in L}(x=a)\wedge(y=b)

(7)

for some $L\subseteq U\times U$ . Conjunction and disjunction of two such normal forms then correspond to intersection and union of the respective subsets of $U\times U$ .
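As a small illustration of the normal form (7), a formula over two variables $x,y$ can be stored as the set $L$ of admissible value pairs. The helper names `clause` and `conj` and the universe `U` are assumptions of this sketch.

```python
from itertools import product

U = ("a", "b", "c")   # hypothetical finite universe

def clause(A, B):
    """Normal form L of the clause (x in A) or (y in B)."""
    return {(a, b) for a, b in product(U, U) if a in A or b in B}

def conj(A, B):
    """Normal form L of the conjunction (x in A) and (y in B), for A, B subsets of U."""
    return set(product(A, B))

# (x in {a,b} or y in {c}) and (x in {b,c} or y in {a})
L1 = clause({"a", "b"}, {"c"})
L2 = clause({"b", "c"}, {"a"})
both = L1 & L2      # conjunction corresponds to intersection
either = L1 | L2    # disjunction corresponds to union
```

With this representation each operation on a single 2-cluster touches at most $|U|^{2}$ pairs.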

For arbitrary sets $Y$ of variables, though, it is non-trivial even to decide whether a given conjunction is different from $\bot$ .

Theorem 3.1

To decide for a formula $\Psi\in{\mathcal{}C}_{2}[U]$ whether or not $\Psi$ is satisfiable, i.e., different from $\bot$ , is NP-complete.

Proof

Since a satisfying assignment for $\Psi$ can be guessed and then checked in polynomial time, satisfiability of $\Psi$ is in NP. NP-hardness, on the other hand, follows by a reduction from 3-colorability of graphs Beckert et al. (2000). We illustrate the reduction with an example.

Example 3

For ${\mathcal{}X}=\{x_{1},x_{2},x_{3},x_{4}\}$ , consider the formula $\Psi$

\bigwedge_{\{x_{i},x_{j}\}\in E}\begin{array}[t]{ll}\left(x_{i}\in\{b,c\}\vee x_{j}\in\{b,c\}\right)&\wedge\\ \left(x_{i}\in\{a,c\}\vee x_{j}\in\{a,c\}\right)&\wedge\\ \left(x_{i}\in\{a,b\}\vee x_{j}\in\{a,b\}\right)\end{array}

where $E$ is given by

E=\left\{\{x_{1},x_{2}\},\{x_{1},x_{4}\},\{x_{2},x_{3}\},\{x_{3},x_{4}\},\{x_{1},x_{3}\},\{x_{2},x_{4}\}\right\}

Then $\Psi$ is satisfiable iff the undirected graph $({\mathcal{}X},E)$ has a 3-coloring. In the given example, the graph cannot be colored by three colors. Therefore, $\Psi$ is equivalent to $\bot$ . ∎
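The reduction can be tried out on small graphs. The following sketch builds the three clauses per edge and checks satisfiability by brute force, which is of course exponential and only meant for illustration. The function names and the two test graphs are assumptions: a triangle, which is 3-colorable, and the complete graph on four vertices, which is not.

```python
from itertools import combinations, product

COLORS = ("a", "b", "c")

def coloring_formula(edges):
    """2-CNF for an edge set: for each edge {xi, xj} and each color k, the clause
    (xi in COLORS minus {k}) or (xj in COLORS minus {k})."""
    clauses = []
    for xi, xj in edges:
        for k in COLORS:
            allowed = frozenset(COLORS) - {k}
            clauses.append(((xi, allowed), (xj, allowed)))
    return clauses

def satisfiable(variables, clauses):
    """Brute-force search over all assignments of colors to variables."""
    for values in product(COLORS, repeat=len(variables)):
        sigma = dict(zip(variables, values))
        if all(sigma[x] in A or sigma[y] in B for (x, A), (y, B) in clauses):
            return True
    return False

nodes = ("x1", "x2", "x3", "x4")
triangle = [("x1", "x2"), ("x2", "x3"), ("x1", "x3")]
k4 = list(combinations(nodes, 2))   # complete graph on four vertices
```

A clause for color $k$ is violated exactly when both endpoints of the edge carry $k$, so satisfying assignments and proper 3-colorings coincide.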

Exact normalization (as defined in Section 2) of a relation represented by some 2-CNF thus, in general, may be difficult to compute. Instead of giving dedicated further abstraction techniques, we prefer to provide for an arbitrary relational domain ${\mathcal{}R}$ , a general construction to approximate the 2-decomposable domain ${\mathcal{}R}_{2}$ further by a 2-decomposable domain ${\mathcal{}R}_{2}^{\sharp}$ . This construction is based on approximate normalization.

Assume that an element in ${\mathcal{}R}_{2}$ is given by the meet $\bigsqcap R$ where $R$ is the collection $\langle s_{p}\rangle_{p\in[{\mathcal{}X}]_{2}}$ with $s_{p}\in{\mathcal{}R}^{p}$ ( $p\in[{\mathcal{}X}]_{2}$ ). According to Theorem 2.1, ${\left.\kern-1.2pt(\bigsqcap R)\vphantom{|}\right|_{p}}\sqsubseteq s_{p}$ for all $p\in[{\mathcal{}X}]_{2}$ . As we have seen for 2-disjunctive constants, however, exact normalization of $\bigsqcap R$ , i.e., the values ${\left.\kern-1.2pt(\bigsqcap R)\vphantom{|}\right|_{p}}$ may be hard to compute precisely. For an approximate normalization, we introduce a constraint system in unknowns $r_{p},p\in[{\mathcal{}X}]_{2}$ with the constraints

\begin{array}[]{lll@{\;\;}r}r_{\{x,y\}}&\sqsubseteq&s_{\{x,y\}}&(x,y\in{\mathcal{}X})\\ r_{\{x,y\}}&\sqsubseteq&{\left.\kern-1.2pt(r_{\{x,z\}}\sqcap r_{\{z,y\}})\vphantom{|}\right|_{\{x,y\}}}&(x,y,z\in{\mathcal{}X})\end{array}

(8)

This constraint system has already been considered for the normalization of $2$ -projective domains Schwarz and Seidl (2023). As all right-hand sides are monotonic, the constraint system has a greatest solution – whenever each ${\mathcal{}R}^{p},p\in[{\mathcal{}X}]_{2},$ is a complete lattice.

In case that there is a greatest solution $\langle r_{p}\rangle_{p\in[{\mathcal{}X}]_{2}}$ , ${\left.\kern-1.2pt(\bigsqcap R)\vphantom{|}\right|_{p}}\sqsubseteq r_{p}$ holds for all $p$ , since $\langle{\left.\kern-1.2pt(\bigsqcap R)\vphantom{|}\right|_{p}}\rangle_{p\in[{\mathcal{}X}]_{2}}$ is also a solution of the system (8). Then we call the collection $\langle r_{p}\rangle_{p\in[{\mathcal{}X}]_{2}}$ the approximate normal form of the collection $R$ . Here, we are interested not only in the existence of a greatest solution of (8) but also in whether it can be effectively computed. For that, we consider the sets of values possibly occurring during some fixpoint iteration for a particular collection $R=\langle s_{p}\rangle_{p\in[{\mathcal{}X}]_{2}}$ .

Let $I_{\mathcal{}R}[R]^{p},p\in[{\mathcal{}X}]_{2},$ be the least collection of sets such that

•

$s_{p}\in I_{\mathcal{}R}[R]^{p}$ ;
•

If $r,r^{\prime}\in I_{\mathcal{}R}[R]^{p}$ then also $r\sqcap r^{\prime}\in I_{\mathcal{}R}[R]^{p}$ ;
•

If $r\in I_{\mathcal{}R}[R]^{\{x,z\}}$ and $r^{\prime}\in I_{\mathcal{}R}[R]^{\{z,y\}}$ , then ${\left.\kern-1.2pt(r\sqcap r^{\prime})\vphantom{|}\right|_{\{x,y\}}}\in I_{\mathcal{}R}[R]^{\{x,y\}}$ for all $x,y,z\in{\mathcal{}X}$ .

The sets $I_{\mathcal{}R}[R]^{p}$ collect the potential iterates occurring during greatest fixpoint iteration of (8). By construction, each set $I_{\mathcal{}R}[R]^{p}$ has a greatest element, namely, $s_{p}$ , and is closed under binary $\sqcap$ . For the termination of Kleene fixpoint iteration for (8), it suffices for each set $I_{\mathcal{}R}[R]^{p}$ to have a least element – whose collection then coincides with the greatest solution of (8). This observation is summarized in the following proposition.

Proposition 1

The following two statements are equivalent:

1.

For each $p\in[{\mathcal{}X}]_{2}$ , $I_{\mathcal{}R}[R]^{p}$ has a least element;
2.

The constraint system (8) has a greatest solution which can be attained by Kleene fixpoint iteration.

Proof

Assume that for each $p\in[{\mathcal{}X}]_{2}$ , there is a least element $d_{p}\in I_{\mathcal{}R}[R]^{p}$ . We claim that $\underline{R}=\langle d_{p}\rangle_{p\in[{\mathcal{}X}]_{2}}$ is the greatest solution of (8). Since for each $p\in[{\mathcal{}X}]_{2}$ , $d_{p}$ is a lower bound to all elements in $I_{\mathcal{}R}[R]^{p}$ , all constraints of (8) are satisfied. Therefore, $\underline{R}$ is a solution. By induction on the definition of the sets $I_{\mathcal{}R}[R]^{p}$ , any other solution $R^{\prime}=\langle r^{\prime}_{p}\rangle_{[{\mathcal{}X}]_{2}}$ consists of lower bounds of these sets, i.e., $r^{\prime}_{p}\sqsubseteq\bigsqcap I_{\mathcal{}R}[R]^{p}=d_{p}$ – implying our claim. To conclude statement (2), it remains to prove that the greatest solution $\underline{R}$ can be reached by Kleene iteration. For every $p$ , $d_{p}$ is an element of the set $I_{\mathcal{}R}[R]^{p}$ , and therefore, has arrived there after finitely many applications of the inductive rule of their definitions. Let $h$ be an upper bound to these numbers for all $d_{p},p\in[{\mathcal{}X}]_{2}$ . Then, Kleene iteration for the constraint system (8) will also reach these values after at most $h$ iterations.

For the reverse direction, assume that Kleene iteration for the greatest solution of (8) terminates after $h$ iterations with a collection $\underline{R}=\langle d_{p}\rangle_{p\in[{\mathcal{}X}]_{2}}$ . By induction on the number $j$ of rounds, we find that each value $d^{(j)}_{p}$ attained for $r_{p}$ , $p\in[{\mathcal{}X}]_{2}$ , after $j$ rounds, is an element of $I_{\mathcal{}R}[R]^{p}$ . Therefore, $d_{p}=d_{p}^{(h)}\in I_{\mathcal{}R}[R]^{p}$ for all $p$ . It remains to prove that $d_{p}$ is also a lower bound of $I_{\mathcal{}R}[R]^{p}$ . To show this, we again proceed by induction, this time on the number $i$ of applications of the inductive rule for the construction of the $I_{\mathcal{}R}[R]^{p}$ , and prove that for all $i$ and any value $d^{\prime}$ added to some set $I_{\mathcal{}R}[R]^{p}$ in the $i$ -th step, it holds that $d_{p}^{(i)}\sqsubseteq d^{\prime}$ . Therefore, $d_{p}$ is a lower bound to $I_{\mathcal{}R}[R]^{p}$ for all $p$ , and statement (1) follows. ∎

If all operations on abstract relations $r\in{\mathcal{}R}^{Y}$ for clusters $Y$ of size at most 3 are constant time and the heights of all ${\mathcal{}R}[R]^{p}$ are bounded by $h$ , then the greatest solution of the constraint system (8) can be computed in time polynomial in $h$ and the number of variables.

We call a relational domain 2-nice, if the statements of Proposition 1 are satisfied for each collection $R=\langle s_{p}\rangle_{p\in[{\mathcal{}X}]_{2}}$ with $s_{p}\in{\mathcal{}R}^{p}$ .

Let us instantiate this construction to 2-disjunctive constants. First, we note that the relational domain ${\mathcal{}C}[U]$ is finite and thus, in particular, 2-nice. Let $\Psi=\langle s_{p}\rangle_{p\in[{\mathcal{}X}]_{2}}$ denote a collection with $s_{p}\in{\mathcal{}C}[U]^{p}$ for all $p$ . Assume that ${\mathcal{}X}$ consists of $n$ variables, and let $m$ be the number of constants occurring in any of the $s_{p}$ . According to the normal form (7), the lattice $I_{{\mathcal{}C}[U]}[\Psi]^{p}$ has height at most $m$ if $p$ consists of a single variable, and height bounded by $m^{2}$ if $p$ is a two-element set. Since there are $\frac{1}{2}n(n+1)$ clusters, fixpoint iteration will terminate after ${\mathcal{}O}(n^{2}\cdot m^{2})$ updates. ∎

Due to NP-hardness of satisfiability, we cannot expect the greatest solution of the constraint system for 2-disjunctive constants to always return the exact normal form. For the formula from Example 3, e.g., it returns for each pair $\{x_{i},x_{j}\}\in E$ , $i\neq j$ ,

\begin{array}[]{l}\left(x_{i}=a\wedge x_{j}\in\{b,c\}\right)\vee\left(x_{i}=b\wedge x_{j}\in\{a,c\}\right)\vee\\ \quad\left(x_{i}=c\wedge x_{j}\in\{a,b\}\right)\end{array}

– which is different from $\bot$ .
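The effect can be reproduced on a small instance. The following sketch is illustrative only: it assumes that the formula in question encodes 3-colorability with one disequality per edge, picks the complete graph on four vertices as a hypothetical input, and represents each two-variable formula as the set of value pairs it admits. The name `kleene_greatest_solution` and the data layout are assumptions made for this example, and singleton clusters are omitted for brevity.

```python
from itertools import permutations, product

COLORS = ("a", "b", "c")

def kleene_greatest_solution(n, start):
    """Refine r[x, y] by composing r[x, z] with r[z, y] until nothing changes.

    `start` maps every ordered pair (x, y) with x != y to a set of value pairs.
    """
    r = {p: set(s) for p, s in start.items()}
    changed = True
    while changed:
        changed = False
        for x, y, z in permutations(range(n), 3):
            # keep (u, v) only if some value w for z is compatible with both
            keep = {(u, v) for (u, v) in r[x, y]
                    if any((u, w) in r[x, z] and (w, v) in r[z, y]
                           for w in COLORS)}
            if keep != r[x, y]:
                r[x, y] = keep
                changed = True
    return r

n = 4  # complete graph on four vertices, which is not 3-colorable
neq = {(u, v) for u, v in product(COLORS, repeat=2) if u != v}
start = {(x, y): set(neq) for x, y in permutations(range(n), 2)}
stable = kleene_greatest_solution(n, start)

# brute force over all assignments: does any satisfy every pairwise formula?
satisfiable = any(
    all((s[x], s[y]) in neq for x, y in permutations(range(n), 2))
    for s in product(COLORS, repeat=n)
)
```

In this instance every pairwise relation stays at the full disequality relation, so the iteration stabilizes immediately at a non-empty collection, while the brute-force check finds no satisfying assignment.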

For a relational domain ${\mathcal{}R}$ , we call a collection $R=\langle r_{p}\rangle_{p\in[{\mathcal{}X}]_{2}}$ with $r_{p}\in{\mathcal{}R}^{p}$ for all $p$ , stable if it is a solution of the constraint system (8) with $s_{p}\equiv r_{p}$ . We remark that stability of $R$ implies that, if $r_{p}=\bot$ for some $p$ , then $r_{p^{\prime}}=\bot$ for all other $p^{\prime}\in[{\mathcal{}X}]_{2}$ as well. Now we introduce for a relational domain ${\mathcal{}R}$ the domain ${\mathcal{}R}_{2}^{\sharp}$ of all stable collections. The ordering $\sqsubseteq^{\sharp}$ on the domain ${\mathcal{}R}_{2}^{\sharp}$ is defined by $R\sqsubseteq^{\sharp}R^{\prime}$ if $r_{p}\sqsubseteq r^{\prime}_{p}$ for all $p\in[{\mathcal{}X}]_{2}$ when $R=\langle r_{p}\rangle_{p\in[{\mathcal{}X}]_{2}}$ and $R^{\prime}=\langle r^{\prime}_{p}\rangle_{p\in[{\mathcal{}X}]_{2}}$ . Thus, $(\bigsqcap R)\sqsubseteq(\bigsqcap R^{\prime})$ whenever $R\sqsubseteq^{\sharp}R^{\prime}$ .

Abstract join as well as abstract restriction for ${\mathcal{}R}_{2}^{\sharp}$ are then modeled along the definitions of join and restriction for ${\mathcal{}R}_{2}$ , but refer to the representation as a solution to the constraint system (8). For $R=\langle r_{p}\rangle_{p\in[{\mathcal{}X}]_{2}}$ , $R^{\prime}=\langle r^{\prime}_{p}\rangle_{p\in[{\mathcal{}X}]_{2}}$ in ${\mathcal{}R}_{2}^{\sharp}$ , we define the abstract join by

R\sqcup^{\sharp}R^{\prime}=\langle r_{p}\sqcup r^{\prime}_{p}\rangle_{p\in[{\mathcal{}X}]_{2}}

while for $Y\subseteq{\mathcal{}X}$ , and $R=\langle r_{p}\rangle_{p\in[{\mathcal{}X}]_{2}}$ , we define abstract restriction by

\begin{array}[]{lll}{\left.\kern-1.2pt\langle r_{p}\rangle_{p\in[{\mathcal{}X}]_{2}}\vphantom{|}\right|^{\sharp}_{Y}}&=&\langle{\left.\kern-1.2ptr_{p}\vphantom{|}\right|_{Y}}\rangle_{p\in[{\mathcal{}X}]_{2}}\\ &=&\langle{\left.\kern-1.2ptr_{p}\vphantom{|}\right|_{Y\cap p}}\rangle_{p\in[{\mathcal{}X}]_{2}}\\ \end{array}

where the latter equality follows since for $r_{p}\in{\mathcal{}R}^{p}$ , ${\left.\kern-1.2ptr_{p}\vphantom{|}\right|_{p}}=r_{p}$ . We have:

Proposition 2

Assume that ${\mathcal{}R}$ is 2-nice and satisfies (6). Then we have:

1.

For each $R,R^{\prime}\in{\mathcal{}R}_{2}^{\sharp}$ , also $R\sqcup^{\sharp}R^{\prime}$ is again in ${\mathcal{}R}_{2}^{\sharp}$ and is the least upper bound of $R,R^{\prime}$ . Moreover,

(\bigsqcap R)\sqcup(\bigsqcap R^{\prime})\sqsubseteq\bigsqcap(R\sqcup^{\sharp}R^{\prime})

2.

For each $R\in{\mathcal{}R}_{2}^{\sharp}$ and $Y\subseteq{\mathcal{}X}$ , ${\left.\kern-1.2ptR\vphantom{|}\right|^{\sharp}_{Y}}$ is again in ${\mathcal{}R}_{2}^{\sharp}$ where

{\left.\kern-1.2pt(\bigsqcap R)\vphantom{|}\right|_{Y}}\sqsubseteq\bigsqcap({\left.\kern-1.2ptR\vphantom{|}\right|^{\sharp}_{Y}})

holds.

3.

For each $R=\langle r_{p}\rangle_{p\in[{\mathcal{}X}]_{2}}$ , $R^{\prime}=\langle r^{\prime}_{p}\rangle_{p\in[{\mathcal{}X}]_{2}}$ in ${\mathcal{}R}_{2}^{\sharp}$ , the greatest lower bound $R\sqcap^{\sharp}R^{\prime}=\langle r^{\prime\prime}_{p}\rangle_{p\in[{\mathcal{}X}]_{2}}$ is determined as the greatest solution of (8) with start values $s_{p}=r_{p}\sqcap r^{\prime}_{p}$ ( $p\in[{\mathcal{}X}]_{2}$ ).

Proof

For the first statement, let $R=\langle r_{p}\rangle_{p\in[{\mathcal{}X}]_{2}}$ and $R^{\prime}=\langle r^{\prime}_{p}\rangle_{p\in[{\mathcal{}X}]_{2}}$ . As the ordering on ${\mathcal{}R}_{2}^{\sharp}$ is componentwise, it suffices to prove that $R\sqcup^{\sharp}R^{\prime}$ is again in ${\mathcal{}R}_{2}^{\sharp}$ , i.e., the collection $r_{p}\sqcup r^{\prime}_{p},p\in[{\mathcal{}X}]_{2},$ is a solution of the constraints in (8). For this, we calculate:

\begin{array}[]{lll}r_{\{x,y\}}\sqcup r^{\prime}_{\{x,y\}}\hfil\\ &\sqsubseteq&{\left.\kern-1.2pt(r_{\{x,z\}}\sqcap r_{\{z,y\}})\vphantom{|}\right|_{\{x,y\}}}\sqcup{\left.\kern-1.2pt(r^{\prime}_{\{x,z\}}\sqcap r^{\prime}_{\{z,y\}})\vphantom{|}\right|_{\{x,y\}}}\\ &\sqsubseteq&{\left.\kern-1.2pt((r_{\{x,z\}}\sqcup r^{\prime}_{\{x,z\}})\sqcap(r_{\{z,y\}}\sqcup r^{\prime}_{\{z,y\}}))\vphantom{|}\right|_{\{x,y\}}}\\ \end{array}

for all variables $x,y,z\in{\mathcal{}X}$ . From that, the statement follows.

To prove the second statement, we must verify that the collection ${\left.\kern-1.2ptr_{p}\vphantom{|}\right|_{Y\cap p}},p\in[{\mathcal{}X}]_{2}$ satisfies all constraints in (8). Indeed, we find by monotonicity,

\begin{array}[]{lll}{\left.\kern-1.2ptr_{\{x,y\}}\vphantom{|}\right|_{Y}}&\sqsubseteq&{\left.\kern-1.2pt(r_{\{x,z\}}\sqcap r_{\{z,y\}})\vphantom{|}\right|_{\{x,y\}\cap Y}}\\ &\sqsubseteq&{\left.\kern-1.2pt({\left.\kern-1.2ptr_{\{x,z\}}\vphantom{|}\right|_{Y}}\sqcap{\left.\kern-1.2ptr_{\{z,y\}}\vphantom{|}\right|_{Y}})\vphantom{|}\right|_{\{x,y\}\cap Y}}\\ \end{array}

for all $x,y,z\in{\mathcal{}X}$ , and the claim follows. The final statement then follows from the definition. ∎

Elements of ${\mathcal{}R}_{2}^{\sharp}$ are collections $\langle r_{p}\rangle_{p\in[{\mathcal{}X}]_{2}}$ . For every $p\in[{\mathcal{}X}]_{2}$ , we can consider elements $r_{p}\in{\mathcal{}R}^{p}$ as elements of ${\mathcal{}R}_{2}^{\sharp}$ as well by assuming that $r_{p}$ represents the stable collection $\langle{\left.\kern-1.2ptr_{p}\vphantom{|}\right|_{q}}\rangle_{q\in[{\mathcal{}X}]_{2}}$ .

According to Proposition 2, both joins and restrictions can be computed componentwise. As a consequence, we find:

Theorem 3.2

For a 2-nice relational domain ${\mathcal{}R}$ which satisfies (6), the domain ${\mathcal{}R}_{2}^{\sharp}$ is a 2-decomposable relational domain. ∎

Fig. 1 shows the abstract relational domains ${\mathcal{}R},{\mathcal{}R}_{2}$ , and ${\mathcal{}R}_{2}^{\sharp}$ together with the mappings between them.

Figure 1: The relationship between abstract relational domains.

According to Theorem 3.2, the domain ${\mathcal{}C}_{2}^{\sharp}[U]$ of abstract 2-disjunctive constants is indeed 2-decomposable. The given construction provides us with polynomial algorithms for least upper bound, greatest lower bound, and projection.
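The componentwise nature of abstract join and abstract restriction can be sketched as follows. This is a minimal illustration under assumptions that are not part of the construction itself: a small finite set `UNIVERSE` of values, clusters encoded as tuples of variable names, and each abstract relation $r_{p}$ encoded as the set of value tuples it admits. The names `join` and `restrict` are hypothetical.

```python
from itertools import product

UNIVERSE = (0, 1, 2)  # hypothetical finite set of values

def join(R1, R2):
    """Componentwise join: per cluster, the union of the admitted tuples."""
    return {p: R1[p] | R2[p] for p in R1}

def restrict(R, Y):
    """Componentwise restriction: per cluster p, forget variables outside Y."""
    out = {}
    for p, rel in R.items():
        keep = [i for i, x in enumerate(p) if x in Y]
        proj = {tuple(t[i] for i in keep) for t in rel}
        # variables of p outside Y may take any value again;
        # an empty relation stays empty
        out[p] = {t for t in product(UNIVERSE, repeat=len(p))
                  if tuple(t[i] for i in keep) in proj}
    return out

R = {("x",): {(0,)}, ("y",): {(1,)}, ("x", "y"): {(0, 1)}}
S = {("x",): {(2,)}, ("y",): {(1,)}, ("x", "y"): {(2, 1)}}
J = join(R, S)
F = restrict(R, {"x"})
```

Here `J` admits the pairs `(0, 1)` and `(2, 1)` for the cluster `("x", "y")`, and `F` keeps `x = 0` while leaving `y` unconstrained. Neither operation needs to look at more than one cluster at a time.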

3.2 Assignments

Let us return to the relational domain ${\mathcal{}C}_{2}[U]$ of 2-disjunctive constants and indicate how abstract transformers for assignments $x\,{:=}\,s$ can be tailored. For 2-disjunctive constants, we only consider right-hand sides $s$ where $s$ is either $?$ (unknown value), or of the form $A|y_{1}|\ldots|y_{k}$ where $A$ is a set of constants and $y_{1},\ldots,y_{k}\in{\mathcal{}X}$ are variables. The concrete semantics of such an assignment is given by

\begin{array}[]{lll}\llbracket x\,{:=}\,?\rrbracket\,\Sigma&=&\{\sigma\oplus\{x\mapsto c\}\mid\sigma\in\Sigma,c\in U\}\\ \llbracket x\,{:=}\,A|y_{1}|\ldots|y_{k}\rrbracket\,\Sigma&=&\{\sigma\oplus\{x\mapsto a\}\mid\sigma\in\Sigma,a\in A\}\cup\\ &&\bigcup_{j=1}^{k}\{\sigma\oplus\{x\mapsto\sigma\,y_{j}\}\mid\sigma\in\Sigma\}\end{array}
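The concrete semantics can be read as a direct computation on sets of states. The sketch below is an illustration under assumptions: a small finite stand-in `UNIVERSE` for $U$, states encoded as frozensets of `(variable, value)` pairs, and the hypothetical function names `assign_unknown` and `assign_choice`.

```python
UNIVERSE = {"a", "b", "c"}  # hypothetical finite stand-in for U

def assign_unknown(states, x):
    """x := ?  -- afterwards x may hold any value of the universe."""
    return {frozenset({**dict(s), x: c}.items())
            for s in states for c in UNIVERSE}

def assign_choice(states, x, A, ys):
    """x := A | y_1 | ... | y_k  -- x receives a constant from A
    or the current value of one of the variables y_j."""
    result = set()
    for s in states:
        sigma = dict(s)
        for v in set(A) | {sigma[y] for y in ys}:
            result.add(frozenset({**sigma, x: v}.items()))
    return result

s0 = frozenset({"x": "a", "y": "b"}.items())
after = assign_choice({s0}, "x", {"c"}, ["y"])
```

Starting from the single state with `x = a` and `y = b`, the assignment `x := {c} | y` yields two states, one with `x = c` and one with `x = b`, and `y` is unchanged in both.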

Generalizing the corresponding abstract semantics for (copy) constant propagation, we define the logic transformer for ${\mathcal{}C}_{2}[U]$ by

\begin{array}[]{lll}\llbracket x\,{:=}\;?\rrbracket_{2}\,\Psi&=&{\left.\kern-1.2pt\Psi\vphantom{|}\right|_{{\mathcal{}X}\setminus\{x\}}}\\ \llbracket x\,{:=}\;A|y_{1}|\ldots|y_{k}\rrbracket_{2}\,\Psi&=&(x\in A)\land{\left.\kern-1.2pt\Psi\vphantom{|}\right|_{{\mathcal{}X}\setminus\{x\}}}\sqcup_{2}\\ &&\bigsqcup_{2\;j=1}^{\phantom{2\;}k}\;\;\llbracket x\;{:=}\,y_{j}\rrbracket_{2}\,\Psi\end{array}

Proposition 3

1.

The logic transformer $\llbracket x\,{:=}\,?\rrbracket_{2}$ is precise, i.e.,

\llbracket x\,{:=}\,?\rrbracket\,(\gamma\,\Psi)=\gamma\,(\llbracket x\,{:=}\,?\rrbracket_{2}\,\Psi)

(9)

In particular, it is distributive and commutes with $\bot$ .

2.

The logic transformer $\llbracket x\,{:=}\,A\mid y_{1}|\ldots|y_{k}\rrbracket_{2}$ is precise, if the logic transformers for $x\,{:=}\,y_{j}$ , $j=1,\ldots,k$ , are.

Thus, we have reduced the construction of logic transformers for assignments to restriction and the construction of logic transformers for variable-variable assignments $x\,{:=}\,y$ . For $y\equiv x$ , the assignment is the identity, i.e., we set $\llbracket x\,{:=}\,x\rrbracket_{2}\,\Psi=\Psi$ . Therefore, assume that $y$ is different from $x$ , and assume that ${\left.\kern-1.2pt\Psi\vphantom{|}\right|_{{\mathcal{}X}\setminus\{x\}}}=\Psi^{\prime}$ . Let $B$ denote the set of constants so that ${\left.\kern-1.2pt\Psi^{\prime}\vphantom{|}\right|_{\{y\}}}$ equals $y\in B$ . Let $\Psi_{y}$ denote the conjunction of all formulas ${\left.\kern-1.2pt\Psi^{\prime}\vphantom{|}\right|_{p}}$ for $p\in[{\mathcal{}X}]_{2}$ with $y\in p$ . Let $\Psi^{\prime\prime}=\Psi_{y}[x/y]$ denote the formula obtained from $\Psi_{y}$ by replacing each occurrence of the variable $y$ with $x$ . Then we define

\llbracket x\,{:=}\,y\rrbracket_{2}\,\Psi=\Psi^{\prime}\wedge\left(\bigvee_{a\in B}x=a\wedge y=a\right)\wedge\Psi^{\prime\prime}

Let $\bar{\Psi}$ denote the formula returned by that transformer for $\Psi$ . Intuitively, our definition means for $x\not\in p$ , that ${\left.\kern-1.2pt\bar{\Psi}\vphantom{|}\right|_{p}}={\left.\kern-1.2pt\Psi\vphantom{|}\right|_{p}}$ , i.e., ${\left.\kern-1.2pt\Psi\vphantom{|}\right|_{p}}$ is preserved while additionally, ${\left.\kern-1.2pt\bar{\Psi}\vphantom{|}\right|_{\{x\}}}={\left.\kern-1.2pt\Psi\vphantom{|}\right|_{\{y\}}}[x/y]$ , ${\left.\kern-1.2pt\bar{\Psi}\vphantom{|}\right|_{\{x,y\}}}=\bigvee_{a\in B}x=a\wedge y=a$ , and for $z\not\in\{x,y\}$ , ${\left.\kern-1.2pt\bar{\Psi}\vphantom{|}\right|_{\{x,z\}}}={\left.\kern-1.2pt\Psi\vphantom{|}\right|_{\{y,z\}}}[x/y]$ .

Proposition 4

The logic transformer $\llbracket x\,{:=}\,y\rrbracket_{2}$ is precise, i.e.,

\llbracket x\,{:=}\,y\rrbracket\,(\gamma\,\Psi)=\gamma\,(\llbracket x\,{:=}\,y\rrbracket_{2}\,\Psi)

(10)

holds. ∎

The same construction allows us to construct abstract logic transformers $\llbracket x\,{:=}\,s\rrbracket_{2}^{\sharp}:{\mathcal{}C}_{2}^{\sharp}[U]\to{\mathcal{}C}_{2}^{\sharp}[U]$ , except that the least upper bound operation and projection of ${\mathcal{}C}_{2}[U]$ must be replaced by the corresponding operations of ${\mathcal{}C}_{2}^{\sharp}[U]$ . The abstract transformer then, however, is only sound and no longer precise: for an abstract relation $R$ whose concretization is empty, the projection operation of ${\mathcal{}C}_{2}^{\sharp}[U]$ may return an abstract relation with a non-empty concretization. Accordingly, Eq. 9 and Eq. 10 may be violated.

3.3 Guards

It remains to provide the semantics of guards. Again, we first consider the domain ${\mathcal{}C}_{2}[U]$ of 2-disjunctive formulas (modulo logical equivalence), ordered by implication. We consider positive guards of the form $x\in A$ , and conversely, negative guards of the form $x\not\in A$ . Positive guards can be expressed directly in ${\mathcal{}C}_{2}[U]$ . Thus we set

\llbracket?(x\in A)\rrbracket\,\Psi=\Psi\wedge(x\in A)

(11)

Negative guards, on the other hand, cannot be directly expressed in ${\mathcal{}C}_{2}[U]$ , at least if there are unknown constant values beyond the finite universe $U$ . To deal with this, we introduce a dedicated fresh symbol $\bullet\not\in U$ with the understanding that $\bullet$ represents any value $a\not\in U$ . The property $x\not\in A$ then can equivalently be represented by

x\in(U\cup\{\bullet\})\setminus A

allowing us to deal with such co-finite sets of possible values in the same way as we did for finite sets of values alone.
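As a small illustration, the encoding of a negative guard as a finite set can be sketched as follows. The sentinel `BULLET` and the function name `negative_guard` are hypothetical, and the sketch assumes $A\subseteq U$.

```python
class _Bullet:
    """Sentinel standing for any value outside the finite universe U."""
    def __repr__(self):
        return "BULLET"

BULLET = _Bullet()  # hypothetical stand-in for the fresh symbol

def negative_guard(U, A):
    """Finite set of symbols representing the property 'x not in A'."""
    return (set(U) | {BULLET}) - set(A)

allowed = negative_guard({1, 2, 3}, {2})
```

For $U=\{1,2,3\}$ and $A=\{2\}$ , the resulting set contains `1`, `3`, and the sentinel, so it can be handled like any other finite value set.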

4 Directed Relational Domains

Let us now abandon disjunctions and, instead of plain equalities, consider inequalities between variables as well as between variables and constants. We will, however, add disjunctions in the end as well. Thus for now, we just consider finite conjunctions of inequalities of the form

d\sqsubseteq x,\quad x\sqsubseteq y,\quad\text{or}\quad x\sqsubseteq d

for variables $x,y\in{\mathcal{}X}$ and constant values $d$ . As usual, we consider conjunctions only up to semantic equivalence. We call inequalities of the form $d\sqsubseteq x$ lower bound constraints, and $d$ a lower bound for $x$ . Analogously, inequalities of the form $x\sqsubseteq d$ are called upper bound constraints, and $d$ an upper bound for $x$ . Inequalities of the form $x\sqsubseteq y$ are called variable constraints.

Assume we are given a partial order (po), i.e., a set $P$ partially ordered by some relation $\leq$ . Examples of partial orders of interest are

Subsets.

The set $2^{U}$ of all subsets of some finite universe $U$ where the ordering is subset inclusion $\subseteq$ ;

Integers.

The set $\mathbb{Z}$ of integers equipped with the natural ordering $\leq_{\mathbb{Z}}$ ;

Multisets.

Multisets, i.e., the set of all mappings $\mu:U\to\mathbb{N}$ from elements in $U$ to their multiplicities ordered by multiset inclusion $\subseteq_{\mathcal{}N}$ .

Strings.

The set of all strings $\Sigma^{*}$ for some finite alphabet $\Sigma$ . Several partial orderings are of interest:

–

the prefix ordering $\leq_{p}$ ; e.g., $\textsf{ab}\leq_{p}\textsf{abcd}$ ;
–

the substring ordering $\leq_{s}$ , e.g., $\textsf{bc}\leq_{s}\textsf{abcde}$ ;
–

the scattered substring ordering $\leq_{ss}$ , e.g., $\textsf{bd}\leq_{ss}\textsf{abcde}$ .
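The three string orderings can be stated as simple predicates. The following sketch uses hypothetical function names and only standard string operations; the examples are the ones given in the list above.

```python
def is_prefix(u, v):
    """u <=_p v : u is a prefix of v."""
    return v.startswith(u)

def is_substring(u, v):
    """u <=_s v : u occurs contiguously in v."""
    return u in v

def is_scattered_substring(u, v):
    """u <=_ss v : the letters of u occur in v in the same order."""
    rest = iter(v)
    # 'ch in rest' advances the iterator past the first match of ch
    return all(ch in rest for ch in u)
```

Every prefix is a substring, and every substring is a scattered substring, but not conversely: `bd` is a scattered substring of `abcde` without being a substring.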

Much more expressive constraints on strings have been studied, e.g., in Chen et al. (2018); Day et al. (2023); Abdulla et al. (2019); Ganesh et al. (2011). In particular, for a fragment containing the prefix ordering, decision procedures are known based on (synchronous) multi-tape finite automata Yu et al. (2011). Due to their expressiveness, these techniques come with a considerable computational effort. Instead, we follow Arceri et al. (2022) where basic relational domains are considered for reasoning about variables of string type, sets (of characters), or integers (lengths of strings). Their analyses relate program variables only according to some partial order, and also consider lower bounds. Here, these considerations are complemented by taking upper bounds into account as well and, eventually, by adding disjunctions.

A mapping $\sigma:{\mathcal{}X}\to P$ is a model of $\Psi$ (relative to $P$ ), written as $\sigma\models\Psi$ , if $\Psi\neq\bot$ , and

•

$d\leq\sigma\,x$ (in $P$ ) for each constraint $d\sqsubseteq x$ in $\Psi$ ;
•

$\sigma\,x\leq d$ (in $P$ ) for each constraint $x\sqsubseteq d$ in $\Psi$ ; and
•

$\sigma\,x\leq\sigma\,y$ (in $P$ ) for each constraint $x\sqsubseteq y$ in $\Psi$ .

Let ${\mathcal{}D}[P]$ denote all finite conjunctions over $P$ modulo semantic equivalence where the ordering on ${\mathcal{}D}[P]$ is semantic implication. As before, normal forms of conjunctions will be considered up to reordering of atomic propositions. Thus, syntactic equality of conjunctions here means equality of the respective sets of propositions. Let $\Psi$ denote a finite conjunction where $V\subseteq P$ is the set of values occurring in $\Psi$ as lower or upper bounds. To provide a first normal form for $\Psi$ , we proceed in two steps. First, we determine the transitive closure $(\leq\cup\sqsubseteq)^{+}$ on the set ${\mathcal{}X}\cup V$ of the constraints provided by $\Psi$ . In case that $(a,b)\in(\leq\cup\sqsubseteq)^{+}$ for $a,b\in V$ where $a\leq b$ does not hold in $P$ , then $\Psi$ is unsatisfiable and therefore represented by the dedicated element $\Psi^{\prime}=\bot$ . If this is not the case, let $\Psi^{\prime}$ denote the conjunction of all inequalities $s_{1}\sqsubseteq s_{2}$ where $(s_{1},s_{2})\in(\leq\cup\sqsubseteq)^{+}$ and either $s_{1}$ or $s_{2}$ or both are in ${\mathcal{}X}$ .

In the second step, when $\Psi^{\prime}\neq\bot$ , we remove all redundant constraints. These are constraints of the form

•

$x\sqsubseteq x$ for $x\in{\mathcal{}X}$ , as these constraints hold vacuously;
•

$a\sqsubseteq x$ for $a\in V$ and $x\in{\mathcal{}X}$ if there is also a constraint $b\sqsubseteq x$ with $a\leq b$ , i.e., there is a stricter lower bound;
•

$x\sqsubseteq b$ for $b\in V$ and $x\in{\mathcal{}X}$ if there is also a constraint $x\sqsubseteq a$ with $a\leq b$ , i.e., there is a stricter upper bound.

Additionally, we set $\Psi^{\prime}$ to $\bot$ whenever for some variable $x$ ,

•

there is no lower bound in $P$ for the set of upper bounds provided for $x$ by $\Psi$ ; or
•

there is no upper bound in $P$ for the set of lower bounds provided for $x$ by $\Psi$ .

Assume, e.g., that $\Psi$ is given by

(\textsf{abc}\sqsubseteq x)\wedge(\textsf{abd}\sqsubseteq x)

where we consider the prefix order $\leq_{p}$ on strings. Since $\textsf{abc},\textsf{abd}$ cannot be prefixes of the same string, this conjunction is considered equivalent to $\bot$ .

Let us denote the resulting conjunction $\Psi^{\prime}$ by $\textsf{nf}_{0}[\Psi]$ and call it the 0-normal form of $\Psi$ . Assuming that comparisons of values as well as checks for common lower or upper bounds are constant-time operations, 0-normal forms can be computed in polynomial time.
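The two steps can be sketched for the prefix order on strings. This is a minimal illustration, not a definitive implementation: constraints are encoded as pairs `(s1, s2)` meaning $s_{1}\sqsubseteq s_{2}$ , every term not listed in `variables` is treated as a string constant, `None` stands for $\bot$ , and the check for common upper bounds is applied to the transitively closed constraints. All function names are hypothetical.

```python
def leq_prefix(a, b):
    return b.startswith(a)

def has_upper_bound(values):
    """In the prefix order, a set has an upper bound iff it is a chain."""
    vs = sorted(values, key=len)
    return all(leq_prefix(a, b) for a, b in zip(vs, vs[1:]))

def nf0(constraints, variables):
    values = {t for c in constraints for t in c if t not in variables}
    # step 1: transitive closure of the constraints and the order on values
    rel = set(constraints) | {(a, b) for a in values for b in values
                              if leq_prefix(a, b)}
    changed = True
    while changed:
        new = {(s, u) for (s, t) in rel for (t2, u) in rel if t == t2} - rel
        rel |= new
        changed = bool(new)
    if any(not leq_prefix(a, b)
           for (a, b) in rel if a in values and b in values):
        return None
    psi = {(s, t) for (s, t) in rel if s in variables or t in variables}
    # lower bounds of a variable need a common upper bound; upper bounds
    # always share the empty string as a common lower bound
    for x in variables:
        if not has_upper_bound({a for (a, t) in psi if t == x and a in values}):
            return None
    # step 2: drop redundant constraints
    def redundant(s, t):
        if s == t:
            return True
        if s in values:  # a stricter lower bound exists
            return any(b != s and leq_prefix(s, b)
                       for (b, t2) in psi if t2 == t and b in values)
        if t in values:  # a stricter upper bound exists
            return any(a != t and leq_prefix(a, t)
                       for (s2, a) in psi if s2 == s and a in values)
        return False
    return {c for c in psi if not redundant(*c)}
```

For the conjunction $(\textsf{abc}\sqsubseteq x)\wedge(\textsf{abd}\sqsubseteq x)$ from above, the sketch returns `None`, since the two lower bounds of $x$ have no common upper bound.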

4.1 Lattice Domains

An important special case is when $P$ is a lattice, i.e., a po where every two elements $a,b$ both have a least upper bound $a\vee b$ and a greatest lower bound $a\wedge b$ .

Example 4

The po $2^{U}$ ordered by subset inclusion is a complete lattice and thus, in particular, a lattice. The integers $\mathbb{Z}$ with the natural ordering are another example of a lattice, this time without least or greatest element. Yet another example is the set of multisets: this lattice has a least, but no greatest element.

The po $\Sigma^{*}$ of strings ordered by the prefix relation is not a lattice. $\Sigma^{*}$ provides a least element $\epsilon$ , as well as greatest lower bounds, namely, the maximal common prefix, but does not have least upper bounds to all pairs of strings. There is, for example, no upper bound to abc and abd in $\Sigma^{*}$ . ∎

When $P$ is a lattice, we can provide a dedicated normal form which, however, may now use constants from $P$ which did not occur in $\Psi$ before. Assume now that $\Psi^{\prime}$ is the 0-normal form of $\Psi$ . If $P$ has a least element $\bot_{P}$ , we add the vacuous constraint $\bot_{P}\sqsubseteq x$ to every variable $x$ . Likewise, if $P$ has a greatest element $\top_{P}$ , we add the constraint $x\sqsubseteq\top_{P}$ .

If $\Psi^{\prime}$ is different from $\bot$ , we subsequently simplify $\Psi^{\prime}$ further by replacing for each variable $x\in{\mathcal{}X}$ ,

•

the set of upper bound constraints occurring in $\Psi^{\prime}$ , if it is non-empty and consists of $(x\sqsubseteq b_{1})\land\ldots\land(x\sqsubseteq b_{r})$ , with the single constraint $(x\sqsubseteq(\bigwedge_{i=1}^{r}b_{i}))$ ;
•

the set of lower bound constraints in $\Psi^{\prime}$ , if it is non-empty and consists of $(a_{1}\sqsubseteq x)\land\ldots\land(a_{r}\sqsubseteq x)$ , with the single constraint $((\bigvee_{i=1}^{r}a_{i})\sqsubseteq x)$ .

Let us denote the resulting formula by $\textsf{nf}_{1}[\Psi]$ and call it the 1-normal form of $\Psi$ . The 1-normal form of $\Psi$ can be computed in polynomial time as well – given that comparisons as well as pairwise least upper bounds and greatest lower bounds in $P$ are constant time. We have:

Theorem 4.1

Assume that the po $P$ is a lattice. Then the following holds:

1.

A conjunction $\Psi$ is satisfiable over $P$ iff $\textsf{nf}_{1}[\Psi]\neq\bot$ .
2.

For arbitrary conjunctions $\Psi_{1},\Psi_{2}$ over $P$ , $\Psi_{1}\implies\Psi_{2}$ iff $\textsf{nf}_{1}[\Psi_{1}]=\textsf{nf}_{1}[\Psi_{1}\land\Psi_{2}]$ .

Satisfiability as well as implication are decidable in polynomial time. ∎

Proof

If $\Psi^{\prime}=\textsf{nf}_{1}[\Psi]=\bot$ , then $\Psi$ cannot be satisfiable since each of the simplification steps preserves the set of satisfying assignments. So, assume that $\Psi^{\prime}$ is syntactically different from $\bot$ . Let $\sigma$ be the variable assignment which maps each variable $x$ to its lower bound $a_{x}\in P$ if it exists, and otherwise to some fixed element $\underline{a}$ which is less than or equal to every lower bound mentioned in $\Psi^{\prime}$ . Then all single variable constraints are satisfied as well as, by transitivity, all constraints $x\sqsubseteq y$ occurring in $\Psi^{\prime}$ . Therefore, $\sigma\models\Psi$ , implying that $\Psi$ is satisfiable. From this, statement (1) follows.

To prove statement (2), consider conjunctions $\Psi^{\prime}_{1},\Psi^{\prime}_{2}$ both in 1-normal form. If these syntactically coincide, then obviously also $\Psi^{\prime}_{1}\iff\Psi^{\prime}_{2}$ holds. For the reverse direction, we prove that if the $\Psi^{\prime}_{i}$ are distinct, then they cannot be equivalent. From that, the assertion follows. If one of them equals $\bot$ and the other does not, then by statement (1), they cannot be equivalent. Therefore, assume that both are satisfiable and thus, different from $\bot$ . We consider all cases how the $\Psi^{\prime}_{i}$ may differ.

Lower bounds.

First, assume that there are constraints $a_{i}\sqsubseteq x$ , $i=1,2$ , for some variable $x$ in $\Psi^{\prime}_{i}$ where $a_{1}$ is different from $a_{2}$ . Assume w.l.o.g. that $a_{1}\not\leq a_{2}$ holds. Let $L_{x}$ denote the set consisting of $x$ together with variables $z\in{\mathcal{}X}$ where $\Psi^{\prime}_{2}$ has a constraint $z\sqsubseteq x$ . Let $\sigma$ denote some assignment with $\sigma\models\Psi^{\prime}_{2}$ . Then we construct a variable assignment $\sigma^{\prime}$ such that $\sigma^{\prime}\models\Psi^{\prime}_{2}$ but $\sigma^{\prime}\not\models\Psi^{\prime}_{1}$ by

\sigma^{\prime}\,z=\begin{cases}\sigma\,z\wedge a_{2}&\text{if }z\in L_{x}\\ \sigma\,z&\text{otherwise}\end{cases}

Then still $\sigma^{\prime}\models\Psi^{\prime}_{2}$ . But since $a_{1}\not\leq a_{2}$ , it follows that $\sigma^{\prime}$ does not satisfy $a_{1}\sqsubseteq x$ and thus it does not model $\Psi^{\prime}_{1}$ .

If there is a constraint $a_{1}\sqsubseteq x$ in $\Psi^{\prime}_{1}$ , but no lower bound constraint for $x$ in $\Psi^{\prime}_{2}$ , then there is some value $\underline{\bot}\in P$ different from $a_{1}$ so that $\underline{\bot}\leq a_{1}\wedge\sigma\,x$ holds. This value allows us to construct an analogous distinguishing assignment $\sigma^{\prime}$ where we use $\underline{\bot}$ instead of $a_{2}$ .

Upper bounds.

First, assume that there are constraints $x\sqsubseteq b_{i}$ , $i=1,2$ , for some variable $x$ in $\Psi^{\prime}_{i}$ where $b_{1}$ is different from $b_{2}$ . W.l.o.g., assume that $b_{2}\not\leq b_{1}$ . Let $U_{x}\subseteq{\mathcal{}X}$ denote the subset consisting of $x$ together with all unknowns $z$ where $\Psi^{\prime}_{2}$ has a constraint $x\sqsubseteq z$ . Let $\sigma$ denote some assignment with $\sigma\models\Psi^{\prime}_{2}$ . Then we construct a variable assignment $\sigma^{\prime}$ by:

\sigma^{\prime}\,z=\begin{cases}\sigma\,z\vee b_{2}&\text{if }z\in U_{x}\\ \sigma\,z&\text{otherwise}\end{cases}

Then still $\sigma^{\prime}\models\Psi^{\prime}_{2}$ holds. But since $b_{2}\not\leq b_{1}$ , $\sigma^{\prime}$ does not satisfy $\Psi^{\prime}_{1}$ .

If there is a constraint $x\sqsubseteq b_{1}$ in $\Psi^{\prime}_{1}$ , but no upper bound constraint for $x$ in $\Psi^{\prime}_{2}$ , we introduce a value $\overline{\top}\in P$ which is different from $b_{1}$ with $(b_{1}\vee\sigma\,x)\leq\overline{\top}$ , and construct an analogous distinguishing assignment $\sigma^{\prime}$ only that we use $\overline{\top}$ instead of $b_{2}$ .

Variable Constraints.

Assume that, w.l.o.g., $\Psi^{\prime}_{1}$ has a constraint $(x\sqsubseteq y)$ for $x,y\in{\mathcal{}X}$ which does not occur in $\Psi^{\prime}_{2}$ where we assume that for every variable $z\in{\mathcal{}X}$ both lower and upper bounds are provided by $\Psi^{\prime}_{1}$ iff they are provided by $\Psi^{\prime}_{2}$ and that, whenever they are provided, they agree. Consider again the set $U_{x}$ of $x$ together with all variables $z$ with constraints $x\sqsubseteq z$ , and the set $L_{y}$ of $y$ together with all variables $z$ with constraints $z\sqsubseteq y$ occurring in $\Psi^{\prime}_{2}$ . Since $x\sqsubseteq y$ does not occur in $\Psi^{\prime}_{2}$ , $U_{x}\cap L_{y}=\emptyset$ .

Let $\sigma$ denote an assignment with $\sigma\models\Psi^{\prime}_{2}$ . First assume that $\Psi^{\prime}_{2}$ has constraints $x\sqsubseteq b$ and $a\sqsubseteq y$ . From $x\sqsubseteq y$ not occurring in $\Psi^{\prime}_{2}$ , it follows that $b\not\leq a$ . Now we construct an assignment $\sigma^{\prime}$ by:

\sigma^{\prime}\,z=\begin{cases}b\vee\sigma\,z&\text{if }z\in U_{x}\cup\{x\}\\ a\wedge\sigma\,z&\text{if }z\in L_{y}\cup\{y\}\\ \sigma\,z&\text{otherwise}\end{cases}

Then $\sigma^{\prime}\models\Psi^{\prime}_{2}$ , while $\sigma^{\prime}\,x=b$ and $\sigma^{\prime}\,y=a$ . As $b\not\leq a$ , $\sigma^{\prime}$ does not fulfill the constraint $x\sqsubseteq y$ from $\Psi^{\prime}_{1}$ .

If no upper bound of $x$ is provided, we choose some value $b$ strictly larger than $\sigma\,x\vee\sigma\,y$ , and define a variable assignment $\sigma^{\prime}$ by $\sigma^{\prime}\,z=b\vee\sigma\,z$ for $z\in U_{x}$ , and $\sigma^{\prime}\,z=\sigma\,z$ otherwise. Then $\sigma^{\prime}\models\Psi^{\prime}_{2}$ . In order to additionally satisfy $x\sqsubseteq y$ , we would have $\sigma^{\prime}\,x=b\vee\sigma\,x=b\leq\sigma^{\prime}\,y$ – which is impossible.

Likewise, if no lower bound of $y$ is provided, we choose some value $a$ strictly less than $\sigma\,x\wedge\sigma\,y$ , and define a variable assignment $\sigma^{\prime}$ by $\sigma^{\prime}\,z=a\wedge\sigma\,z$ for $z\in L_{y}$ , and $\sigma^{\prime}\,z=\sigma\,z$ otherwise. Then $\sigma^{\prime}\models\Psi^{\prime}_{2}$ . In order to additionally satisfy $x\sqsubseteq y$ , we would have $\sigma^{\prime}\,x=\sigma\,x\leq\sigma^{\prime}\,y=a$ – which again is impossible.

∎

For lattices, therefore, the construction of normal forms allows deciding satisfiability as well as semantic implication. From our examples, sets, integers, and multisets are lattices. Strings ordered by the prefix relation, on the other hand, do not form a lattice. This po, however, is bounded-complete. Recall that a po $P$ is bounded-complete if every subset $A\subseteq P$ which has some upper bound, also has a least upper bound. When $P$ is bounded-complete, then we at least know that

•

every non-empty subset $B\subseteq P$ has a greatest lower bound; and
•

$P$ has a least element $\bot_{P}$ .

Thus, every formula $\Psi$ over a bounded-complete po $P$ which provides some upper bound to every variable $x\in{\mathcal{}X}$ also can be brought into 1-normal form. Let us call such conjunctions bounded. We obtain:

Proposition 5

Given a po $P$ that is bounded-complete, the following holds:

1.

A bounded conjunction $\Psi$ is satisfiable over $P$ iff $\textsf{nf}_{1}[\Psi]\neq\bot$ .
2.

For arbitrary bounded conjunctions $\Psi_{1},\Psi_{2}$ over $P$ , $\Psi_{1}\implies\Psi_{2}$ iff $\textsf{nf}_{1}[\Psi_{1}]=\textsf{nf}_{1}[\Psi_{1}\land\Psi_{2}]$ . ∎

When we drop the extra assumption that conjunctions are bounded, Proposition 5 need no longer hold.

Example 5

For prefixes of strings, consider the conjunction

(\textsf{ab}\sqsubseteq x)\wedge(x\sqsubseteq\textsf{abc})\wedge(\textsf{abd}\sqsubseteq y)\wedge(x\sqsubseteq y)

This formula is semantically equivalent to

(\textsf{ab}\sqsubseteq x)\wedge(x\sqsubseteq\textsf{ab})\wedge(\textsf{abd}\sqsubseteq y)\wedge(x\sqsubseteq y)

although the formulas are syntactically different.

Even without upper bounds, not all implications can be inferred via transitive closure alone. Again for prefixes of strings, consider

\begin{array}[]{c}(\textsf{abc}\sqsubseteq y_{1})\wedge(\textsf{abd}\sqsubseteq y_{2})\wedge(x\sqsubseteq y_{1})\wedge(x\sqsubseteq y_{2})\wedge(\textsf{ab}\sqsubseteq z)\end{array}

The first four constraints imply that $x\sqsubseteq\textsf{ab}$ , which, by the last constraint, implies that $x\sqsubseteq z$ must hold as well. ∎

For a conjunction $\Psi$ and a subset $Y\subseteq{\mathcal{}X}$ of variables, let ${\left.\kern-1.2pt\Psi\vphantom{|}\right|^{\sharp}_{Y}}$ yield $\bot$ if $\Psi$ equals $\bot$ , and otherwise, yield the conjunction of all constraints in $\Psi$ that only use variables from $Y$ .

For conjunctions $\Psi_{1},\Psi_{2}$ in 1-normal form and different from $\bot$ , we define the abstract join $\Psi_{1}\sqcup^{\sharp}\Psi_{2}$ as the conjunction of the following constraints:

•

all constraints $x\sqsubseteq y$ , $x,y\in{\mathcal{}X}$ , which occur both in $\Psi_{1}$ and $\Psi_{2}$ ;
•

all constraints $(d_{1}\wedge d_{2})\sqsubseteq x$ , $d_{1},d_{2}\in P$ , $x\in{\mathcal{}X}$ where $d_{i}\sqsubseteq x$ occurs in $\Psi_{i}$ ;
•

all constraints $x\sqsubseteq(d_{1}\vee d_{2})$ , $d_{1},d_{2}\in P$ , $x\in{\mathcal{}X}$ where $x\sqsubseteq d_{i}$ occurs in $\Psi_{i}$ .

Then we have:

Theorem 4.2

Assume that $P$ is a lattice.

1.

If $\Psi$ is a conjunction in 1-normal form, then for every subset $Y\subseteq{\mathcal{}X}$ , ${\left.\kern-1.2pt\Psi\vphantom{|}\right|_{Y}}$ is given by ${\left.\kern-1.2pt\Psi\vphantom{|}\right|^{\sharp}_{Y}}$ where the latter conjunction is again in 1-normal form.
2.

For $\Psi_{1},\Psi_{2}$ in 1-normal form, $\Psi_{1}\sqcup^{\sharp}\Psi_{2}$ is the least upper bound of $\Psi_{1},\Psi_{2}$ in ${\mathcal{}D}[P]$ .
3.

The domain ${\mathcal{}D}[P]$ is a 2-decomposable relational domain. ∎
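For the lattice $2^{U}$ of subsets, where greatest lower bounds are intersections and least upper bounds are unions, the abstract join defined above can be sketched as follows. The encoding of a conjunction in 1-normal form as a dictionary with the keys `order`, `lower`, and `upper` is an assumption made for this illustration, as is the function name `join`; both inputs are assumed to be in 1-normal form and different from $\bot$ .

```python
def join(psi1, psi2):
    """Abstract join of two 1-normal forms over the subset lattice."""
    return {
        # variable constraints x <= y occurring in both conjunctions
        "order": psi1["order"] & psi2["order"],
        # lower bounds: greatest lower bound (intersection) of both bounds
        "lower": {x: psi1["lower"][x] & psi2["lower"][x]
                  for x in psi1["lower"].keys() & psi2["lower"].keys()},
        # upper bounds: least upper bound (union) of both bounds
        "upper": {x: psi1["upper"][x] | psi2["upper"][x]
                  for x in psi1["upper"].keys() & psi2["upper"].keys()},
    }

top = frozenset({1, 2, 3})  # hypothetical universe U = {1, 2, 3}
psi1 = {"order": {("x", "y")},
        "lower": {"x": frozenset({1}), "y": frozenset({1})},
        "upper": {"x": frozenset({1, 2}), "y": top}}
psi2 = {"order": {("x", "y")},
        "lower": {"x": frozenset({1, 3}), "y": frozenset({1, 3})},
        "upper": {"x": frozenset({1, 3}), "y": top}}
psi = join(psi1, psi2)
```

In this example the join keeps the variable constraint between `x` and `y`, weakens the lower bound of `x` to `{1}`, and weakens its upper bound to `{1, 2, 3}`.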

While statement (1) of Theorem 4.2 remains true also for bounded conjunctions over a bounded-complete po, the least upper bound of two bounded conjunctions need no longer be bounded, as the least upper bounds of the respective upper bounds need not exist. For the prefix ordering on $\Sigma^{*}$ , e.g., we have

(x\sqsubseteq\textsf{abc})\sqcup(x\sqsubseteq\textsf{abd})=\top

i.e., all information about upper bounds is lost.

4.2 The General Case

For general (even finite) partial orders, the dedicated constructions for lattices cannot be directly applied. Already the problem of determining whether or not a conjunction is satisfiable turns out to be surprisingly difficult. Assume that elements in $P$ can be represented and compared in polynomial time. Then we find:

Theorem 4.3

The problem of determining for a given partial order $P$ and a conjunction $\Psi$ , whether $\Psi$ is satisfiable over $P$ , is NP-complete.

Proof

Since a satisfying assignment for a conjunction $\Psi$ can be guessed and checked in polynomial time, it remains to prove the hardness part. For that, consider the problem of 3-colorability of an undirected finite graph $G=(V,E)$ . Let $v_{1},\ldots,v_{n}$ be an enumeration of the vertices in $V$ . Then, we construct a partial order $P$ consisting of the elements

\{\langle v_{i},c\rangle\mid i=1,\ldots,n,\;c=1,2,3\}\;\dot{\cup}\;\{\underline{v}_{i}\mid i=1,\ldots,n\}\;\dot{\cup}\;\{\overline{v}_{i}\mid i=1,\ldots,n\}

where the partial ordering $\leq$ of $P$ is the least partial order satisfying

\begin{array}{lll@{\quad}l}\langle v_{i},c\rangle&\leq&\langle v_{j},c^{\prime}\rangle&\text{whenever}\;\{v_{i},v_{j}\}\in E\land i<j\land c\neq c^{\prime}\\ \langle v_{i},c\rangle&\leq&\overline{v}_{i}&\text{whenever}\;\exists\,j>i.\,\{v_{i},v_{j}\}\in E\\ \underline{v}_{j}&\leq&\langle v_{j},c\rangle&\text{whenever}\;\exists\,i<j.\,\{v_{i},v_{j}\}\in E\end{array}

For $P$ , we define a conjunction $\Psi$ in the variables $x_{i},i=1,\ldots,n$ , by

\bigwedge_{\{v_{i},v_{j}\}\in E,\,i<j}(x_{i}\sqsubseteq\overline{v}_{i})\wedge(x_{i}\sqsubseteq x_{j})\wedge(\underline{v}_{j}\sqsubseteq x_{j})

Both $P$ and $\Psi$ can be constructed from $G$ in polynomial time. Moreover, it holds that $\sigma\models\Psi$ iff $\sigma\,x_{i}=\langle v_{i},c_{i}\rangle$ for some coloring $\gamma:V\to\{1,2,3\}$ with $\gamma\,v_{i}=c_{i}$. It follows that $\Psi$ is satisfiable iff $G$ has a 3-coloring. In summary, we obtain a polynomial-time reduction from the problem of 3-colorability of undirected finite graphs to satisfiability of finite conjunctions over some partial order. This concludes the proof. ∎

For general partial orders $P$ , however, we still may rely on the 0-normal form $\textsf{nf}_{0}$ and otherwise perform the same constructions as we did for lattices with the 1-normal form. Thus, we define an abstract ordering by

\Psi_{1}\sqsubseteq^{\sharp}\Psi_{2}\qquad\text{iff}\qquad\textsf{nf}_{0}[\Psi_{1}]=\textsf{nf}_{0}[\Psi_{1}\wedge\Psi_{2}]

(12)

Let us denote the resulting abstract domain by $\mathcal{D}[P]_{0}$. We have:

Theorem 4.4

For an arbitrary po $P$ , the following holds:

1.

If a conjunction $\Psi$ is satisfiable over $P$ then $\textsf{nf}_{0}[\Psi]\neq\bot$ .
2.

For all conjunctions $\Psi_{1},\Psi_{2}$ , $\textsf{nf}_{0}[\Psi_{1}]=\textsf{nf}_{0}[\Psi_{1}\land\Psi_{2}]$ implies that $\Psi_{1}\implies\Psi_{2}$ .

∎

For an arbitrary po $P$, we define the abstract projection in the same way as for conjunctions over a lattice $P$, except that we now rely on formulas in 0-normal form. For such a formula $\Psi$, the projection ${\left.\kern-1.2pt\Psi\vphantom{|}\right|^{\sharp}_{Y}}$ onto a subset $Y\subseteq\mathcal{X}$ of variables is again defined by removing all constraints mentioning variables not in $Y$.

It is for the abstract join operation that we must find a more general definition, since least upper bounds or greatest lower bounds of sets of values in $P$ are no longer at hand. Assume that $\Psi_{1},\Psi_{2}$ are in 0-normal form and different from $\bot$. Then, we define the abstract join $\Psi_{1}\sqcup^{\sharp}\Psi_{2}$ as the conjunction of the following constraints:

•

all constraints $x\sqsubseteq y$, $x,y\in\mathcal{X}$, which occur both in $\Psi_{1}$ and $\Psi_{2}$;
•

all constraints $d_{i}\sqsubseteq x$ with $i\in\{1,2\}$, $d_{1},d_{2}\in P$, $x\in\mathcal{X}$, where $d_{1}\sqsubseteq x$ occurs in $\Psi_{1}$, $d_{2}\sqsubseteq x$ occurs in $\Psi_{2}$, and $d_{i}\leq d_{3-i}$;
•

all constraints $x\sqsubseteq d_{i}$ with $i\in\{1,2\}$, $d_{1},d_{2}\in P$, $x\in\mathcal{X}$, where $x\sqsubseteq d_{1}$ occurs in $\Psi_{1}$, $x\sqsubseteq d_{2}$ occurs in $\Psi_{2}$, and $d_{3-i}\leq d_{i}$.

This definition essentially amounts to keeping those ordering constraints between variables on which $\Psi_{1}$ and $\Psi_{2}$ agree, and keeping a lower or upper bound only if it is at least as liberal as a corresponding bound of the other formula.

Example 6

For the po $\Sigma^{*}$ with the substring ordering, consider the formulas

\begin{array}{lll}\Psi_{1}&=&(\textsf{ab}\sqsubseteq x)\wedge(y\sqsubseteq\textsf{ab})\wedge(y\sqsubseteq z)\\ \Psi_{2}&=&(\textsf{abc}\sqsubseteq x)\wedge(y\sqsubseteq\textsf{abc})\end{array}

Then, according to our definition,

\Psi_{1}\sqcup^{\sharp}\Psi_{2}=(\textsf{ab}\sqsubseteq x)\wedge(y\sqsubseteq\textsf{abc})

∎
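The join just defined can be sketched in a few lines of Python. This is only an illustration under assumptions of ours: a conjunction is represented as a dictionary of three sets (`vars` for $x\sqsubseteq y$, `lower` for $d\sqsubseteq x$, `upper` for $x\sqsubseteq d$), both arguments are assumed to be already in 0-normal form and different from $\bot$, and the names `is_substring` and `abstract_join` are hypothetical. The substring ordering serves as the partial order, so that the sketch reproduces Example 6.

```python
from itertools import product

def is_substring(a: str, b: str) -> bool:
    """Substring ordering on strings: a <= b iff a occurs contiguously in b."""
    return a in b

def abstract_join(psi1, psi2, leq=is_substring):
    """Abstract join of two conjunctions (assumed 0-normal and not bottom).

    Each conjunction is a dict with the keys
      'vars'  : set of (x, y) standing for x ⊑ y,
      'lower' : set of (d, x) standing for d ⊑ x,
      'upper' : set of (x, d) standing for x ⊑ d.
    """
    joined = {"vars": psi1["vars"] & psi2["vars"], "lower": set(), "upper": set()}
    # Keep a lower bound only if it lies below a lower bound of the other formula.
    for (d1, x1), (d2, x2) in product(psi1["lower"], psi2["lower"]):
        if x1 != x2:
            continue
        if leq(d1, d2):
            joined["lower"].add((d1, x1))
        if leq(d2, d1):
            joined["lower"].add((d2, x1))
    # Keep an upper bound only if it lies above an upper bound of the other formula.
    for (x1, d1), (x2, d2) in product(psi1["upper"], psi2["upper"]):
        if x1 != x2:
            continue
        if leq(d2, d1):
            joined["upper"].add((x1, d1))
        if leq(d1, d2):
            joined["upper"].add((x1, d2))
    return joined

# The two formulas of Example 6.
psi1 = {"vars": {("y", "z")}, "lower": {("ab", "x")}, "upper": {("y", "ab")}}
psi2 = {"vars": set(), "lower": {("abc", "x")}, "upper": {("y", "abc")}}
result = abstract_join(psi1, psi2)
```

Here `result` contains the lower bound `("ab", "x")` and the upper bound `("y", "abc")`, while the constraint between `y` and `z` is dropped because it occurs in one argument only.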

With these definitions, the binary operation $\sqcup^{\sharp}$ returns the least upper bound of its arguments w.r.t. the ordering $\sqsubseteq^{\sharp}$. Moreover, $\mathcal{D}[P]_{0}$ turns into a 2-decomposable relational domain as well.

Theorem 4.5

For every po $P$, $\mathcal{D}[P]_{0}$ is a 2-decomposable relational domain. ∎

4.3 Directed Domains with Disjunctions

Subsequently, we extend the relational domain $\mathcal{D}[P]$ for lattices $P$ (resp. $\mathcal{D}[P]_{0}$ for arbitrary po’s) with disjunctions. This extension corresponds to the disjunctive completion of $\mathcal{D}[P]$ (resp. $\mathcal{D}[P]_{0}$) Cousot and Cousot (1992). The elements of the resulting relational domain are disjunctions of normal form conjunctions (1-normal forms if $P$ is a lattice, and 0-normal forms in general) where for $Y\subseteq\mathcal{X}$, the restriction ${\left.\kern-1.2pt\Psi\vphantom{|}\right|_{Y}}$ of the disjunction $\Psi$ is defined as the disjunction of the restrictions ${\left.\kern-1.2ptc\vphantom{|}\right|_{Y}}$ of the normal form conjunctions $c$ contained in $\Psi$. By definition, restrictions therefore are distributive. Let $\overline{\mathcal{D}}[P]$ (resp. $\overline{\mathcal{D}}[P]_{0}$) denote the resulting relational abstract domains. If $P$ is infinite, these relational domains have infinite strictly ascending chains, and therefore must also have strictly descending chains of unbounded length. For the lattice $\mathbb{Z}$, there are even infinite strictly descending chains, e.g.,

(0\sqsubseteq x),\;(1\sqsubseteq x),\;(2\sqsubseteq x),\;\ldots

Nonetheless, we have:

Proposition 6

1.

For every po $P$, $\overline{\mathcal{D}}[P]_{0}$ is 2-nice.
2.

For every lattice $P$, $\overline{\mathcal{D}}[P]$ is 2-nice.

Proof

Let $D$ denote an arbitrary collection $\langle d_{p}\rangle_{p\in[\mathcal{X}]_{2}}$ with $d_{p}\in\overline{\mathcal{D}}[P]_{0}^{p}$. Consider an arbitrary formula $d^{\prime}_{p}$ from the set $I_{\overline{\mathcal{D}}[P]}[D]^{p}$. It consists of disjunctions of conjunctions each of which may only mention variables from $p$ or constants occurring in any of the $d_{p^{\prime}},p^{\prime}\in[\mathcal{X}]_{2}$. Since the number of these formulas is finite, statement (1) follows.

The proof of the second statement is analogous, except that the occurring constants now may also be finite meets of constants occurring in upper-bound constraints of the initial collection or finite joins of constants occurring in lower-bound constraints. Still, the number of possible formulas remains finite. ∎

Due to Proposition 6, the construction from Section 3 can be applied, resulting in the 2-decomposable relational domains $\overline{\mathcal{D}}_{2}^{\sharp}[P]$ (in case of lattices $P$) and $\overline{\mathcal{D}}_{2}^{\sharp}[P]_{0}$ (for arbitrary po’s).

We exemplify the construction for the lattice $\mathbb{Z}$ of integers, i.e., for $\overline{\mathcal{D}}_{2}^{\sharp}[\mathbb{Z}]$. One-variable properties expressible in this lattice are disjunctions of interval constraints such as

(x\sqsubseteq 3)\vee(5\sqsubseteq x)\wedge(x\sqsubseteq 7)

Two-variable properties expressible in this lattice are, e.g.,

\begin{array}[]{l}(x\sqsubseteq-1)\wedge(x\sqsubseteq y)\;\;\vee\\ (0\sqsubseteq x)\wedge(x\sqsubseteq 5)\wedge(2\sqsubseteq y)\;\;\vee\\ (6\sqsubseteq x)\wedge(y\sqsubseteq x)\wedge(y\sqsubseteq 19)\end{array}

Arbitrary elements in $\overline{\mathcal{D}}_{2}^{\sharp}[\mathbb{Z}]$ can be understood as representations of conjunctions of such properties.

Assume that we are given a collection $Z=\langle s_{p}\rangle_{p\in[\mathcal{X}]_{2}}$ with $s_{p}\in\overline{\mathcal{D}}[\mathbb{Z}]^{p}$ which is not yet stable, and that we would like to determine the corresponding stable collection by a fixpoint iteration computing the greatest solution of Eq. 8. During that iteration, we only need to consider upper and lower bounds for each variable $x$ which have already occurred in the formulas $s_{p}$. Therefore, the length of each intermediate formula is bounded by a polynomial in the input, and each unknown $r_{p}$ is updated only polynomially often. As a consequence, the operations abstract join, abstract meet, and abstract projection for $\overline{\mathcal{D}}_{2}^{\sharp}[\mathbb{Z}]$ are all polynomial. For an arbitrary lattice or po $P$, we may proceed analogously. Efficiency of the fixpoint iteration, though, remains to be checked separately for every $P$.

4.4 Assignments

Let us turn to the construction of abstract transformers for assignments. We only describe these for the relational domains $\mathcal{D}[P]$ and $\mathcal{D}[P]_{0}$, respectively. We first consider three simple cases: assignments of unknown values; assignments of constants; and copying one variable into the other.

\begin{array}{lll}\llbracket x\,{:=}\,?\rrbracket^{\sharp}\,\Psi&=&{\left.\kern-1.2pt\Psi\vphantom{|}\right|^{\sharp}_{\mathcal{X}\setminus\{x\}}}\\ \llbracket x\,{:=}\,d\rrbracket^{\sharp}\,\Psi&=&{\left.\kern-1.2pt\Psi\vphantom{|}\right|^{\sharp}_{\mathcal{X}\setminus\{x\}}}\land(d\sqsubseteq x)\land(x\sqsubseteq d)\\ \llbracket x\,{:=}\,y\rrbracket^{\sharp}\,\Psi&=&{\left.\kern-1.2pt\Psi\vphantom{|}\right|^{\sharp}_{\mathcal{X}\setminus\{x\}}}\land(x\sqsubseteq y)\land(y\sqsubseteq x)\end{array}

(13)

for $d\in P$ and $x,y\in\mathcal{X}$ with $x\not\equiv y$. Again, we realize the assignment of unknown values by restriction. For assigning constants and variables, we remark that equality can be expressed via a pair of inequalities.
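As an illustration, the three transformers of Eq. 13 may be sketched in Python as follows. The representation of a conjunction as a dictionary of three sets (`vars` for $x\sqsubseteq y$, `lower` for $d\sqsubseteq x$, `upper` for $x\sqsubseteq d$) and all function names are assumptions made for this sketch only. The argument is assumed to be in normal form, and the result is not normalized again.

```python
def project(psi, keep):
    """Abstract projection: drop every constraint mentioning a variable outside `keep`."""
    return {
        "vars": {(x, y) for (x, y) in psi["vars"] if x in keep and y in keep},
        "lower": {(d, x) for (d, x) in psi["lower"] if x in keep},
        "upper": {(x, d) for (x, d) in psi["upper"] if x in keep},
    }

def assign_unknown(psi, x, variables):
    """x := ?  forgets everything known about x."""
    return project(psi, variables - {x})

def assign_const(psi, x, d, variables):
    """x := d  forgets x, then records d ⊑ x and x ⊑ d."""
    out = project(psi, variables - {x})
    out["lower"].add((d, x))
    out["upper"].add((x, d))
    return out

def assign_var(psi, x, y, variables):
    """x := y  (with x different from y) forgets x, then records x ⊑ y and y ⊑ x."""
    assert x != y
    out = project(psi, variables - {x})
    out["vars"] |= {(x, y), (y, x)}
    return out

# A small formula over strings: (x ⊑ z) ∧ (a ⊑ x) ∧ (b ⊑ y).
variables = {"x", "y", "z"}
psi = {"vars": {("x", "z")}, "lower": {("a", "x"), ("b", "y")}, "upper": set()}
after_const = assign_const(psi, "x", "c", variables)
after_copy = assign_var(psi, "x", "y", variables)
```

In both results, the old constraints on `x` have disappeared, whereas the lower bound `("b", "y")` on the untouched variable `y` is retained.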

Individual partial orders, though, may support further forms of right-hand sides in assignments. Subsequently, we enumerate more general forms of assignments for sets and for the prefix, substring, and scattered substring partial orders on strings.

Sets.

For sets, we consider right-hand sides of the form $y_{1}\cap y_{2}$ or $y_{1}\cup y_{2}$ for $y_{1},y_{2}\in\mathcal{X}$ with $x\not\in\{y_{1},y_{2}\}$. We define

\begin{array}{lll}\llbracket x\,{:=}\,y_{1}\cap y_{2}\rrbracket^{\sharp}\,\Psi&=&{\left.\kern-1.2pt\Psi\vphantom{|}\right|^{\sharp}_{\mathcal{X}\setminus\{x\}}}\land(x\sqsubseteq y_{1})\land(x\sqsubseteq y_{2})\\ \llbracket x\,{:=}\,y_{1}\cup y_{2}\rrbracket^{\sharp}\,\Psi&=&{\left.\kern-1.2pt\Psi\vphantom{|}\right|^{\sharp}_{\mathcal{X}\setminus\{x\}}}\land(y_{1}\sqsubseteq x)\land(y_{2}\sqsubseteq x)\end{array}

Thus, after the assignment, we obtain new upper (lower) bounds of $x$ in terms of the variables $y_{1}$ and $y_{2}$. An analogous construction can also be applied to multisets. We remark that the resulting formulas do not entail that the equalities $x=y_{1}\cap y_{2}$ and $x=y_{1}\cup y_{2}$, respectively, hold after the assignments.
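The following Python sketch illustrates the transformer for intersection together with the final remark. It relies on assumptions of ours: conjunctions are dictionaries of three sets (`vars`, `lower`, `upper`), set values are Python `frozenset`s, and the helper names are hypothetical. The assignment $\sigma$ computed by the concrete intersection satisfies the resulting formula, but so does an assignment in which $x$ is strictly smaller.

```python
def forget(psi, x):
    """Drop all constraints that mention the variable x."""
    return {
        "vars": {(a, b) for (a, b) in psi["vars"] if x not in (a, b)},
        "lower": {(d, v) for (d, v) in psi["lower"] if v != x},
        "upper": {(v, d) for (v, d) in psi["upper"] if v != x},
    }

def assign_intersection(psi, x, y1, y2):
    """x := y1 ∩ y2  records the upper bounds x ⊑ y1 and x ⊑ y2."""
    assert x not in (y1, y2)
    out = forget(psi, x)
    out["vars"] |= {(x, y1), (x, y2)}
    return out

def holds(psi, sigma):
    """Check whether sigma satisfies psi; sigma maps variables to frozensets."""
    return (all(sigma[a] <= sigma[b] for (a, b) in psi["vars"])
            and all(d <= sigma[v] for (d, v) in psi["lower"])
            and all(sigma[v] <= d for (v, d) in psi["upper"]))

# Before the assignment we know {1} ⊑ y1 and some stale fact x ⊑ y1.
psi = {"vars": {("x", "y1")}, "lower": {(frozenset({1}), "y1")}, "upper": set()}
after = assign_intersection(psi, "x", "y1", "y2")

y1, y2 = frozenset({1, 2}), frozenset({2, 3})
exact = {"y1": y1, "y2": y2, "x": y1 & y2}      # x is the true intersection
weaker = {"y1": y1, "y2": y2, "x": frozenset()}  # x is smaller than the intersection
```

Both `holds(after, exact)` and `holds(after, weaker)` evaluate to `True`, i.e., the abstract value after the assignment is sound but does not pin $x$ down to $y_{1}\cap y_{2}$.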

Prefixes.

In this case, right-hand sides of interest are concatenations of a constant or variable, possibly followed by some further value, i.e., are of the form $s\,?$ for $s$ either in $\Sigma^{*}$ or in $\mathcal{X}\setminus\{x\}$, with “?” again denoting unknown input. We define

\llbracket x\,{:=}\,s\,?\rrbracket^{\sharp}\,\Psi\;=\;{\left.\kern-1.2pt\Psi\vphantom{|}\right|^{\sharp}_{\mathcal{X}\setminus\{x\}}}\land(s\sqsubseteq x)

i.e., we only obtain information about lower bounds for $x$ after the assignment but lose all information about upper bounds.

Substrings.

Again, we consider right-hand sides which are concatenations of constants or variables with further values. These now are of the form $?\,s_{1}\,?\ldots?\,s_{k}\,?$ ($s_{i}\in\Sigma^{*}\cup(\mathcal{X}\setminus\{x\})$). We define

\llbracket x\,{:=}\,?\,s_{1}\,?\ldots?\,s_{k}\,?\rrbracket^{\sharp}\,\Psi\;=\;{\left.\kern-1.2pt\Psi\vphantom{|}\right|^{\sharp}_{\mathcal{X}\setminus\{x\}}}\land(s_{1}\sqsubseteq x)\land\ldots\land(s_{k}\sqsubseteq x)

For scattered substrings, we proceed similarly. In both cases, no information is obtained about upper bounds of the left-hand side variable $x$ after the assignment.
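To see why the recorded lower bounds are sound for the substring ordering, one may evaluate a right-hand side concretely. In the following Python sketch, the encoding of the $s_{i}$ as tagged pairs `("const", s)` or `("var", y)`, the explicit list `fillers` for the unknown pieces, and both function names are assumptions made for illustration only.

```python
def rhs_value(terms, fillers, sigma):
    """One concrete value of  ? s_1 ? ... ? s_k ?.

    `terms` lists the s_i, `fillers` supplies the k+1 unknown pieces,
    and `sigma` maps variables to their current string values.
    """
    assert len(fillers) == len(terms) + 1
    pieces = [fillers[0]]
    for (kind, s), gap in zip(terms, fillers[1:]):
        pieces.append(sigma[s] if kind == "var" else s)
        pieces.append(gap)
    return "".join(pieces)

def lower_bounds_hold(terms, value, sigma):
    """Check s_i ⊑ value for every s_i w.r.t. the substring ordering."""
    return all((sigma[s] if kind == "var" else s) in value for kind, s in terms)

sigma = {"y": "bc"}
terms = [("const", "a"), ("var", "y")]
# x := ? a ? y ?  with the unknown pieces chosen as "z", "" and "q".
x_value = rhs_value(terms, ["z", "", "q"], sigma)
```

Whatever strings are chosen for the unknown pieces, each $s_{i}$ occurs contiguously in the resulting value, so `lower_bounds_hold(terms, x_value, sigma)` is `True`. No upper bound on `x_value` can be given, since the unknown pieces may be arbitrarily long.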

So far, we have assumed that the right-hand side $s$ does not contain the variable $x$ from the left-hand side. In case that $x$ occurs in $s$ , we split the assignment into the sequence

\textsf{tmp}\;{:=}\;s;\;x\;{:=}\;\textsf{tmp};

for some fresh variable tmp, i.e., first store the value of the right-hand side $s$ in tmp whose value only then is assigned to the left-hand side variable $x$ .

These abstract transformers for the relational domains $\mathcal{D}[P]$ (resp. $\mathcal{D}[P]_{0}$) are readily lifted to corresponding transformers for the weakly relational domains $\overline{\mathcal{D}}_{2}^{\sharp}[P]$ (resp. $\overline{\mathcal{D}}_{2}^{\sharp}[P]_{0}$).

4.5 Guards and Negated Inequalities

Let us now turn to a treatment of guards $?c$ for the directed domain $\overline{\mathcal{D}}_{2}^{\sharp}[P]$ where $P$ is a lattice. The case for $\overline{\mathcal{D}}_{2}^{\sharp}[P]_{0}$ (when $P$ is not a lattice) is analogous.

A condition $c$ which consists of an inequality $s_{1}\sqsubseteq s_{2}$ for $s_{i}$ being variables or constants already represents an abstract relation. Therefore, Eq. 2 can be used to define the abstract effect of $\llbracket?c\rrbracket^{\sharp}$ .

If the condition $c$ is a negated inequality $s_{1}\not\sqsubseteq s_{2}$, this is not immediately possible. Assume that the variables occurring in $c$ all occur in $p\in[\mathcal{X}]_{2}$. Now consider an arbitrary element $D=\langle d_{p^{\prime}}\rangle_{p^{\prime}\in[\mathcal{X}]_{2}}$. In particular, $d_{p}\in\overline{\mathcal{D}}[P]^{p}$, i.e., $d_{p}=e_{1}\vee\ldots\vee e_{k}$ for conjunctions $e_{1},\ldots,e_{k}$ all using variables from $p$ only. In this case, we define

\llbracket?c\rrbracket^{\sharp}\,D\;=\;D\sqcap\bigvee\{e_{j}\mid e_{j}\not\implies(s_{1}\sqsubseteq s_{2})\}

Thus, the negated inequality $c$ allows us to improve the abstract relation $D$ by removing from $d_{p}$ those conjunctions $e_{j}$ which contradict $c$.
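For one-variable properties over the lattice $\mathbb{Z}$, the selection of the conjunctions $e_{j}$ can be sketched in Python as follows. The sketch makes simplifying assumptions of ours: $d_{p}$ is a list of satisfiable intervals `(lo, hi)` for a single variable $x$, with `None` standing for a missing bound, and the guard compares $x$ with a constant $d$. Only the filtering of the disjuncts of $d_{p}$ is shown, not the subsequent meet with the remaining components of $D$. All names are hypothetical.

```python
def implies_upper(interval, d):
    """Does lo <= x <= hi imply x <= d? (interval assumed satisfiable)"""
    lo, hi = interval
    return hi is not None and hi <= d

def implies_lower(interval, d):
    """Does lo <= x <= hi imply d <= x? (interval assumed satisfiable)"""
    lo, hi = interval
    return lo is not None and d <= lo

def guard_var_not_below_const(disjuncts, d):
    """Guard  x ⋢ d: keep only the disjuncts that do not imply x ⊑ d."""
    return [e for e in disjuncts if not implies_upper(e, d)]

def guard_const_not_below_var(disjuncts, d):
    """Guard  d ⋢ x: keep only the disjuncts that do not imply d ⊑ x."""
    return [e for e in disjuncts if not implies_lower(e, d)]

# The one-variable property (x ⊑ 3) ∨ (5 ⊑ x) ∧ (x ⊑ 7).
d_p = [(None, 3), (5, 7)]
kept_a = guard_var_not_below_const(d_p, 4)   # removes x ⊑ 3
kept_b = guard_var_not_below_const(d_p, 6)   # [5, 7] does not imply x ⊑ 6
kept_c = guard_var_not_below_const(d_p, 7)   # both disjuncts imply x ⊑ 7
kept_d = guard_const_not_below_var(d_p, 5)   # removes 5 ⊑ x ∧ x ⊑ 7
```

Note that for the guard $x\not\sqsubseteq 6$, the interval `(5, 7)` is retained unchanged: the construction removes whole disjuncts but does not tighten the bounds of those which remain.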

5 Conclusion

We considered a construction of 2-decomposable relational domains from arbitrary relational domains and exemplified this construction by deriving 2-disjunctive constants from the relational domain of disjunctive constants. For 2-disjunctive constants, it turned out that normalization is prohibitively expensive. Therefore, we provided a second general construction of 2-decomposable relational domains, now based on greatest solutions of constraint systems, which – in the case of disjunctive constants – results in a 2-decomposable domain where the operations join, meet, and restriction are polynomial.

In the second part, we then considered directed domains as conjunctions of inequalities over lattices or general partial orders. For lattices, we provided the 1-normal form for a syntactic characterization of semantic equivalence. We showed that the resulting domain is 2-decomposable and provided precise polynomial algorithms for 1-normalization, projection, join, and meet. For arbitrary partial orders, we use a weaker form of normalization for constructing a weaker 2-decomposable relational domain, for which we again provided polynomial algorithms, now for 0-normalization, projection, join, and meet. Only in the very last step, we added disjunctions by applying the general construction of 2-decomposable domains based on approximate normalization from the previous section. Both for 2-disjunctive constants and for directed domains, we indicated how transfer functions for assignments and guards can be constructed.

Our results can be extended in several directions. In the case of constants, one may, e.g., additionally, track equalities as well as disequalities between variables; likewise for directed domains, an extensive study of the impact of negated inequalities could be of interest. Here, we only studied lattice operations and transfer functions. Directed domains, though, may have infinite strictly ascending chains. Therefore, tailored widening and narrowing operators are of interest when these domains are employed for practical static analysis.

Acknowledgements.

This work has been supported by Shota Rustaveli National Science Foundation of Georgia under the project FR-21-7973 and by Deutsche Forschungsgemeinschaft (DFG) – 378803395/2428 ConVeY.

References

Abdulla et al. (2019) Abdulla, P.A., Atig, M.F., Diep, B.P., Holík, L., Janku, P.: Chain-free string constraints. In: Chen, Y., Cheng, C., Esparza, J. (eds.) Automated Technology for Verification and Analysis - 17th International Symposium, ATVA 2019, Taipei, Taiwan, October 28-31, 2019, Proceedings, Lecture Notes in Computer Science, vol. 11781, pp. 277–293. Springer (2019). URL https://doi.org/10.1007/978-3-030-31784-3_16
Albert et al. (2014) Albert, E., Arenas, P., Genaim, S., Puebla, G., Román-Díez, G.: Conditional termination of loops over heap-allocated data. Sci. Comput. Program. 92, 2–24 (2014). URL https://doi.org/10.1016/j.scico.2013.04.006
Arceri et al. (2022) Arceri, V., Olliaro, M., Cortesi, A., Ferrara, P.: Relational string abstract domains. In: Finkbeiner, B., Wies, T. (eds.) Verification, Model Checking, and Abstract Interpretation - 23rd International Conference, VMCAI 2022, Philadelphia, PA, USA, January 16-18, 2022, Proceedings, Lecture Notes in Computer Science, vol. 13182, pp. 20–42. Springer (2022). URL https://doi.org/10.1007/978-3-030-94583-1_2
Bagnara et al. (2008) Bagnara, R., Hill, P.M., Zaffanella, E.: An improved tight closure algorithm for integer octagonal constraints. In: Logozzo, F., Peled, D.A., Zuck, L.D. (eds.) Verification, Model Checking, and Abstract Interpretation, pp. 8–21. Springer Berlin Heidelberg, Berlin, Heidelberg (2008)
Bagnara et al. (2009) Bagnara, R., Hill, P.M., Zaffanella, E.: Weakly-relational shapes for numeric abstractions: improved algorithms and proofs of correctness. Formal Methods Syst. Des. 35(3), 279–323 (2009). URL https://doi.org/10.1007/s10703-009-0073-1
Beckert et al. (2000) Beckert, B., Hähnle, R., Manyà, F.: The 2-sat problem of regular signed CNF formulas. In: 30th IEEE International Symposium on Multiple-Valued Logic, ISMVL 2000, Portland, Oregon, USA, May 23-25, 2000, Proceedings, pp. 331–336. IEEE Computer Society (2000). URL https://doi.org/10.1109/ISMVL.2000.848640
Chawdhary et al. (2019) Chawdhary, A., Robbins, E., King, A.: Incrementally closing octagons. Formal Methods Syst. Des. 54(2), 232–277 (2019). URL https://doi.org/10.1007/s10703-017-0314-7
Chen et al. (2018) Chen, T., Chen, Y., Hague, M., Lin, A.W., Wu, Z.: What is decidable about string constraints with the replaceall function. Proc. ACM Program. Lang. 2(POPL), 3:1–3:29 (2018). URL https://doi.org/10.1145/3158091
Cousot and Cousot (1992) Cousot, P., Cousot, R.: Abstract interpretation frameworks. Journal of logic and computation 2(4), 511–547 (1992)
Cousot and Halbwachs (1978) Cousot, P., Halbwachs, N.: Automatic discovery of linear restraints among variables of a program. In: Aho, A.V., Zilles, S.N., Szymanski, T.G. (eds.) Conference Record of the Fifth Annual ACM Symposium on Principles of Programming Languages, Tucson, Arizona, USA, January 1978, pp. 84–96. ACM Press (1978). URL https://doi.org/10.1145/512760.512770
Day et al. (2023) Day, J.D., Ganesh, V., Grewal, N., Manea, F.: On the expressive power of string constraints. Proc. ACM Program. Lang. 7(POPL), 278–308 (2023). URL https://doi.org/10.1145/3571203
Dor et al. (2001) Dor, N., Rodeh, M., Sagiv, S.: Cleanness checking of string manipulations in C programs via integer analysis. In: Cousot, P. (ed.) Static Analysis, 8th International Symposium, SAS 2001, Paris, France, July 16-18, 2001, Proceedings, pp. 194–212. Springer, LNCS 2126 (2001). URL https://doi.org/10.1007/3-540-47764-0_12
Ganesh et al. (2011) Ganesh, V., Minnes, M., Solar-Lezama, A., Rinard, M.: What is decidable about strings? (2011)
Karr (1976) Karr, M.: Affine relationships among variables of a program. Acta Informatica 6, 133–151 (1976). URL https://doi.org/10.1007/BF00268497
Miné (2001) Miné, A.: The octagon abstract domain. In: WCRE’ 01, p. 310. IEEE Computer Society (2001). DOI 10.1109/WCRE.2001.957836
Miné (2004) Miné, A.: Weakly relational numerical abstract domains. (domaines numériques abstraits faiblement relationnels). Ph.D. thesis, École Polytechnique, Palaiseau, France (2004). URL https://tel.archives-ouvertes.fr/tel-00136630
Miné (2006) Miné, A.: The octagon abstract domain. Higher Order Symbol. Comput. 19(1), 31–100 (2006). URL https://doi.org/10.1007/s10990-006-8609-1
Müller-Olm and Seidl (2004) Müller-Olm, M., Seidl, H.: Precise interprocedural analysis through linear algebra. In: Jones, N.D., Leroy, X. (eds.) Proceedings of the 31st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2004, Venice, Italy, January 14-16, 2004, pp. 330–341. ACM (2004). URL https://doi.org/10.1145/964001.964029
Müller-Olm and Seidl (2007) Müller-Olm, M., Seidl, H.: Analysis of modular arithmetic. ACM Trans. Program. Lang. Syst. 29(5), 29 (2007). URL https://doi.org/10.1145/1275497.1275504
Sankaranarayanan et al. (2005) Sankaranarayanan, S., Sipma, H.B., Manna, Z.: Scalable analysis of linear systems using mathematical programming. In: Cousot, R. (ed.) Verification, Model Checking, and Abstract Interpretation, LNCS, vol. 3385, pp. 25–41. Springer, Berlin, Heidelberg (2005)
Schwarz et al. (2023) Schwarz, M., Saan, S., Seidl, H., Erhard, J., Vojdani, V.: Clustered relational thread-modular abstract interpretation with local traces. In: Wies, T. (ed.) Programming Languages and Systems - 32nd European Symposium on Programming, ESOP 2023, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2023, Paris, France, April 22-27, 2023, Proceedings, Lecture Notes in Computer Science, vol. 13990, pp. 28–58. Springer (2023). URL https://doi.org/10.1007/978-3-031-30044-8_2
Schwarz and Seidl (2023) Schwarz, M., Seidl, H.: Octagons revisited. In: Hermenegildo, M.V., Morales, J.F. (eds.) Static Analysis, pp. 485–507. Springer Nature Switzerland, Cham (2023)
Simon et al. (2002) Simon, A., King, A., Howe, J.M.: Two variables per linear inequality as an abstract domain. In: Leuschel, M. (ed.) Logic Based Program Synthesis and Transformation, 12th International Workshop, LOPSTR 2002, Madrid, Spain, September 17-20,2002, Revised Selected Papers, LNCS, vol. 2664, pp. 71–89. Springer (2002). URL https://doi.org/10.1007/3-540-45013-0_7
Yu et al. (2011) Yu, F., Bultan, T., Hardekopf, B.: String abstractions for string verification. In: Groce, A., Musuvathi, M. (eds.) Model Checking Software - 18th International SPIN Workshop, Snowbird, UT, USA, July 14-15, 2011. Proceedings, Lecture Notes in Computer Science, vol. 6823, pp. 20–37. Springer (2011). URL https://doi.org/10.1007/978-3-642-22306-8_3