Conference Record OZ the FIZtn AnnuaL ACM Symposium on Prlnclples or Programming Language

AUTOMATIC DISCOVERY OF LINEAR RESTRAINTS AMONGVARIABLES OF A PROGRAM

Patrick Cousot* and Nicolas Halbwachs**

Laboratoire d’Informatique, U.S.M.G., BP. 53

38041 Grenoble c6dex, France

1. INTRODUCTION

The model of abstract interpretation of programs

developed by Cousot[1976], Cousot [1977] is applied

to the static determination of linear equality or

inequality relations among variables of programs.

For example, consider the following sorting

procedure [Knuth[1973], p.107) :

procedure BUBBLESORT[integer va2ue N;

integer arra~[l:N] K];

begi~ integer B,J,T;

{1}B:=N;

{2}while B21 do

{3}J:=l; T:=O:

{4}white Js(B-11 do

{5}if KIJ]>KIJ+I] then

EXCHANGEIJ,J+I); {no side effects on

{6} N,B,J,T}

{7}T:=J,

{B}ff;

{9}J:=J+’l;

{10} :$T=o then return ~i

{11};

{12}B:=T;

{13} ~:$,“

Without user provided inductive assertions nor

human interaction we have automatically determined

[in 1.582 seconds of C.P.U. time) that the following

restraints must hold among the variables of the

above procedure:

{1} : B=N

{2} ; I<B<N

{3} : I<BSN, J=l, T=O

{4}, {5}, {6} : B<N, T>O, T+I<J, J+’l<B

{7} : B<N, J>’l, J+I<B, J=T

{8] : B<N, J+I<B, J>’l, T>o, TsJ

{9} : B<N, J<Ej, J>2, T>O, T+I<J

[10},[11} , FJ<N, J<FJ, T>o, T+I<J, B<J+I

{12} : JsN, T20, T+IsJ, T=5

{13} : B<N, B<l

*

**

Attach& de Recherche au C.N.R.S. , Laboratoire

Associ6 n07

Allocataire de Recherche O.G.R.S.T.

This work was supported by C.N.R.S. under grant

ATP-Informatique 03119.

A certain number of classical data flow analysis

techniques are included in or generalized by the

determination of linear equality relations among

program variables. For example constant propagation

can be understood as the discovery of very simple

linear equality relations among variables [such as

X=1, Y=51. However the resolution of the more

general problem of determining linear equality

relations among variables allows the discovery of

symbolic constants [such as X=N, Y=5*N+I). The

same way, common subexpressions can be recognized

which are not formally identical but are semanti-

cally equivalent because of the relationships among

variables. Also the loop invariant computations as

well as loop induction variables [modified inside

the loop by the same loop invariant quantity] can

be determined on a basis which is not purely

syntactical . The problem of discovering linear

equality relations is in fact a particular case of

the one of discovering linear inequality relations

among the program variables. The main use of these

inequality relationships is to determine at compile

time whether the value of an expression is within

a specified numeric or symbolic subrange of the

integers or reals. This includes compile time

overflow, integer subrange and array bound checking

In contrast to Suzuki-Ishihata[1977] we do not

simply try to verify the legality assertions [such

as verifying that array subscripts are within the

declared range) but inStQad we try to discover the

assertions [of linear type] that can be deduced

from the semantics of the program. The advantageis that we can often discover relations which are

never stated explicitly in the program. For

example, we can discover that an integer variable

lies in a subrange of its declared range or that

two references AII] and A[J] to two elements of the

same array refer to different storage locations

[since e.g. 12J+I) or that some piece of code isdead.

The problem of determining equality relation-

ships between a linear combination of the variables

of the program and a constant was solved by Karr

[1976] . His approach was based on Wepjbreit[1975]’s

algorithm which requires that the properties to be

discovered form a lattice every strictly increasing

chain of which is of finite length. This assumptiuis not valid when considering inequality relation-

ships [because of chains such as [x=11, [I<xS2), ...,

(Isxsn),. ..).

84

The model of Cousot [1977] is general enough to cope

with this problem and we briefly recall it in

section 2 as formulated in Cousot [1976]. In sectim

3 we study formal representations for the particular

type of assertions that we consider. In section 4

we describe the linear restraints transformer corre~

pending to elementary instructions of the language.

The algorithm performing the global analysis of

programs is presented in section 5 by means ofsimple examples. Section 6 gives more convincing

examples and Section 7 discusses the experimental

implementation that has been realized.

2. APPROXIMATEANALYSIS OF PROGRAMPROPERTIES,Caus,ot [1976].

For purposes of exposition, a sequential program

will be represented by a connected finite flowchart

with one entry node and assignment, test, junction

and exit nodes. The evaluations of the right-hand

side of an assignment and of the boolean expression

in a test node are assumed not to affect the values

of any variables. Thus all side-effect phenomena

must be modeled as assignment statements. The

junction nodes contain no computations and represent

the merge of program execution paths.

The analysis of a program consists in attaching

an assertion Pi (VI, ..., V ) to each arc i of the

program. These predicat~s on the variables

VI,.. .,Vn are not necessarily of the most general

form but instead are designed to model a specific

aspect of the semantic properties of the program.

The assertion on the entry arc to the program

represents what is known about the variables at the

start of execution. For each other type of program

node a transformation specifies the assertion

associated with the output arc(s) of the node in

terms of the assertions on the input arc[s] to the

node and where relevant the content of the node.

Hence we have established a system of equations

between the local assertions which can be solved by

successive approximations [Cousot [1977] ]. Starting

from no information on each arc, this resolution

consists in propagating the entry assertion around

the program graph by application of the transforma-

tion described for each type of node until stabili-

zation. All possible paths are followed pseudo-

parallely with synchronization on junction nodes.

It is assumed that each cycle in the program graph

contains a specially marked junction node which is

called a loop junction node. In order to ensure

stabilization the transformation for a loop junctim

node will be an approximation of the transformation

for ordinary junction nodes. More precisely let

P. ., . . . . Pimj be the assertions associated with11 J

the input arcs of a junction node at step j. Let

Qi be the assertion associated with the output arc.,

of this node. Then Qj = f(P. ., . . . . P. ). For11 J lmj

a loop junction node we have

Qj = Q.~-1 Vj f(Pi,j, -.-, Pimj) where the tiiu’e?zing

operation V. performed at step j is such that

{Q VjP=>Q} ‘and {Q VjP*P} and for any chain

{PO=> PI=>.,, =~P. =>,,,} the chain QO=PO,

Ql=QOvlpl> . . . . ~j=Qj_lVjpjJ . . . is not an infinite

strictly increasing chain.

In the examples we shall use the algorithm

described loosely above and in more detail in

Cousot[1976].

3. FORMALREPRESENTATIONSOF LINEAR RESTRAINTS AMONGVARIABLES OF A PROGRAM.

3.1. Linear system of a convex polyhedron.

Letxl, . . . . Xn be the variables of the program.

For simplicity we assume that the values of the

variables belong to the set I? of reals. The set of

solutions to a system of linear equations

{~~=l[a!xi)=bj : j=l..m} (where a!, bj~~], if such

solutions exist, is a linear varie>y of I?n . Alinear variety of dimension n-1 is an hyperpzane.The set of solutions to a linear inequality

x~=l “(axl)sb is a ebseci ha2&spaee of Rn. Fors~mplicity, strict inequalities are not considered,

By Linear restraint we mean either a linear Bquality

or a linear inequality. In the formal reasoning we

often consider that an equation can be viewed as

two opposite inequalities.

A subset C of R is said to be convex if and

only if {’v’xl, X26C, VA6[ 0,1], Axl+(l-A)x2e C}. For

example linear varieties and half-spaces are convex.

The intersection of two convex sets is convex, but

the union of two convex sets is not necessarily

convex.

The set of solutions to a finite system of line=

inequalities can be interpreted geometrically as the

closed convex polyhedron of IF/ defined by the

intersection of the closed halfspaces corresponding

to each inequality.

3.2. The frame of a convex polyhedron, weyl [1950],Klee[1959], Charnes[1953].

Let Vl, . . . . Vp be vectors in I?n . A vector of

the form ~~.l(V.Vi] where for each i=l ..p we haveV, ● ~ is calle~ a zinea~ ~ombination of the V..

T/ie set of all linear combinations of the V. islthe

linear vapiety generated by the V.. A basis of a

linear variety L is a minimal setlof vectors

generating L.

A vector of the form Z~.l[U.Vi) where for eachi=l..p we have u.c~+ = {PcF? : u20} is called a

positive eombina~ion of the Vi. The set of all

positive combinations of the Vi is the eoniea2 huZ

of the V..

A vec%or of the form X~=l(AiVi) where for each

i=l..p we have ~. <m+ with Z?~=l[x.)=l is called aconvex eombinati&z of the vi. Thelset of allconvex combinations of the V i is the convex hullof the V..

A ve~~em of a polyhedron P is a point x of P

which is not a convex combination of other points

of P: {(x=Z~=qAixi) and [Vi=l. .p, xicP and Ai20)

and I~=l[li)=l} implies {Vi=l. .p, [ki=O or Xi=xl}.

A ray of a polyhedron P is a vector r such that

there exists an half-line par~llel to r and entirely

included in P : {VXCP, VUelR , x+~rcP}. +Two rays

r and r’ are equal if and only if {]ue~ : r=Ur’}.

A ray of a polyhedron P is called an exkreme ray

if and only if it is noi. a positive combination of

other rays rl, . . . . rfl of p:

{Vj=’1. .q, (u.=01 or (r.=r)}. Intuitively, a ray

(extreme ray; of a pol~hedron is a point (vertex)translated to infinity.

85

A Zin.e of a polyhedron P is a vector d such

that both d and -d are rays of P: {VX,P, ‘d~,lR,

~+lldcp}. A polyhedron which contains at least one

line is called a e.g2inda~. The linear variety

generated by all the lines of a cylinder is the

greatest linear variety included in the cylinder.

A polyhedron that contains no line has only a finite

number of vertices and of extreme rays.

A bounded poLyhedrWz has neither lines nor rays.

Each point of a bounded polyhedron is a convex com-

bination of the vertices of the polyhedron so that

a bounded polyhedron is the convex-hull of its

vertices.

Each point x of a polyhedron P which is not a

cylinder can be expressed as

combination of the vertices

of a positive combination of

{r,, . . . . rp} ofP:

la,, .,., Aflc[o,ll, ;Lll, . . .

the sum of a convex

Sl, ,.., so} ofPand

the extreme rays

UPCIR+:f=l[Ai)=l

Let L be the greatest linear variety included in

a cylinder P. Let L’ be a linear variety orthogonal

to L. Then the intersection of L’ with P is a

convex polyhedron which contains no line and which

is called a section of P. Each point of a cylinder

can be expressed as the sum of a convex combination

of the vertices of a section of P, a positive

combination of the extreme rays of this section and

a linear combination of the vectors of a basis of

the greatest linear variety included in P.

By misuse of words the vertices and rays of a

cylinder will be the vertices and rays of a section

of that cylinder.

A closed convex polyhedron P can be characterized

by three sets S = {sl, . . . . so}, R = {rl, . . . . ro],

D={d], . . . . dd}of vectors of R“ called the j%mme

of the polyhedron as follows:

{X6P}+>{+A,, . . . . +[o,l], ill,, . . . . pnel?+,

3V1, . . ..va<m : Z:=; (ai)=l ~=q ;aisi) +and x =x’?

Z:=q (lJjrj) + Z~=l(vkdk)}.

We have two equivalent representations of a

closed convex polyhedron either as the set of solu–

tions of its system of linear restraints or as the

convex hull of its frame.

Ezamp2e.’ The polyhedron defined by the following

system of restraints: {x1~2, xz~’l, X1+2X226,

X1 -2x22-6} is spanned by the following frame [see

the diagram]

vertices: d:o:pl ;<(3extreme rays:

o’r2=

1no line,

2x4

~fi

..,,..

2

11 *

End of example. o 2 4 X1

Before looking at the problem of conversion bet-

ween these representations we need some definitions.

A j%ee of a polyhedron P is a convex polyhedronFsP such that if a point x lies in F then each

segment included in P and containing x is included

in F: {xcF, p,qcP, 1<[0,1] and x=Ap+(l-A)q} => {pEF

and qeF}.

The a%nensicm of a polyhedron P is the dimension

of the least linear variety containing P.

A face of dimension k is called a k-face. An

edge is a l-face. The vertices of a polyhedron

containing no line arenits O–faces Jthus a cylinder

has no O-face]. Let Zi=l [aix ) s b be a linear

inequality defining the polyhedron P. Then if the

intersection of the hyperplane defined by H =. .

{x : ~~=q(aixll=bl} with P is not empty, it is a

face of P.

We say that a point s saturates the inequality

[aixl) s bi if and only if X~=qZ;=l “ [aisil = bi.

We say that the ray r satu~ates this inequality if

and only if X~=l[airl)=O.

Let 6 be the dimension of the greatest linear

variety included in the polyhedron P. Two vertices

are said to be cz~aeent iff they lie on the same

edge (i.e. if 6*O we mean the edge of the section).

It follows that the number of inequalities saturated

at the same time by two adjacent vertices is at

least n-&1.

Two extreme rays are said to be czu?jaeent iff they

belong to the same 2-face. Therefore they saturate

at least n-~-2 inequalities simultaneously.

Finally, a vertex s and a ray r are adjacent iff

s lies on an infinite edge which is parallel to r.

Therefore s must satur~te all the inequalities

satured by r.

3.3. Conversions between the representations of apolyhedron by a system of linear restraintsand by a frame.

Some operations that we have to perform on closed

convex polyhedra are easy when these polyhedra are

represented by systems of linear restraints while

others are more simple when the frame representation

is used. Hence we must be able to make conversions

from one representation to the other.

3.3.1. Conversion from the frame to the linearrestraints representation.

This conversion consists in finding a system of

restraints for the convex–hull of the elements

[points, rays, lines] of a frame. This conversion

is followed by a simplification of the system of

restraints.

3.3.1.1. Convex-hull of a finite frame.

Let S={s], . . . . so],R={rl, . . ..rP}. O={dl, . . ..d6}

be the frame of a non-empty polyhedron (so that S#O).The points x of this polyhedron are characterized bythe existence ofkl, . . . . kd, pl, . . ..po. vl, . . . .

V <I? such that:6

- O<ai<l for i=l, . . ..o

-+=4 [Xil =1

- OS~j for j=l,

–X=l :=l(A.S.11

. . . P

6+ 1P (U, r.) + Zk=lJ=l J J ‘Vkdk)

86

Hence this polyhedron is characterized by a systemn+rJ+p+~

of linear restraints in 3? upon the variables

‘1[1=1 ..n), ki(i=l. .o), Vj [j=l. .D), vk[k=l. .dl.

Eliminating the Ai,uj,vk we get a system of linear

restraints in lRn . This elimination can always be

done by the projection operation used in Kuhn[1956].

Let us represent the system of m inequalities byAX<B where A is a mxn real matrix and B a m-vector.

In order to eliminate the variable Xc we project

according to the column c upon AXSB in order to get

a—

simplified projected system defined as follows:

For each row A1 such A~=O, the restraint AIXSB1

is part of the projected system.

For each two rows A11

and A’z such that

A~l .A~2<othe restraint [lA~ll.A12+[A~21.A11]x<

lA~l\.B12+ lA~21.B1’ is part of the projected

system.

The projected system contains only zeros in thecolumn c,hence it is independent of Xc.

Example: Eliminating X in the system

End of examp2e

The convex-hull of the frame S, R, O is computed

by successive approximations Pl, P2, . . . . Po+p+~

as follows:

- Pl is the point sl so that the corresponding

system of restraints is (X=51). Then for each

i=2. .0, Pi is the convex-hull of P. and the point1–1

Si. Therefom{xcPi} if and only if {jxlsPi_l,

iac[o,l] : x=Axl+[l-A)si}. If AXSB is the system of

restraints describing P it can be shown that thisi–~

is equivalent to {]lcIR : OSASI and AX+AIAsi-Bl<Asi}

Then by a projection according to the column of 1,

k can be eliminated to get a system of restraints

of Pi.

- For each j=o+l, . . ..o+p. P: is obtained by , ad-J

joining the ray r. to P. IfP. correspondsJ ‘U ~-l” J-l

to AX<X, this consists in eliminating v in [u>O,

AX-pAr. <B].J ‘IS

- For each k=cr+p+l, . . ..o+p+d. Pk is built from Pk_l

by adjonction of the line dk-[a+pl” If ‘k-1 ‘s

described by AXSB, this consists in eliminating v

in (AX-vAd <B] .k-[cr’p)-

Finally, P is theo+p+13

convex-hull of S, R and O.

. The frame of a polyhedron in l?’is given by

‘::[{)(i)l R = Ic)l ‘=IC)[

The first approximation P1={sI} is defined by the

system of restraints [xl=l, X2=-I, X3=O). The

second approximation P2 is the convex-hull of PI

and {s2] that is [OSkSl, X1-2X=-I, X2+2X=1, X3=OI.

Eliminating A we get (X3=0, X1+X2=0, -ls.lsl,

-l<x’<l]. P3 is obtained by adjoining the ray

[0,0,1) to P2 that is (u>O, X1+X2=0, -IsxIsI,

-Isx’<1, X3-U=O). Eliminating p we get [X1+X3=0,

-1<.1<1, -l<x’<l, x3xl). The last approximation Pq

is the convex-hull of P3 and the line [1,1,01 that

is [x1+x2-2v=0, -lsxl-vsl, -lsX2-vsl, X3ZCI).

Eliminating v we get the final solution [X3>0,

-2<X1-X*S2).

End of example.

3.3.1.2. Simplification of a system of linearinequalities.

It is often the case that projections lead to

projected systems of restraints containing a great

number of irrelevant restraints which can be elimi-

nated without changing the polyhedron represented

by the system of restraints. For the sake of

efficiency these irrelevant restraints must be ex-

cluded. Knowing a frame of the polyhedron, the

corresponding system of linear inequalities can be

simplified according to the following remarks due

to Lanery[1966]:

- An inequality which is never saturated by a vertex

of the frame is irrelevant.

- An inequality which is saturated by all vertices

and all rays of the frame represents an equality.

All the equalities are found in that way.

- Let Cl : [alxsbl) and C2 : [a2xsb21 be two

inequations of the system of restraints which are

not equations. Let G be the quasi-ordering

defined by {CIGC2} e>{{Vs~S, (als=bl) >

[azs=bzl} and {VreR, [alr=O) ~ [a2r=O)}}. Hence

C1EC2 means that C2 is saturated by any vertex

or ray saturating Cl. If C,ECz but not C2EClthen

Cl is irrelevant. If CIGC2 and C2ECI then one

and only one of the inequations is irrelevant so

that one of them can be excluded.

Applying these results to a system of restraints we

oLtain a minimal system of restraints (with no

irrelevant inequality) corresponding to the same

polyhedron.

3.4. Conversion from the linear restraints to theframe representation of the polyhedron

Based on the pivot method of linear programming,

numerous algorithms have been designed to find all

vertices of a convex polyhedron [Balineki[1961],

Lanery[1966], Manas-Nedoma[1968], Mattheis[1973],

Oyer-Proll[1977] 1. We shall give a brief descrip-

tion of Lanery’s method which is general enough to

find a frame (vertices, extreme rays, lines) of a

convex polyhedron. We first recall some elements

of linear programming (Simonnard [1973]].

87

3.4.1. Basic concepts of linear programming

A system of linear inequalities:

[3.4.1.1] (Z~=fl [a~xil<bj : j=l..m)

can be written in the equivalent form:

( Zni=l(a~ xi)+YJ ‘bj, yj20 :j=l ..ml.

Hence a system of restraints can be written in

standard form:13.4.1.2] AX=B, XE20

where A is a (n+m)xm real matrix, B is an m-vector

E={n+l, . . . . n+m}, F={’1, . . ..n}. The variables

{xi : icF} are the initial var{ables, the

{xi : i<E} are the .sLaek variables.

A basis of the system [3.4.1.2] is a non singular

mxm submatrix AI

of A. The system can be written in

canonicat form with respect to the basis Ay:L

[3.4.1.3] X1+(A~’AJ)XJ = A~lB, XE20 where

J={l, ... ,n+m}-10 The variables xl such that ~-cl’

are said to be in basis. The basis A. is feasible1-

if and only if [A~lB]E>O. Two feasible bases AI and

AJ are said to be a~aeent if and only if the

cardinal of the set InJ is equal to m-l. If two

bases are adjacent the classical pivot operation

transforms the system written in canonical form with

respect to AT into an equivalent system in canoni-

cal form with respect to AJ-

The art{ficia2 basis

method which is the initialization step of the

s-impzez method transforms the system of restraints

[3.4.1.2] into an equivalent system in canonical

form [3.4.1.3] with respect to a feasible basis of

[3.4,1.2] whenever such a basis exists.

3.4.2. Principles of Lanery’s method.

The graph of the adjacency relation on the set

{AI} of feasible bases containing all initial

variables [i.e. such that FcI] is connected. Hence

given such a basis we can by successive pivoting

operations and an exhaustive traversal technique

find all feasible basis of a given system of res-

traints.

- If AT is a feasible basis such that FcI then the

Fvectorl(A~lB) corresponds to a vertex of the convex

polyhedron defined by the system of restraints. To

each vertex of a polyhedron containing no line

corresponds at least one feasible basis. If two

vertices are adjacent then there are two adjacent

feasible bases respectively corresponding to them.

- Let [AX=B, XE201 be the canonical form of a syst~m

of restraints with respect to the feasible basis AI

containing all initial variables. Then Lanery

shows that if a column i c[E-1] satisfies theo

condition:

[3.4.2.1] {V.jc[l,m], {Aj>O} ~ {Vk6[EOI], Aj=O}}% K

then the vector r~Rn defined by rl=-A~~ where

is[l,n] and j is the unique index such”that A$ =1o

is an extreme ray of the polyhedron. Applying thisresult to each column i. verifying [3.4.2.1] in each

feasible basis corresponding to a vertex s, we find

all extreme rays adjacent to s. Since each extreme

ray of a polyhedron that contains no line is adja-

cent to a vertex we can find all extreme rays of

such a polyhedron.

- For polyhedra containing a line there is no

feasible bases containing all initial variables.

Hence let [AX=B, XE~O) be the canonical form with

respect to any feasible basis AI-

Let iOc[F-ll be

a column satisfying the condition:

[3.4.2.2] {Vjc[’l,m], VkeI, {A! zO}= {A~=O or keF}“ 10

Let d[io)be the vector of ~ the i-th component of

which is defined by:

d[ioli = ~~ i.io then 1

elsif -Ajo {where j.iEI then is the10

unique index such

that A~Q =1}

else O fi; o

Then Lanery shows that d[io ) corresponds to a line

of the polyhedron.

Alsn if the basis AI is such that each io< (F-l)

verifies the property [3.4.2.2], then the set

{d(io] : ioc(F–l)} is a basis of the greatest linear

variety contained in the polyhedron.

3.4.3. Algorithm for finding the frame of a convex

polyhedron.

Let AX<B be a system of m linear restraints

among the variables XeRn.

1-

2-

3-

4-

Build the standard form AIO]X=BIO], XE20, where

xclRm+n .

Apply the first step of the eimplex method.

If there is no feasible bases, the polyhedronis empty. Otherwise we get the system

AII]X=BII], XE20 in canonical form with respect

to the feasible basis A11

with [BII]IE>O.

While there exists an initial variable staying

out of the basis and satisfying [3.4.2.2] per-

form a pivoting which puts this variable in the

basis by removing a slack variable from the

basis.

We get a system A[21XsB[21, XE20 in canonical

form with respect”to the basis 12. Two subcases

must be considered:

4.1.If all initial variables are in the basis

[Fc121, then the polyhedron contains no line

and a vertex has been found. Then traverseexhaustively all feasible bases of the sys-

tem and note at each step the vertex and

the ray that are found. An efficient algo-

rithm for this travel is given by Oyer-

Proll[19771.

4.2.The initial variables X1l , . . . . X16 possi-

bly remaining out of the basis verify

[3.4.2.2]. So {d[iI), . . . . d(id)} is a

basis of the greatest linear variety

contained in the polyhedron. The following

system of retraints

88

{AXSB, XJ=I d[ik]JXJ =0, Vk=l. .d} defines a

new polyhedron P’ which is a section of the

initial polyhedron. Applying the algorithm

to this new system of restraints case 4.1 is

applicable since P’ contains no lines so that

the algorithm terminates.

Esmrnpze: Let us compute a frame of the polyhedron P

corresponding to the following system of restraints:

[

-x~+x~-xj < 0

[s1] -xl < -’l

–x~-x~+x~ < 0

-x~+x~ s 3

l-Using the matrix notations for denoting systems

of equations the standard form of [S1] is:

x’ X2 X3 x“ X5 X6 X7 I

-1 1 -11000 0

[so]:;_;;:::: -:

0 -110001 3

The system [S2] is in canonical form with respect

to the infeasible basis A{4,5,6,7}”

2-The artificial basis method supplies the system

[S3]in canonical form with respect to the basis

‘~m

3-Then we put into the basis as many initial

variables as we can, we get the basis A{2,1,6,7}:

‘S’]m

4-The initial variable X3 remains out of the basis

and cannot be put into the basis whithout getting

X2 out. The third column verifies [3.4.2.2J. Hence

the vector d=[O,l,l] is the only line of the poly-

hedron P. Let us build the system of restraints of

a section P’ of P.

[

–X1+X*–X3 s o

-xl < –1

[s51 -X,-X2+X3 s o

-X2+X 533

X2+X =03

Applying (1) and (2] to [s5] we get the canonical

form with respect to the feasible basis A{2,3>1>6,7}

which contains all initial variables. Thus we have

found a first vertex of P’ and we start the tra-

versal of the graph of vertices:

X1 X2 X3 X* X5 X6 X7

01 0 ‘V2 -’V2 o 0 1/2

001 -1/2 1/2 0 0 -1/2

[s6] 1 0 0 0 -’1 0 0 ‘1

0001-21 0 2

Ooofi -lo 1 4

Basis: A{2,,,1 >6,7}

Vertex: s1=[1,1/2,-1/21Column 5 satisfies [3.4.2.1]

Ray : r~=[l,l/2,-l/2)

Adjacent feasible basis: A{2,3, 1,!+,7}

xl X2 X3 X4 X5 X6 X7 I

0100 1/2 -1/2 o -1/2001 0 -1/2 1/2 o 1/2

[s71 ‘1 o 0 0-1 0 0 1

0001-21 0 200001-1 1 2

Basis:A{2>3,, >4,7}

Vertex: s2=(l,-1/2,1/2)No column satisfies [3.4.2.1]

Adjacent feasible bases: A{2,3, 1>6,7}

already found

and A{2,3,1>+>5}

010000 -1/2 -3/2

o 1 0 0 0 -’1/2

[s81: o 0 0 0 -1 13/2

3

0001 0 -’l 2 6

00001-1 1 2

Basis: A{2,3,1,4,5}

Vertex: s3=[3,-3/2,3/21

Column 6 satisfies [3.4.2.1]

F?ay: rz=[l,O,Ol

Adjacent feasible basis: A{2,3,,,4,7}

already found

All feasible bases that contain initial variables

have been found, the algorithm terminates with the

following frame for P:

[S = {[1,1/2,-l/2),(1,-’l/2,l/2),[3, -3/2,3/21},

R = {[1,1/2,-1/2)>(1,0,0)},

o = {[0,1,1)}]

End of exaqle.

3.4.4. Simplification of a frame

Lanery[1966] proposes a method for eliminating

all irrelevant members of a frame when a system of

restraints of the polyhedron is known. This method

is the dual of the one given at paragraph 3.3.1.2.

for simplifying a system of inequalities. Lanery’s

method is based on the following results:

- A vertex or a ray saturating no inequality is

irrelevant.

- A ray saturating all restraints corresponds to a

line.

- If e~ and e2 are two vertices or two rays [which

are not lines) in the frame the quasi-ordering G

is defined by:

{el=ez} <=> {every inequality satured by el issatured by ez} then:

{elEez} and {e2#el}imply that el is irrelevant

{elzez} and {ezzel} imply that one but only one ofthe two elements may be eliminated.

89

3.5. On the use of two representations forassertions.

The search for the frame of a polyhedron as

described above may become very expensive although

many important optimization are possible. The

number of vertices of a polyhedron generated in I?n

by m inequalities is known to be bounded only by

functions increasing very quickly with m and n,

Saaty[1955], Klee[1964]. So the use of this method

should be avoided except when applied to polyhedra

which are thought to have very few vertices.

However the use of two representations is necessary

for the following reasons:

Some operations like the convex-hull of two poly-

hedra can only be performed on the frame

representation, others like widening require the

restraints representation.

In order to define the inclusion relation between

two polyhedra it is very useful to know both

representations. Indeed PIGP2 if and only if

each element of the frame of PI satifies the

restraint of P2.

It appears that it is difficult to simDlifv one,.representation without knowing the other one and

neither can be used efficiently without simplica-

tions. So we shall build at the same time and in

a consistent way the systems of restraints and

the frames of the polyhedra. Both representations

will be simultaneously used to represent the

assertions. Experience shows that this redundant

representation is much less expensive than the

frequent use of conversions.

4. TRANSFORMATIONOF LINEAR ASSERTIONS BY ELEMEN-TARY LANGUAGECONSTRUCTS.

Given the flowchart representation of programs

we now give for each type of program node a trans-

formation specifying the assertion associated with

the output arc[sl of the node in terms of the as-

sertions associated with the input arc(s) of the

node and where relevant the content of this node.

The conditions of Cousot[1977] guaranteeing the

correctness of these transformations apply to the

specific case analyzed here.

4,1. Program entry node.

In some cases [parameters of procedures] the re-

straints on the input variables may be known. In

this case they constitute the assertion associated

with the input arc. Otherwise the variables are

assumed not to be initialized so that they satisfy

no restraints. Hence the vector 0+ their values

may be any point of 113n where n is the number of

variables involved in the program analysis. Thecorresponding polyhedron is given by a system with

no restraints and equivalently by the frame con-

sisting in:

- The vertex which is the origin of IRn

- No ray

- The lines all,... dn such that for every i=l..n,

d~=l and d~=O,for j=l..n and jzi.

4,2. Assignment.

Let {A,B,S,R,O} be the representation of the

input assertion P corresponding to the polyhedron

AXSB the frame of which is S={Si : i=l. .d},

R={r, : j=l. .p}, O={d, : k=l ..6}. Then the rep-J ,,

resentation of the output assertion P’ after the

10assignment X :=EIXI is given by

loassign [P, x :=EIx]I = {A’,B’,s’,R’ ,01}.

4.2.1. Assignment of a non linear expression.

If the expression E[X] is not linear it is as-

10sumed that any value of lRcan be assigned to X .

10.=E(X] nothing isHence after the assignment X .

loknown about the value of X . Therefore X’” is

eliminated from the system of restraints AXSB by a

projection along the column 10 ($ 3.3.1.1]. For the

frame representation this consists in adding the

line d [such that d, =1 and di=O for every j=’1..n‘o .

different from l.] to the set of lines O. Then in

general the representation {A’,B’,S’,R’,0’} of P’

is not minimal and must be simplified (53.3.1.2

and $3.4.4].

Example: Let n=2 and P be the input assertion rep-

resented by the system of restraints:

( X1+X2 5

The frame representati~n is S={ (2,31,(4,11},

R={ [I,I),(I,O)}, D=O. The geometrical interpret-

ation is:

\OL e

5 xl

The output assertion P’ after the assignment

X2:= XI*X2 is {XI>O, X122}, the frame of which is

S’={ (2,3), [4,1)}, R’={[l,ll, [1,01}, O’={(O,l l}.

Simplifying we get {xI>Z}, S’={[2,3)}, R’={ [1,01},

0’={(0,11] that is:

xl

o

90

The approximation is obviously verysubstitution of XI*X2 for X2 in the

constraints would lead to:

I

X2 s X1+[X112

X2 ~ xl

X2 25X1-[X112

However the corresponding domain is

coarse since

input system

the

of

not a polyhedron

and this situation is hardly manageable:

X2 1“”””””””””’”””””””~~~,

Note however that the exact domain is covered by

the approximate domain (Cousot[1977]]. Also, a

more precise analysis is feasible. For example

{XI>O, and X2ZO} implies {XI*X2>O} or the assign-

mmt x := Y**2 implies that x is greater than orequal to zero.End of exmple.

4.2.2. Assignment of a linear expression

The assignment is of the form X 10:= Eni=l[aiXi)+b

where a is a n-row vector of integers or reals and

b is an integer or a real. The transformation con-

sists in an alteration of the basis of the space

TRn. The output assertion P’ is defined by the

frame {S’,R’ ,0’} computed as follows:

- S’={s;, ...,1

s:} where s; is defined by s! 0= asi+b1. 1

and S“=sl where l.’l..~ with 1=1i< 0“

- “={r;,..:,r;} where rj is the vector defined W

SIo= ~r, and r,l 1‘j ‘r. for 1=1..n and l*lO.

- D’={d;, .?.,d~}JJwhere d’

kis the vector defined

7 ,.

by d~’”. adk and d’~=d~ for 1=1..n and Izlo.

The system of restraints corresponding to P’ can be

obtained as the convex-hull of the frame {S’,R’,D’}.

However, following Karr[1976] this system of re-

straints can be computed directly.

4.2.2.1. Invertible assignments

The assignment is of the form X10

:= z!~=q(aiXi)+b

a 10*O. The fact that alO#O allows us to carry over

10our knowledge of the previous value of X to tha

10new value of X . To see this, denote the values

of the variables by X before and by X’ after the

invertible assignment statement. Then for 1=1..n

l=X1 whereas X’10

and 1Z1O we have X’ =aX+bC There-

fore X = MX’+K as defined by

XIO = (X’lO-Z ~=lO(alX’lO)-b]/a1“

Also {AXSB} is equivalent to {(MA]~’ < (B-AK)} which

leads to the output system of restraints satisfied

by X’.

4.2.2.2. Non-invertible assignments

~f alO=O then we cannot solve X’ in terms of X

so that some information is lost by the assignment.

Hence XIO is eliminated from the input restraints

by a projection operation. The case is similar to

the one of the assignment of a non-linear ex-

pression

adjoined

Example:

Let P be

10except that the restraint X = a)(+b is

to the resulting system.

the input assertion defined by

i *o 2 5 x

1

The assignment X2 :. xl+’l is not invertible. The

elimination of x2 in the input system of restraints

leads to {X122}straints is:

so that the output system of re-

[

X122

X2-X1 = 1

The assignment

Xl=x’l and x2 =

input system of

X2

3 /

~x

1

X2 : xl+xz/z+’l is invertible so that2X’2-2X’ 1-2. Substituting in the

restraints we get the output system:

3 ‘2

7

-3

4

2

End of example.

4.3. Test Nodes

Let P[A,B,S,R,D) be the assertion associatedX1=X” for l=[[l,n]-{lo})

91

with the input arc toboolean condition C.

Pf[Af,Bf,Sf,Rf,Dfl be

respectively with thetest. Obviously Pt=P

a decision node testing somE

Let Pt(At,Bt,St,Rt,Ot) and

the assertions associated

true and false exits of the

and C and Pf=P am! not(C1.

The condition C is said to be linear if and only if

i.t is of the form aXsb or aX=b where a is an

n-row-vector of integers or reals, X is the

n-column-vector of program variables and b is an

integer or a real.

4.3.1. Non-linear tests.

If C is not a linear condition we “ignore” thetest by putting Pt = Pf = P. This is certainly

valid, but it may not be as much information ascould be gathered. As for non linear assignments

specific studies can be made of how best to handle

test conditions which are not linear [for example

{Log[x]aO} implies {xzl}].

4.3.2. Linear equality tests.

When C is a linear condition let H be the

hyperplane {X=lRn : aX=b}.If C is of the form aX=b then either P is includedin H in which case P ‘P and P =0 or P is not in-t feluded in H in whicn case Pt=PnH and Pf=p. Note

that {AXSB and aXzb} is approximated by {AXSB]

since the domain {XeJRn : AXSB and aXzb} is not,

in general, a closed convex polyhedron.

The frame of PnH is found thanks to the fol-

lowing results:

1 - Each vertex s of PnH lies on an edge of P

2

3

according to one of the following alternatives:

1.1-1.2-

1.3-

1.4-

Each

2.1-

2.2-

2.3-

s is a vertex of P that belongs to H,

there are two adjacent vertices s] and S2

of P such that S.~Sl+(l–k)SZ where

A=(b-asZ)/(asl-asz) belongs to [0,1].

there are a vertex S1 and a ray rl of P

such that sl is adjacent to r] in P and

s=sl+~rl where V=(b-asl)/arl is positive.

there are a vertex sl and a line dl of P

such that s=sl+vdl where v=[blasll/adl.

extreme ray r of PnH is either

an extreme ray of P that belongs to H

or, a positive combination of two adjacent

extreme rays rl and r2 of P: r=rl+~rz

where ~. ~rl/ar2 must be positive.

or the sum of an extreme rav r, of P and a

vector linearly dependant of a line dl of

P, that is r=rI-(arl/adl)dl.

Finally a vector d is a line of PnH if and only

if there are two lines dl and dz in P such that

d=dl-(adl/ad2)d2.

4.3.3. Linear ‘inequality tests

If C is of the form aX<b then Pt=[P a?zi? aX<bl

whereas P =f

[P and aX2bl.[Note that the inequality

is not strict since Pf

must be a closed polyhedron

and that we can write aXzb+l for integers].

As above, the determination of the frames of Pt

and Pf makes use of a frame [S’,R’,0’I of the inter-

section PrIH of P with the hyperplane H={XclRn : aX=b}.

The set St of vertices of Pt is {s<S : as<b}uS’.

If St ‘is empty then Pt is the empty polyhedron

whereas Pf

equals P. Otherwise St is not empty and

THe set Rt of extreme rays of Pt is {reR : ar<O} u

{dcO : ad<O} u {-dcO : ad>O} u R’. The set of

lines Ot of Pt is O’. A symmetric reasoning is

used to determine a frame of Pf’

The resulting

frames [St,Rt,Ot) and [Sf,Rf,Of) are not necessarily

minimal and must be simplified [5 3.4.4).

Exarrp L?: Let P be an input assertion defined by

{(X227, X1+XZ25> XI-X22-11, S=~s]=(4,11, SZ=(2,31},

R ={rl=[l,O), rz=(l,l )}, 0=0}. Let Pt and Pf be

the output assertions associated respectively with

the true and false exits of a test on the condition

X1+622X2 (that is aXsb where a=(-1,2), b=6 and X

is the 2-column-vector [X1,X2) ). Let H be the hype~

plane defined by the equation XI+6=2X2. The geo-

metrical interpretation is the following:

//at:; ..... ...... ... . Pf

In order to determine a frame of P’nH, it is necess-

ary to know the adjacent elements of the frame of

P. [s1,sz], (sl,rl), (sz,rz), (rl,rzl are adja-

cent, The vertex s’ of H corresponds to the case

4.3.2.1.3, that is s’ = s2+((b-as2)/ar2)r2 = [4,s),

The extreme ray r’ of FnH corresponds to case

4.3.2.2.2 that is r’ = r~-(arl/arz)r2 = [2,1].

A frame of Pt is given by St={SI,S2,S’}, Rt={rl,r’},

ot=O. A frame of Pf is given by Sf={s’},

92

Rf={r2,r’}, Df=O.

End of exomph.

Incorporating the ray r=[l,Ol of P2 in A’XSB’ by

elimination of u in {P20, A’x–BA’rSB’} that is

{p20, x~-x~+~.sl, OSX,-~Sl, X2>IJ} we get the convex-

4.4. Simple junction nodes.

Simple junction nodes correspond for example to

the merge of the “then” and “else” paths in a con-

ditional statement. More generally let Pl, P~,#..C

Pp be the assertions associated with the input arcs

to the simple junction node and P the output as-

sertion:

PI P, P..*

Y

P

P

p [p 1 does nOt necess-Then the output assertion ORi=I i

arilyco -respond to a convex polyhedron so that it

must be approximated by the convex-hull P of Pl,

. . ..PP which is the least polyhedron containing

Pl, . . ..P .P

Since the convex-hull operation is associative we

can assume without lost of generality that there

are two input arcs [p=2). Given PI(AI,BI,SI,RI,OII

and P2[AZ,B2,S2,RZ,02] the frame of

P = eonvez-ku22[Pl,P2) is S=S1US2, R=RIuR2 and

O=O1(JOZ. The system of restraints AXSB describing

P is obtalhed’by the convex-hull of the frame

(S,R,O) which can be computed by successive approxi-

mations [$ 3.3.1.11. As soon as the system of re-

straints {/4XsB} of P is known the frame [S,R,D) of

P can be simplified (3.4.41.

Nctice that convex-kuZZ[P1,P21 cannot be com-

puted directly from the systems of restraints

AIXSBI and A2XSB2. In order to avoid a costlj

conversion ($ 3.41 the redundant frame represen-

tation has been kept along with the restraints

representation. For the output assertion P the

conversion from frame [S,R,OI to restraints AXSB

representation is lese expensive [$ 3.3). Since

the system of restraints of PI (or P2) is known.

This conversion is optimized as follows:

eonvez-hu22({SluSZ, RluR2, 01u02})

– convex ku2Z[convea-huZZ[{Sl,Rl ,01}), {S2,R2,DJI—

– eonveti-huZZIAIXsBl, {SZ,R2,D2})—

so that starting from AIX<BL we can successively

incorporate in the convex-hull the elements of the

frame of Pz.

Example:P1={(X120,X220,X1+X2<I

Rl=O,=O}

P2={(XI>I,X2=2), S2={[

, s]= [0,01,(1,0),(0,1)},

,2)}, R2={[I,01}, 0Z=F3}

The convex-hull of Pl (given by AIXSB] and the

vertex s=(I,Z) of Pz-is-obtained (53.3.1.11 by

elimination of 1 in {Oskl, AIX+l(AIS-Bl )SAlS}.

Eliminating A in {Oskl, x1+121, XZ+2A>2,

XI+XZ+2k<3} we get the approximation A’XSB! given by{x*-X]<l, osx~sl, X220}.

hull of Pl and Pz given by {OSXZS2, x120, x2-x1~’1}.

End of exantpZe.

4.5. Loop junction nodes.

Each cycle in the program graph contains a loop

junction node:

PI ‘2 P● .*

Y

P

P

The corresponding transformation

P = PVconoe@zuZZ(P l,P2, . . .,PD) is defined by the

widening operation V. Let QI”(A1,B, ,S1,R1,O1) and

CJY(A2,B2,S2,R2,02) be two convex polyhedra. Then

QI V Qz is the convex polyhedron consisting in thelinear restraints of QI verified by every element

of the frame [S2,R2,D2) of Qz.

Examp Ze:

Ql ={ (-X1+2X2<-2,X1+2X2S6,X2201 J

S={ [2,01, [6,0),(4,1)}, R=O, D=O}

Q2 = (-xI+2x2<-2,xI+2xz<10,x220) ,

s={ [2,0], [10,01, [6,21}, R=O, 0=0}

QiVQ2 = [-xl+2xzs-2, x220)

End of example.

In order to compute the frame of Q1VQ2 it is

necessary to convert from the linear restraint rep-

resentation . Lanery’s method [$ 3.4) is known to

be expensive. However when applied after a widening

operation the cost remains reasonable because of

the following arguments:- In the widening QIVQ2 of Q, by Q2 a certain num-

ber of vertices of Q1 have been replaced by extreme

rays. Hence the widening operation eliminates

vertices, so that QlVQ2 can be assumed to have a

small number of vertices. Now it is the discovery

of vertices which is the most costly in Lanery’s

method.

- A frame of Q1 is known and Q1 is included in

0~VQ2. Therefore the initialization of the simplex

method needs not to be used. Moreover since any re-straint of QIVQ2 is a reetraint of QI it is highly

probable that the frames of QI and QIVQZ have

numerous common elements.

The correctness criterion of Cousot[1977] re-

called at paragraph 2 is satisfied since QIgQlvQ2,

Q2sQ1VQ2 and for every chain CoqClg. ..g Cn G...

The chain SO=CO, S1=SOTIC1, . . ., Sn=Sn-lvcn’ ““”

not an infinite strictly increasing chain since

each step n the number of restraints describing

is finite and less than or equal to the number

of restraints describing Sri-l.

is

at

sn

93

The definition of the widening operation must be

a balance between compelling the convergence of the

global analysis of the program [by throwing away the

restraints that do not quickly stabilize in the pro-

gram cycles) and discovering as much information as

possible about the program. Hence it is wise not

to perform widening operations at loop junction

nodes before gathering the information along the

program cycles containing that loop junction node.

Also the definition of the widening which we have

given is a tentative one. The experimentations that

have been carried out seems to corroborate our

choice but further studies are necessary to give a

definite conclusion.

5. GLOBAL ANALYSIS OF PROGRAMS,

We illustrate the global analysis of programs on

the following ad-hoc skeletal program which is

simple enough to allow hand computations:

{Po}

1:=2; J:=O;

{PI}

L:

{P,}

~~ . . . then{P,}

1:=1+4;

{P,}else

{P,}J:=J+I; 1:=1+2;

{P,}f<;

{P,}

go to L;

The test involving some non-linear condition is not

taken into account. Each assertion P;, i=O.,7 is

initially the empty polyhedron 0 and the input

assertion is propagated through the program graph:

~1 . ~zo , S={ [0,0]}> R=O, 0={(1,0], (0,1)}

F’; = czssign(czss@n.(P;, 1:=21, J:=O)

= {I=2,J=O}, S={[2,01}, R=O, 0=0

P; = convex-huLZ(P~,P~) = convex-Fn4L2(P~,0) = P;

p; . p: = pl2

PI = assign (P:,I:’1+41~

= {I=6,J=0}, s={[6Jol}, R=O, D=O

P; = aSS2@2[ass@(P~,J:=J+l ),I:=I+z]

= {I=4,J=I}, s={ [4,1]}, R=O, 0=0

P; = convex-hu2L[p~,P~)

= {I+2J=6,4<I<6}, S={ [6,0), [4,1)},

J+ J+

R=O, 0=0

1( P; 1*L

P;

o 2 6 I o 2 6 I

P; =

2=P3

p: .

2_P6 -

2_P7 -

J

1

When

eonvea–huZZ(P~,P~)

[2J+2<I, I+2Js6,0<JI, S={ (2,0), [6,01, [4,1)]>

R=O, D=O

p: . p22

assign(P~,I:=I+4)

[2J+6sI,I+2Js10,0sJ), s={ (6,D), (10,0), (i3,1]},

R=O, 0=0

assign(assign[P;,J :=J+l 1>1:=1+2)

[2J+2<I,I+2J<I0,1sJ)> S={ [6,2), (8,1), [4,1)},

R=O, D=O

convex-hu22[P~,P~)

(2J+2SI, 6SI+2JSI0,0<J),

S={ (6,0], (10,0), (6,2), [4, l)}, R=D=@

...-

$

0 i 6 10 1

the loop body has been analyzed a widening

operation takes place at the loop junction node L:

P: = P: v convex–hu22[P~,P~)

We have p; = (2J+2SI, I+2JS6, OSJ) and

convex-huZL(P~,P~) = (2J+2sI, I+2JsI0, OSJ) with

S={(2,D), (10,0), (6,01}, R=O=O, so that I+2Js6

which is the only constraint of P; not verified by

every element of the frame of eonvez-huZZ(P~, P~l is

eliminated by the widening operation.

J

tconvex-huZZ(p~ ,p~l

/

P; =

~3 _3-

P~ =

.

P> =6

P; =

o 2 6 10 I

{2J+2sI,0sJ}, S={[2,0)j, R={[I,O), [2,1)}, 0=0

3=P3P5 ~

czssZgn(P~,I:=I+4)

{2J+6sI,0sJ}, s={(6,01}, R={ [1,0), [2,11}, 0=0

assign[assign[P~,J:=J+l ),1:=1+21

{2J+2<I,ISJ}, S={(4,1)), R={(I,O1, (2,1)}, 0=0

convex-hu2Z(P~,P~)

{2J+2sI,6<I+2J,0<J}, S={[6,0), (4,1)},

R={ (1,01,( 2,11}, 0=0 /. ,J’

/fl~ 1

P36

,,,.

.......... P3“l’” ., ,,, ~i,1 P;

!,11! !;’ \ I

94

Then conoez-&LZ(P~,P~) is included in P; so that

the program analysis has converged.

The final result shows up linear restraints among

the variables of the program that never appear ex-

plicitly in the program text and often escape the

notice of anyone studying this simple example:

{o} : no information

{1} : 1=2, J=O

{2},{3},{5} ; ZJ+ZSI, J>ll

{41 : ZJ+&I, J>O

{6} : ZJ+ZSI, J>’1

{7} : 2J+2SI, MI+ZJ, J>O

6. EXAMPLE.

On the next example (HEAPSORT, Knuth[’1973,p.148]]

it is not possible to trace the details of the

analysis so that we directly provide the results

produced by our experimental implementation:

procedure HEAPSORT(integer vaZue N;

real cz~ray[l. .N] T);

{1}{2}

{3}

{4}

{5}

{61

{7}

{8}

{9}

{lo}

{11}{12}

{13}

{14}

{15}

{16}

{17}{18}

{19}

{20}

y]

{23}

begin intage~ L,R,I,J; reaz K;

L:=(N &V2)+l; R:=N;

if [L221 then

L:=L-I; {K:=T[L];)

else

{K:=TIRI: TIRl:=-r[l];} R:=R-I;

fi;white [R>2) do

I:=L; J:=2*I;

7J72iZe [JSRI do

if [JsR-1) than

if {TIJI<TIJ+II} then J:=J+I .fi;,fi:

if {K?TIJI} thenez~t {of the inner loop} ~i;

{T III:=TIJ];} I:=J; J:=2*J;

od;{T II]:= K;}

if L22 thenL:=L-I; {K:=TILI;}

e T-se

{K:=TIRI; TIRI:=T III;} R:=R-I;

j’i;{T II]:=K;)

od;end;

The procedure is analyzed with the input speci-

fication N22 (see Knuth [1973], P.146). This analy-

sis does not take account of the statements involv-

ing operations on arrays, . these statements such as

{K:=T[L];}have been bracketed in the text of theprocedure. The result of the analysis (taking

about 20 seconds of C.P.U. time) is the following:

{1}

{2}

{3}

{5}

{8}

{’lo}

{11}

{12}, {13]

Nz2

N22, Ns2LSN+I R=NNz2, NSZL<N+I, R=N, L22

Nz2, N<2L<N+I, R=N, L<2

R22, 2L<N+’1, R+3sN, 2L+2R+Is3N, L>’l,

R<N

R22, 2L<N+I, R+3s2N, IsL, R<N, 21=J,

L<I, 21+6L+R+18<12N, JsR, 2L+2R+I<3N,41+2L+I<ZR+3N

Rz2, 2L<N+’1, R+3s2N, ‘l<L, RsN, 21=J,

L<I, 21+6L+R+18512N, J<R-l,ZL+2R+I<3N, 41+2L+I<2R+3N

R+3s2N, La’l, RsN, Js21+I, 21sJ, LsI,

{15}

{17}

{19}

{21}

J<R, ZL+ZR+153N

J+2<21+R, 2J+2L<41+N+I, R+3s2N, IsL,

R<N, 7J+6L+R+18<121+12N, 21<JS21+I,

LsI, ZL+ZR+IS3N, 8J+2L+Is121+2R+3N

{15}, L22

{15}, Ls2R~’1, 2L<N+’1 , R+4<2N, 2L+2R+3<3N, L21,

I=KN

Once the above invariant assertions have been

discovered it is very easy using projections

(3.3.1.1) to check statically that all array

accesses are correct. Notice that some relation-

ships among the variables of the procedure are not

obvious and cannot be discovered by hand whithout

deep understanding of the program.

7. NOTES ON THE EXPERIMENTAL IMPLEMENTATION<

We have produced an experimental implementation

written in PASCAL on the CII-IRIS 80 computer. The

length of the program is about 2500 lines.

The systems of equations and inequations have

been represented for simplicity by real matrices

and this sometimes results in a loss of precision.

It seems very difficult to write the program so

that this loss of precision is acceptable that is so

that the relationships which have been found corre-

spond to a domain including any value that each

real variable can take during any execution of the

analyzed program. However the main applications we

have in mind (such as array bound checking) deal

with integer variables. In this case the coef-

ficients of the linear restraints are rationals,

which can be represented as fractions [p/q where

p and q are integers). Then the operations which

are performed on these coefficients (+,-,x,/l are

more costly but introduce no loss of precision.

We have noticed that programs involving numericalconstants are better handled when these numerical

constants are replaced by the declaration of a sym-

bolic constant. It is often the case that the

convergence of the analysis is faster althought the

systems of restraints are bigger.

It seems to be very difficult to evaluate the

cost of the analysis of a program. The cost of the

analysis does not only depend on the length [number

of lines) of the program but mainly on the com-

plexity of the program graph [number of loops,

degree of loop combination, etc...). It seems thatthe cost of an analy~sis almost linear in the

length of the program but exponential in the number

of variables involved in the analysis. From thispoint of view nested static scopes (such as ALGOL

68 blocks which authorizes very local declarations

or better EUCLIO with its import mechanism] is

useful since for example th=ables of an outer

block can often be analyzed independently of the

variables of the inner blocks whereas the vari-

ableof be inner block can often be analyzed using

only few global variables. In general it can be

taken advantage of the scope rules of the usual

languages.

We have deliberately taken the point of view notto take account of the legalitv restraints which

must

gram

take

that

95

hold on the variables. F~r example if a pro-

variable is used as an array index

~ccount of the fact that we should

the value of this variable must be

which do not

try to show

within the

array bounds. Taking account of such facts we

could propagate this information backward to the

loop junction nodes so that we would have a guide-

line for the widening operation. This would enable

us to combine the discovery and verification ap-

proaches.

Acknowledgements. We thank Radhia COUSOT for

helpful discussions on linear programming and

Mrs H.DIAZ for typing the manuscript.

8. REFERENCES

M.L.BALINSKI, An algorithm for finding all ve~tieesof convex po2.yhedra2 sets, J. Sot. Indust. APP1.

Mathem., 9, [March 1961]

A.CHARNES, W.W.COOPER and A.HENDERSON, An Introduc-tion to Linear Programing, J.Wiley, New-York,

[1953]

P.COUSOT and R.COUSOT, Static determination ofdynamic properties of@ograms, 2nd Int. Sym-

posium on Programming, B.Robinet(Ed.), Ounod,

Paris, [1976]

P.COUSOT and R.COUSOT, Abstracts interpretation: aunified lattice model for static analysis ofprograms by construction or approximation o-ffixpoints, Conf. Record of the 4th ACM Symposium

on Principles of Programming Languages,

[Jan.1977]

N.E.DYER and L.G.PROLL, An azgorithm for determinzkgall extreme points of a convex polytope,Mathematical Programming, 12, [1977]

M.KARR, Affine relationships among uariab2es of aprogram, Acts Informatica, 6, [197’61

V,KLEE, Some eha~actemkations of convex polyheha,Acts Mathematical, 102, [1959]

V.KLEE, On the number of vertices of a convexpo2ytope, Canadian J. of Mathematics, 16,[ 1964]

O.E.KNUTH, The art of computer programming, VOI.3,

Sorting and Searching, Addison-Wensley Pub.Co.,

Reading, Mass, [1973]

H.W.KUHN, Solvability and consistency for 2inearequations and inequalities, Amer. Math. Monthly,

63, [1956]

E.LANERY, Recherche d’un systdme g&&ateur minima2d’un po2y7?edre conoexe, Thbse de 3bme cycle, Caen,

France, [1966]

M.MANAS and J.NEOOMA, Finding a~~ vertices of aconvex po2yhedvon, Numerische Mathematik, 12,

[1968]

T.H.MATTHEIS, An algorithm for determining irreZ–evant constraints and alZ vertices in systems oaf2inear inequalities, Operations Research, 21,

[19731

M.SIMONNARO, Progrmation Lin6aire, Ounod, paris.

[1973]

N.SUZUKI and K.ISHIHATA, Implementation of an arraybound checker, Conf. Record of the 4th ACM

Symposium on Principles of programming languages,

[Jan.1977]

B.WEGBREIT, Property extraction in well foundedprope~ty sets, IEEE Trans. on Soft. Eng., vol.

SE-I, n03, [Sept.1975]

H.WEYL, The elementary theory of convex po2yhed~a,Annals of Math. Study, 24, [1950]

T.L.SAATY, The number of vertices of a polyhedron,Amer. Math. Monthly, 62, [1955]

96