APRON Library - Octagon Domain Implementation

Table of Contents

1. Introduction
2. Installation
3. Access to the Library from C and C++
4. Underlying Numeric Set
5. Precision of the Transfer Functions
6. Precision of the Predicates
7. The algorithm parameter
8. Widenings and Narrowing
9. Additional Transfer Functions
10. Unimplemented Features
11. Conversion with Polyhedra
12. Tools
13. Low-level Access
14. Access to the Library from OCaml
15. Links
16. Contact

Introduction

The APRON project provides a common interface for various numerical abstract domains with various expressiveness and cost versus precision trade-offs. This document describes the octagon domain implementation available within APRON. The octagon domain allows manipulating and representing conjunctions of invariants of the form ±x ±y ≤ c, where x and y range among a finite set of numerical program variables. In two dimensions, such invariants have an octagonal shape, hence the name.

Familiarity is assumed with the generic APRON framework as well as the octagon abstract domain (see external links).

Installation

Please see the README file included in the distribution for installation instructions.

Access to the Library from C and C++

Your C or C++ program must be linked with the following libraries:

• the octagon library -loctX (where X denotes the chosen numeric set; MPQ for instance);
• the APRON library -lapron;
• the GMP library -lgmp;
• the MPFR library -lmpfr;
• the standard mathematical library -lm.

The standard way to access to the octagon library is through an APRON manager. The manager is created as follows:

• include the oct.h file,
• create an octagon manager ap_manager_t* man = oct_manager_alloc();

Note that, when using a floating-point implementation of the octagon library, creating a manager will automatically put the floating-point unit into rounding towards +oo mode (using ap_fpu_init provided by APRON), as it is required to ensure the soundness of the transfer functions. Beware that this setting is global: it affects all the computations of the process, not only those occurring in the octagon library.

Underlying Numeric Set

The octagon library is compiled with a variety of underlying numeric set, distinguished using a suffix:

• I: integers with a plain "long int" representation;
• Ill: integers with a "long long int" representation;
• MPZ: arbitrary precision integers using GMP;
• Rl: rationals with a "long int" representation;
• Rll: rationals with a "long long int" representation;
• MPQ: arbitrary precision rationals using GMP;
• D: reals with a "double" representation;
• Dl: reals with a "long double" representation.

The choice of this numeric set affects the soundness, precision, and efficiency of the analysis:

• int and long types are subject to overflows, which may result in unsound results (no overflow checking is performed for efficiency reasons),
• double and long double types are subject to rounding, which may result in some loss of precision; rounding is always performed towards +oo, which ensures soundness;
• abstract transfer functions are inherently incomplete in Z, which results in some loss of precision;
• constraints on reals are soundly approximated when using numbers in Z,
• GMP types are much slower than native types.

Note that the underlying numeric set chosen for octagons is not related to the choice of double or GMP for ap_scalar_t types used as arguments in transfer functions. Type mismatches may result in extra over-approximation (but always in a sound way).

Precision of the Transfer Functions

Exact transfer functions are provided for the class of operations that are closed under octagons. These include:

• conjunctions with or conversions from constraints of the form ±x ±y ≤ c or ±x ≤ c,
• (possibly parallel) assignments and substitutions of expressions of the form ±x + [a,b] or [a,b],
• meets (i.e., intersections) of octagons,
• getting the bound of a dimension or an expression of the form ±x ±y + [a,b], ±x + [a,b], or [a,b],
• conversions to constraint sets,
• conversions from boxes,
• variable additions, deletions, projections, permutations, and expansions,
• topological closures (always identity),
• serializations and de-serializations.

Best transfer functions are provided in the following cases:

• join (i.e., union) of octagons,
• addition of rays,
• conversions from generator sets,
• conversions to boxes,
• variable folding.

The following transfer functions use some approximate polynomial algorithms and have no precision guarantees:

• conversions from or conjunctions with arbitrary constraints (a weakly relational approximation is used),
• (possibly parallel) assignments and substitutions of arbitrary expressions (a weakly relational approximation is used),
• conversions to generator sets (the whole universe is always returned),
• getting the bound of arbitrary expressions (interval arithmetics is used).

Additionally, the exactness or best-precision feature of an abstract transfer function is often lost when the MPQ underlying numeric set is not used, or the arguments have integer dimensions, or the user sets the algorithm parameter to a strictly negative value. Finally, the exactness or best-precision feature can be lost due to conversion between the underlying numeric type and user-provided ap_scalar_t types. The octagon library will set the flag_exact and flag_best manager flags accordingly in all cases.

Note that, due to interval coefficients, expressions may be non-deterministic, that is, correspond to a bunch of expressions. In case of assignments, substitutions, or bound determinations of non-deterministic expressions, or conjunctions with non-deterministic constraints, we considers the join of all results, when ranging over the non-deterministic set.

Precision of the Predicates

The following predicates are exact, i.e., they always return either tbool_true or tbool_false (provided that algorithm is greater than or equal to 0, that the octagon has no integer dimension, and that the MPQ underlying domain is selected):

• testing for inclusion, equality, emptiness, or universality,
• testing whether a dimension is unbounded or saturated by a given interval,
• testing for saturation by an expression of the form ±x ±y + [a,b], ±x + [a,b], or [a,b].

Note that, for non-deterministic expressions, tbool_false is returned as long as the saturation is not satisfied for at least one expression.

Testing for the saturation by an arbitrary expression is very imprecise. It always return tbool_top.

When algorithm is set to a strictly negative value, the octagon has an integer dimension, the MPQ underlying domain is selected, or the conversion from user-specified ap_scalar_t types to internal types resulted in an over-approximation, the predicate is sound but not exact: it is a semi-test. That is, it mainly returns either tbool_true or tbool_top. It can conclude that the predicate is definitively tbool_false only in very rare cases. The octagon library will set the flag_exact and flag_best manager flags accordingly in all cases.

The algorithm parameter

The algorithm field in the manager provides an implementation-specific parameter to set the required level of precision for transfer functions.

In the octagon domain, only two precision levels are recognised. They correspond to (with the exception of the widening):

• algorithm ≥ 0 is the normal precision: a transitive closure algorithm is used pervasively to achieve best precision transfer functions and results in transfer functions that have a cubic worst-case cost (in the number of variables),
• algorithm < 0 is the low precision: the transitive closure algorithm is not used, the best precision feature is not guaranteed, and transfer functions have a quadratic worst-case cost (many actually have a linear cost).

Widenings and Narrowing

Depending on the algorithm flag, one of the following widening algorithm is used:

• algorithm = 0: the right argument is closed, the standard widening is used: unstable constraints are forgotten. Thus, it converges in a quadratic number of steps, at worse.
• algorithm < 0: the standard widening algorithm is used but the right argument is not closed.
• algorithm = oct_pre_widening: this special value corresponds to a pre-widening. It does not enforce the convergence by itself but can be safely intermixed with a regular widening to improve the precision of the sequence, without jeopardizing the overall convergence. As long as a regular widening is applied infinitely often, the sequence will converge in finite time. (Note that intermixing a regular widening with a join operator will result in a diverging sequence. Thus, the join is not a pre-widening. Our pre-widening is actually a join without the closure application.) Use with care!

The ap_abstract0_oct_widening_thresholds provides a widening with scalar thresholds. For each constraint of the form ±x ±y ≤ c or ±x ≤ c where the bound c is not stable, the widening replaces c with the scalar immediately greater in the user-supplied list, or +oo if it is greater than the greatest supplied scalar. The list must be sorted in strictly increasing order. (Note that this operator is not exactly the same as the generic ap_abstract0_widening_threshold function which is synthesized from ap_abstract0_sat_lincons and ap_abstract0_meet_lincons_array.)

The ap_abstract0_oct_narrowing function implements the standard narrowing: it refines only those constraints that have no finite bound. Thus, it converges in a quadratic number of steps, at worse.

Additional Transfer Functions

The octagon library provides a few functions not generic enough to be included in the APRON library. They share the ap_abstract0_oct_ prefix.

Additionally to the widening with thresholds and narrowing functions described in the preceding section, the octagon domain provides the following extra function:

• ap_abstract0_oct_of_generator_array converts a generator set to an octagon, with best-precision.
• ap_abstract0_oct_add_epsilon enlarges each constraint bound by a user-specified factor of the maximum finite bound present in the octagon.

Unimplemented Features

The following are not implemented and will raise an exception:

• all the functions related to minimal and canonical forms,
• ap_abstract0_approximate.

Conversion with Polyhedra

In order to ensure the best precision, the following conversion procedures are recommended:

• To convert a polyhedron to an octagon, call ap_abstract0_to_generator_array on the polyhedra and then ap_abstract0_oct_of_generator_array on the result.
• To convert an octagon to a polyhedron, call ap_abstract0_to_lincons_array on the octagon and then ap_abstract0_of_lincons_array on the result.

Do not extract the generators of an octagon or build an octagon from arbitrary linear constraints as these are not best-precision operators.

Tools

The distribution provides a fully automatic test suite with octtest. It compares the result of all transfer functions in the octagon and polyhedron domains, checking for soundness, best-precision and exactness properties.

Low-level Access

The file oct/oct_fun.h provides a direct access to all the octagon functions, without the abstraction provided by the manager. Note that these functions perform less sanity checks, and so, may not be as safe. Wrapping and unwrapping a oct_t* pointer within a generic ap_abstract0_t* is done using the abstract0_of_oct and oct_of_abstract0 functions.

The file oct/oct_internal.h must be included to access to the low-level representation of octagons struct oct_t and manager-specific data struct _oct_internal_t. Direct access to private fields is not recommended.

Access to the Library from OCaml

Your OCaml program must be linked with the following modules, in order:

• the GMP OCaml wrapper: gmp.cmxa (or gmp.cma for byte-code);
• the APRON OCaml wrapper: apron.cmxa (or apron.cma for byte-code);
• the octagon OCaml wrapper: oct.cmxa (or oct.cma for byte-code);
• the C octagon library for the chosen numerical type, e.g., -cclib -loctMPQ;
• the C apron library: -cclib -lapron.

Examples:

• ocamlc -I $HOME/lib gmp.cma apron.cma oct.cma mltest.ml -cclib -loctMPQ -cclib -lapron
• ocamlopt -I $HOME/lib gmp.cmxa apron.cmxa oct.cmxa mltest.ml -cclib -loctMPQ -cclib -lapron

The octagon library provides an Oct OCaml module There is no numeric suffix here: the OCaml wrapper is independent from the chosen numerical type. The Oct.manager_alloc function returns a new manager that can then be used with the standard Apron.Abstract0 module provided by APRON.

The Oct module also provides some implementation-specific functions:

• of_generator_array to convert from a set of generators to an octagon, with best abstraction,
• the widening_thresholds widening,
• the narrowing standard narrowing,
• the add_epsilon perturbation function.

Links

APRON

• Web-page for the APRON project.

The octagon abstract domain:

• Main journal article describing the octagon domain: The Octagon Abstract Domain in Higher-Order and Symbolic Computation, 2006.
• The Ph.D. Thesis that gave rise to the octagon domain.
• Former implementation the APRON implementation is based on.

Contact