
Proceedings of the Eighth Symposium on Abstraction, Reformulation, and Approximation (SARA2009)

Tightened Transitive Closure of Integer Addition Constraints

Peter Revesz
Department of Computer Science and Engineering
University of Nebraska-Lincoln

Copyright © 2009, Association for the Advancement of Artificial Intelligence (www.aaai.org). All rights reserved.

Abstract

We present algorithms for testing the satisfiability and finding the tightened transitive closure of conjunctions of addition constraints of the form ±x ± y ≤ d and bound constraints of the form ±x ≤ d, where x and y are integer variables and d is an integer constant. The running time of these algorithms is a cubic polynomial in the number of input constraints. We also describe an efficient matrix representation of addition and bound constraints. The matrix representation provides an easy, algebraic implementation of the satisfiability and tightened transitive closure algorithms. We also outline the use of these algorithms for the improved implementation of abstract interpretation methods based on the octagonal abstract domain.

1. Introduction

Many problems can be described by constraints of the form:

    Addition:  ±x ± y ≤ d
    Bound:     ±x ≤ d

where x, y are rational or integer variables, and d is a constant (Revesz 2002). Addition constraints are also called unit two variables per inequality (UTVPI) constraints, and bound constraints are also called single variable per inequality (SVPI) constraints (Jaffar et al. 1994).

One recent application of these constraints is in the abstract interpretation of programs. Abstract interpretation derives either an over-approximation or an under-approximation of the collection semantics of a program (Cousot and Cousot 1976). (Miné 2001) pointed out that the above constraints can be used as an abstract domain, called the octagon abstract domain, and the program semantics can be abstracted in terms of a disjunctive normal form formula of the above constraints. This new abstract domain is more precise than intervals (Cousot and Cousot 1976) but simpler than polyhedra (Cousot and Halbwachs 1978).

Addition constraints include difference constraints of the form x − y ≤ d. Since difference constraints play an important role in software verification (Alur et al. 1995; Clarke 1999; McMillan 1993), it is an interesting question whether addition constraints will also prove beneficial for software verification. It is well-known that difference constraints can be represented by Difference-Bound Matrices or DBMs, which allow the definition of many efficient operations on them when the variables range over either the rational numbers or the integers.

An abstract interpretation of Datalog queries with bound and difference constraints is implemented in the MLPQ constraint database system (Revesz et al. 2000), based on earlier constraint database concepts (Kanellakis et al. 1995; Revesz 1993). Using this abstract interpretation, the MLPQ system can be transformed into a software verification system of both logic programs and procedural programs (Delzanno and Podelski 1999; Fribourg and Olsén 1997; Fribourg and Richardson 1996; Revesz 2007). The MLPQ system also allows checking whether a given error condition and the under-approximation of the program semantics intersect, thereby proving that certain errors can occur during program executions (Anderson and Revesz 2005).

The applicability of the octagon abstract domain will depend largely on whether similarly efficient operators can be defined on it. There are currently some promising results for rational numbers. (Miné 2001) shows that testing the satisfiability of addition and bound constraints over n rational variables can be done in O(n³) time. However, (Miné 2001) conjectures the satisfiability problem to be O(n⁴) with integer variables.
Currently the best tightened transitive closure algorithm with n integer variables and m input constraints requires O(mn²) time (Harvey and Stuckey 1997). This algorithm also returns “unsatisfiable” if the input constraints have no integer solution. Since with n integer variables m is O(n²), this algorithm runs in O(n⁴) time in the worst case.

(Péron and Halbwachs 2007) recently discovered another interesting difference between the case of rational and integer variables. They show that conjunctions of rational difference constraints and disequality constraints of the form x ≠ y still allow satisfiability testing in O(n³) time. This is surprising because with integer variables the same problem is known to be NP-complete by a reduction of the graph 3-colorability problem (Rosenkrantz and Hunt 1980).

The result of (Péron and Halbwachs 2007) suggested the possibility that for conjunctions of bound and addition constraints too the basic operators will be harder with integer variables than with rational variables. In spite of the earlier conjectures and suggestions, in this paper we present an O(n³) satisfiability testing algorithm with integer variables. We also present an O(n³ log n) algorithm that finds the tightened transitive closure for conjunctions of integer addition and bound constraints.

The rest of this paper is organized as follows. Section 2 gives a brief review of the basic concepts and previous work. Section 3 presents a variable elimination algorithm and a satisfiability testing algorithm, which is based on successive variable elimination. Section 4 presents a tightened transitive closure algorithm for conjunctions of addition and bound constraints. Finally, Section 5 discusses some related and future work.

2. Basic Concepts

2.1 Addition-Bound Matrices

Several researchers developed Addition-Bound Matrices or ABMs to represent conjunctions of addition and bound constraints in analogy to the well-known Difference-Bound Matrices or DBMs that represent conjunctions of bound and difference constraints.

(Miné 2001) represents a conjunction of addition and bound constraints over variables $V = \{x_1, \dots, x_n\}$ by a conjunction of difference constraints over variables $V^+ = \{x_1^+, x_1^-, \dots, x_n^+, x_n^-\}$, that is, every variable has a positive form $x_i^+$ equivalent to $x_i$ and a negative form $x_i^-$ equivalent to $-x_i$. While this representation takes advantage of already well-developed DBM algorithms, in this paper we prefer a simple three-matrices representation.

We say that an addition constraint ax + by ≤ d (or bound constraint ax ≤ d) trivially implies another addition constraint ax + by ≤ d' (respectively, bound constraint ax ≤ d') if d < d'. We always simplify the given addition and bound constraints by deleting those constraints that are trivially implied by other given constraints.

We allow 0 to be a special variable, denoted as x₀, and we number the other variables as x₁, ..., xₙ. Using x₀ as a dummy variable, we write every bound constraint as an addition constraint. Due to the deletion of trivially implied constraints, for each a, b ∈ {−1, 1} combination and distinct variables xᵢ and xⱼ, we can have only one constraint of the form axᵢ + bxⱼ ≤ d.

We also rewrite every −xᵢ + xⱼ ≤ d into xⱼ − xᵢ ≤ d, every xᵢ + xⱼ ≤ d where i > j into xⱼ + xᵢ ≤ d, and every −xᵢ − xⱼ ≤ d where i > j into −xⱼ − xᵢ ≤ d. We use matrix M₊₋ to represent constraints when a = 1, b = −1, matrix M₊₊ to represent constraints when a = b = 1, and matrix M₋₋ to represent constraints when a = b = −1, as follows:

$$M_{+-}[i,j] = \begin{cases} d & \text{if } (x_i - x_j \le d) \in C \\ +\infty & \text{otherwise} \end{cases}$$

$$M_{++}[i,j] = \begin{cases} d & \text{if } (x_i + x_j \le d) \in C \\ +\infty & \text{otherwise} \end{cases}$$

$$M_{--}[i,j] = \begin{cases} d & \text{if } (-x_i - x_j \le d) \in C \\ +\infty & \text{otherwise} \end{cases}$$

The above is a particularly efficient and convenient representation of addition and bound constraints because M₊₊ and M₋₋ are upper triangular matrices and do not need the variable 0.

Example 1 Consider the following conjunction of addition and bound constraints over the variables x and y:

    −x ≤ −25,  y ≤ 3,  x − y ≤ 4,  x + y ≤ 10,  −x − y ≤ −40

This set of addition and bound constraints can be represented by the following three matrices (the bound constraints occupy row and column 0 of M₊₋; only the upper triangles of M₊₊ and M₋₋ are used).

$$M_{+-} = \begin{array}{c|ccc} & 0 & x & y \\ \hline 0 & +\infty & -25 & +\infty \\ x & +\infty & +\infty & 4 \\ y & 3 & +\infty & +\infty \end{array}$$

$$M_{++} = \begin{array}{c|cc} & x & y \\ \hline x & & 10 \\ y & & \end{array}
\qquad
M_{--} = \begin{array}{c|cc} & x & y \\ \hline x & & -40 \\ y & & \end{array}$$

This representation is useful to check whether we have a constraint of a certain form and to avoid trivially implied constraints in our representation. In the following we assume that when we add a new constraint axᵢ + bxⱼ ≤ d to matrix M_ab, then we overwrite M_ab[i, j] with d if its current value is greater than d. We also assume that initially all entries are +∞.

For simplicity we will not always use the above representation in describing our algorithms when the representation is not needed. However, it is easy to translate our algorithms into ones that use the above matrix representation, even though we prefer to describe some of the algorithmic ideas using graphs. The translation from graphs to matrices is the basis of efficient, algebraic computer implementations.

2.2 Harvey-Stuckey Tightened Transitive Closure

If ±x ± y ≤ d is an addition constraint, or ±x ≤ d is a bound constraint, where d is a rational number, then ±x ± y ≤ ⌊d⌋ and ±x ≤ ⌊d⌋ are tightened addition and bound constraints. For example, x ≤ 3/2 can be tightened to the constraint x ≤ 1. Tightening is a valid operation in the case of integer variables because the tightened constraint always has the same solutions as the untightened constraint. In the following we always try to keep the constraints in a tightened form.

The tightened transitive closure of a set of addition and bound constraints C is the set of addition and bound constraints C* that C implies, such that we cannot derive any more addition and bound constraints which are not already in C* or trivially implied by one constraint in C*.

... and B is the union of constraints generated by the rules:

$$by \le d + d' \quad \text{if } -ax \le d'$$

$$ax \le d + d' \quad \text{if } -by \le d'$$

$$ez \le d + d' + d'' \quad \text{if } -ax \le d',\ -by + ez \le d'',\ z \ne x$$

$$ez \le d + d' + d'' \quad \text{if } -by \le d',\ -ax + ez \le d'',\ z \ne y$$

$$by \le \left\lfloor \frac{d + d'}{2} \right\rfloor \quad \text{if } -ax + by \le d'$$

$$ax \le \left\lfloor \frac{d + d'}{2} \right\rfloor \quad \text{if } ax - by \le d'$$

$$ez \le \left\lfloor \frac{d + d' + d''}{2} \right\rfloor \quad \text{if } -ax + ez \le d',\ -by + ez \le d''$$