
Ph.D Thesis, Constrained Affine Sets (khalilghorbal.info › assets › pdf › papers › thesis-KG.pdf)


THESIS
presented to the
ÉCOLE POLYTECHNIQUE
for the degree of
DOCTOR OF THE ÉCOLE POLYTECHNIQUE
Specialty: Computer Science

by

Khalil GHORBAL

28 July 2011

Analyse Statique de Programmes Numériques: Ensembles Affines Contraints

Static Analysis of Numerical Programs: Constrained Affine Sets Abstract Domain

Jury president: Stéphane Gaubert, Professor, INRIA and École Polytechnique, Saclay.

Reviewers: Jean-Luc Lamotte, Professor, Université Pierre et Marie Curie, Paris. Sriram Sankaranarayanan, Assistant Professor, University of Colorado Boulder, Colorado. Thao Dang, Verimag CNRS, Grenoble.

Examiners: Bertrand Jeannet, INRIA Rhône-Alpes, Montbonnot. Antoine Miné, École Normale Supérieure, Paris.

Thesis advisors: Eric Goubault, Professor, CEA List and École Polytechnique, Saclay. Sylvie Putot, CEA List, Gif-sur-Yvette.

École Polytechnique, Department of Computer Science


To my dear parents [names in Arabic] and [name in Arabic].


Abstract

We aim at automatically proving the correctness of the numerical behavior of a program by inferring invariants on its numerical variables. More precisely, we over-approximate in a sound manner the set of reached values. We use Abstract Interpretation-based Static Analysis as a generic framework to define and approximate the semantics of a program in a unified manner. The semantics that describes the real behavior of the program (concrete semantics) is in general undecidable. Abstract interpretation offers a way to abstract this concrete semantics to obtain a decidable semantics involving machine-expressible objects. We introduce a new affine forms-based abstract domain, called constrained affine sets, which extends and generalizes an already existing abstract domain introduced by Eric Goubault and Sylvie Putot. The expressiveness of this new domain is enhanced thanks to its ability to encode and propagate linear constraints among variables. We have implemented our new domain to evaluate the precision and the efficiency of our approach and to compare our results to the already existing abstract domains. The theoretical work as well as the implementation and the experiments have been the subject of two publications [CAV 2009, CAV 2010].

Summary

We place ourselves in the framework of static analysis of programs, and we are interested in numerical properties, that is, those concerning the numerical values of program variables. In particular, we try to determine a guaranteed over-approximation of the set of possible values for each numerical variable used in the program under analysis. This static analysis is carried out within the theory of abstract interpretation, a theory that offers a compromise between the theoretical limits of undecidability and computability on the one hand and the precision of the obtained results on the other. We started from the work of Eric Goubault and Sylvie Putot, which we have extended and generalized. Our new abstract domain, called constrained affine sets, combines the computational efficiency of domains based on affine forms with the expressive power of classical relational domains such as octagons or polyhedra. The new domain has been implemented to demonstrate the interest of this combination, its advantages, its performance and its limits compared to the other existing numerical domains. The formalism as well as the practical results have been the subject of several publications [CAV 2009, CAV 2010].


Acknowledgements

It is to my very dear parents that I dedicate all this work. I am and will always be grateful to you • To my accomplice, friend and companion Fatma Safi, my vocabulary reaches its limits when I try to thank you • Thank you, dear Stéphane Gaubert, Jean-Luc Lamotte, Thao Dang, Sriram Sankaranarayanan, Antoine Miné and Bertrand Jeannet; I was honored to have you on my jury. Thank you for your time, thank you for your comments; this has without any doubt contributed to improving the quality of this work • A big thank you to my two thesis advisors Sylvie Putot and Eric Goubault. One could not be more spoiled: pedagogy, rigor, meticulousness and fine intelligence, all with a smile and good humor. Not to mention the enormous quantity of chocolate I swallowed during my thesis, as well as my introduction to climbing; La vie au bout des doigts and Opéra vertical were part of the bibliography. I will keep very pleasant memories; thank you from the bottom of my heart •

Thank you Assalé Adjé, I really liked your way of seeing mathematics. I was lucky to have Karim Tekkal at the other end of the open space. It was very pleasant to work with you; thank you for your joie de vivre. Thank you Xavier Allamigeon, Olivier Bouissou and Alexandre Chapoutot, the less young PhD students, now confirmed doctors. Xavier, your interest and your questions allowed me to better delineate my subject. Thank you Olivier for your explanations and your talks; they helped me a lot. Thank you Alexandre for your precious help; you always had a simple solution to everything • Thank you Emmanuel Haucourt for the time you devoted to me; you have the gift of making the most complex notions accessible. I also take this opportunity to thank Sanjeevi Krishnan, who was visiting LMeASI and who introduced me to algebraic topology. Thank you Michel Hirschowitz; I will always remember our long and rich metaphysical discussions. Thank you for your humor and your critical sense. Finally, I will not fail to thank Franck Védrine, quiet efficiency. It was really very pleasant to work with you • Without the encouragement and support of my friends and comrades, and of all my family, this work might not have been accomplished. Thank you Béchir Zalila, Mehdi Frikha, Taoufik Hnia, Ala Ben Abbes and Mohamed Chakroun for always pushing me to move forward. I also thank my brothers and sister Youssef, Hamza and Sarra and all my in-laws; I hope to live up to your expectations • An enormous thank you to Fatma and Hasna Safi for your multiple detailed re-readings of this manuscript; it has considerably reduced the typos • I thank my neighbor and friend Sayed Mojabi; we spent unforgettable years in Bures-sur-Yvette • Finally, I thank Audrey Lemaréchal, Christine Ferret and the whole EDX team. You do an excellent job.

Contents

Contents . . . v

1 Introduction . . . 1

2 Context and Motivations . . . 3
    2.1 Proving Numerical Properties . . . 3
    2.2 Abstract Interpretation . . . 6
    2.3 Fluctuat . . . 12
    2.4 The ATV Case Study . . . 13

3 Numerical Abstract Domains . . . 17
    3.1 Non Relational Abstract Domain . . . 19
    3.2 Explicit Relational Abstract Domains . . . 23
    3.3 Implicit Relational Abstract Domains . . . 26
    3.4 Combining Abstract Domains . . . 40

4 Constrained Affine Sets . . . 43
    4.1 Introduction . . . 43
    4.2 Constrained Affine Sets . . . 45
    4.3 Special Case: Non Relational Constraints . . . 51

5 Assignment and Interpretation of Tests . . . 61
    5.1 Abstract Assignment . . . 61
    5.2 Interpretation of Tests . . . 70
    5.3 Related Work . . . 76

6 Join over Constrained Affine Sets . . . 77
    6.1 General Procedure . . . 78
    6.2 Join over Constrained Affine Forms . . . 79
    6.3 Join over Constrained Affine Sets . . . 114

7 Implementation and Experiments . . . 119
    7.1 Abstract Computations Using Floating-point Numbers . . . 119
    7.2 Implementation . . . 131
    7.3 Experiments . . . 132

8 Conclusion . . . 141

A The Support Function . . . 143

B Lengthy Proofs . . . 147
    B.1 Lemma 6.2.18: Fenchel Conjugate of L . . . 147
    B.2 Theorem 6.2.20: Saddle-Point Characterization . . . 148

Bibliography . . . 153

CHAPTER 1
Introduction

What matters is not arriving, but going toward. Antoine de Saint-Exupéry

A huge effort has been made during the last three decades in an attempt to ensure the correctness of software behavior while adding a reasonable overhead to the time-to-market of software-dependent products. Nowadays, more than ever, such a goal is still one of the biggest challenges facing the computer science community. It is striking to notice the importance and the impact of software in our everyday life. Cellphones, cars, planes, appliances, media, networks, telecommunications, databases, power plants, factories ... software is everywhere, includes a variety of heterogeneous services and monitors many critical and life-dependent applications.

We focus on critical embedded control-command software used for instance in airplanes or spacecraft. This work is in line with the use of formal verification techniques to prove the correctness of software with respect to its specification. We use static analysis by abstract interpretation as a general theoretical framework. Static analysis means that we do not run the software under analysis (in contrast with dynamic methods, such as testing). Instead, the semantics of the program is extracted from the source code, then approximated in a sound manner by a (decidable) abstract semantics. The latter abstract semantics allows one to synthesize invariants that the variables always satisfy. The level of abstraction reflects the expressiveness of the analysis and hence the precision of the inferred invariants. Usually, a precise analysis is expensive in time, whereas a cheap analysis gives imprecise results. Therefore, the main effort in the field consists in looking for a good precision-cost trade-off.


Our main contributions are:

• The definition and formalization of a new precise and efficient abstract domain, that is a way to represent and efficiently compute the set of reached values of all numerical variables of the analyzed program.

• The improvement of the set-theoretic operations, mainly the join operation, of the geometrical objects we use. Our approach makes our domain suitable for functional analysis, that is the study of the input/output relations of the program.

• An efficient implementation of our abstract domain called Taylor1+. This sophisticated prototype is freely available and distributed with the APRON library, widely used by the abstract interpretation community.

These contributions will be integrated in Fluctuat, a static analyzer that studies the discrepancy introduced by the use of finite-precision representations (such as floating-point numbers) instead of real numbers.

Outline. The first chapter motivates the need for the abstract domain we develop later in this work. Starting from an ESA-funded industrial case study, the formal verification of the source code of the ATV spacecraft using existing fully-fledged analyzers has indeed shown an unwanted loss of precision. In Chapter 3 we give a detailed overview of the numerical properties we would like to prove as well as the already existing abstract domains. We emphasize more particularly the numerical domains to which we compare our approach, namely the weakly relational abstract domains family (zones and octagons) and the linear template-based abstract domain. Our abstract domain is introduced in Chapter 4, where we define its abstract objects and its lattice-like structure. The next two chapters formalize the abstraction of the transfer functions. Chapter 5 focuses on assignments and tests, while Chapter 6 is entirely dedicated to the join operation, one of the most challenging issues we had to solve. Right before the conclusion, our experimental results are gathered in Chapter 7, in which we detail the features of Taylor1+, the implementation of our abstract domain.


CHAPTER 2
Context and Motivations

2.1 Proving Numerical Properties

The need to estimate the computation errors due to the use of floating-point numbers is crucial in order to interpret how significant the returned results are. Round-off errors or overflows may cause a serious loss of precision leading to an unexpected behavior of the software. Although scientists and engineers are aware of these intrinsic issues [Gol91, Ste74], and despite the fact that there exists a standard which clarifies and normalizes the hardware implementation of floating-point arithmetic [IEE85, IEE08], it is hard to tell, given an implementation of an algorithm, whether the numerical computations are safe, even for small programs.

Whenever a loss of precision is detected, it is also interesting to point out the sources of this loss, as helpful feedback for the developer. Indeed, a minor local loss of precision may cause a wrong interpretation of a test, and hence lead to a wrong decision.

To make things clear, we consider the case of solving an ordinary differential equation (ODE) using a computer. The solution can be approximated numerically using for instance the Euler method. The Euler method gives a numerical approximation to the ideal solution of the ODE, which cannot be computed explicitly. The method error is defined as the difference between the Euler approximation and the ideal solution. Now, the Euler approximation is implemented as a computer program. This program uses finite-precision numbers (typically floating-point numbers) for all internal computations instead of real numbers, which introduces in turn what is called the computation error, or round-off error.
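As an added illustration (not code from the thesis), the decomposition just described can be made concrete for the ODE y' = -y, y(0) = 1, whose ideal solution exp(-t) is known in closed form: the Euler scheme is run once under floating-point semantics and once under real-number semantics (exact rationals), so that the method error and the computation error of the same program can be separated. The ODE, the step counts and the function names are this example's own choices.

```python
from fractions import Fraction
import math

# Constructed example, not code from the thesis: the ODE y' = -y with y(0) = 1,
# whose ideal solution is y(t) = exp(-t), integrated on [0, t_end] with the
# explicit Euler scheme y_{k+1} = y_k + h * f(y_k), where f(y) = -y.


def euler_float(n_steps, t_end=1.0):
    """The Euler scheme as a program runs it: every operation rounds to a double."""
    h = t_end / n_steps
    y = 1.0
    for _ in range(n_steps):
        y = y + h * (-y)
    return y


def euler_exact(n_steps, t_end=1):
    """The same scheme under real-number semantics, using exact rationals, so
    the result is exactly (1 - h)^n with no rounding at all."""
    h = Fraction(t_end, n_steps)
    y = Fraction(1)
    for _ in range(n_steps):
        y = y + h * (-y)
    return y


def error_decomposition(n_steps, t_end=1):
    """Split the global error of the floating-point program into the two parts
    defined in the text: the method error (Euler scheme versus ideal solution)
    and the computation error (floating-point program versus the same scheme
    over the reals). The ideal value is itself rounded to a double, an error
    negligible next to the method error shown here."""
    ideal = math.exp(-t_end)
    exact = euler_exact(n_steps, t_end)
    computed = euler_float(n_steps, float(t_end))
    method_error = float(exact - Fraction(ideal))
    computation_error = float(Fraction(computed) - exact)
    return {
        "ideal": ideal,
        "euler_exact": float(exact),
        "euler_float": computed,
        "method_error": method_error,
        "computation_error": computation_error,
        "global_error": computed - ideal,
    }


if __name__ == "__main__":
    # Refining the step shrinks the method error but accumulates more
    # rounding: the two error sources behave differently.
    for n in (10, 100, 1000):
        d = error_decomposition(n)
        print(f"n={n:5d}  method={d['method_error']:+.3e}  "
              f"computation={d['computation_error']:+.3e}")
```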


Although the method errors can be theoretically estimated (with respect to the real number semantics), the computation errors are hard to estimate in general. The use of finite-precision numbers makes the estimation even harder. We give hereafter an overview of the known approaches used to estimate the computation errors.

The CESTAC Method

The CESTAC method (1) is useful to self-validate the implementation of the numerical approximations used in scientific computing to simulate a mathematical model (such as a physical law, usually defined as a set of ODEs). It makes it possible to measure the confidence one can have in the results returned by the software with respect to the use of finite-precision numbers instead of real numbers. It was also successfully applied to find the best discrete step, that is the optimal step that minimizes the global error of the computation (the accumulation of the method error and the computation error), for a wide class of algorithms, such as the Runge-Kutta integration schemes or numerical derivation methods [Jea90].

The method was introduced by Vignes [Vig78] and uses stochastic arithmetic [Vig93]. The idea is to inject a random perturbation by adding to the last bit of the mantissa of the floating-point result of each arithmetic operation either 0 or 1, each with probability 1/2 (2). The arithmetic operation is then performed according to all possible perturbed values of the operands. The final (returned) result is the arithmetic mean of all these possible partial results (samples). The method then uses Student's t-test to estimate the number of significant digits of the final returned result, that is the digits common to all samples.

The CESTAC method was later proved efficient by Chesnaux [JM88] (actually only two or three executions are needed instead of all possible cases, which may blow up the computations), and extended to synchronous CESTAC by Faye [JP89] and Flavigny [Fla88]. The synchronous CESTAC tests the significance of the result of each operation, which permits to detect the origin of the loss of precision, and hence to emit an alert if the numerical algorithm is unstable (that is, if the loss of precision due to the use of floating-point numbers leads to a wrong interpretation of a test). The CESTAC method is implemented in the CADNA (Control of Accuracy and Debugging for Numerical Applications) library [JC08]; it permits the validation of C, ADA, and FORTRAN programs. The CADNA library uses a dynamic approach: it compiles and executes the program in order to estimate the round-off errors on the fly. The overhead of the method is estimated at 3 to 6 times the time needed to execute the algorithm.

(1) French acronym which stands for Contrôle et Estimation STochastique des Arrondis de Calculs, Stochastic Control and Estimation of Computation Round-offs.

(2) Depending on the rounding mode, one might add -1 or 1 with probability 1/4 each, and 0 with probability 1/2.
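The following is an added, simplified illustration of the CESTAC idea (it is neither the CADNA library nor code from the thesis): every arithmetic operation rounds normally and then moves its result one ulp up or down with probability 1/2 each (a simplification of the rounding-mode-dependent scheme in footnote 2), the same computation is run three times, and the number of significant decimal digits shared by the samples is estimated with Student's t-test. The `Stochastic` class, the t-quantile table, the two test programs and the fixed seed are all constructed for this example.

```python
import math
import random
import statistics

class Stochastic:
    """A float whose every operation result is randomly moved one ulp up or
    down: the perturbation of the last mantissa bit described in the text."""

    def __init__(self, value, coin):
        self.value = float(value)
        self.coin = coin        # zero-argument callable returning 0 or 1

    def _perturb(self, x):
        direction = math.inf if self.coin() else -math.inf
        return Stochastic(math.nextafter(x, direction), self.coin)

    @staticmethod
    def _val(o):
        return o.value if isinstance(o, Stochastic) else float(o)

    def __add__(self, o): return self._perturb(self.value + self._val(o))
    def __radd__(self, o): return self._perturb(self._val(o) + self.value)
    def __sub__(self, o): return self._perturb(self.value - self._val(o))
    def __rsub__(self, o): return self._perturb(self._val(o) - self.value)
    def __mul__(self, o): return self._perturb(self.value * self._val(o))
    def __rmul__(self, o): return self._perturb(self._val(o) * self.value)
    def __truediv__(self, o): return self._perturb(self.value / self._val(o))
    def __rtruediv__(self, o): return self._perturb(self._val(o) / self.value)

# Two-sided Student's t quantiles at 95% confidence, keyed by the number of
# samples N (N - 1 degrees of freedom); N = 3 is the usual CESTAC choice.
T_95 = {2: 12.706, 3: 4.303, 4: 3.182, 5: 2.776}

def significant_digits(samples):
    """Estimated number of decimal digits of the mean that all samples share:
    C = log10(sqrt(N) * |mean| / (t * sigma)), clamped to [0, 16]."""
    n = len(samples)
    mean = statistics.fmean(samples)
    sigma = statistics.stdev(samples)
    if sigma == 0.0:                       # identical samples: nothing was lost
        return 16.0 if mean != 0.0 else 0.0
    if mean == 0.0:
        return 0.0
    c = math.log10(math.sqrt(n) * abs(mean) / (T_95[n] * sigma))
    return max(0.0, min(16.0, c))

def cestac(program, inputs, n_samples=3, coin=None):
    """Run `program` n_samples times on perturbed arithmetic and return
    (mean of the samples, estimated number of significant digits)."""
    if coin is None:
        rng = random.Random(2011)          # fixed seed: reproducible runs
        coin = lambda: rng.getrandbits(1)
    samples = []
    for _ in range(n_samples):
        args = [Stochastic(x, coin) for x in inputs]
        samples.append(program(*args).value)
    return statistics.fmean(samples), significant_digits(samples)

# Constructed test programs (not from the thesis).
def stable(x):
    """Well-conditioned polynomial: the samples agree on about 15 digits."""
    return (x * x + 3.0 * x) + 1.0

def cancelling(big, small):
    """(big + small) - big with big = 1e16, small = 1: a single-ulp perturbation
    is as large as the whole result, so no digit of it is significant."""
    return (big + small) - big

if __name__ == "__main__":
    print("stable:    ", cestac(stable, [0.5]))
    # Coin outcomes fixed here so that the three runs visibly disagree in sign.
    print("cancelling:", cestac(cancelling, [1e16, 1.0], coin=iter([1, 0, 0, 1, 1, 1]).__next__))
```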

Formal Specification of Floating-point Arithmetic

Recently, a specification language for the floating-point arithmetic of C programs was introduced in [BF07]. The program is annotated with formal pre- and post-conditions. Then, verification conditions (first-order logic statements) are generated using Hoare logic [Hoa83]. Finally, these conditions are discharged interactively using a proof assistant.

The model considered to estimate the approximation errors for each number is a triple: the floating-point number, the idealized real number that would be obtained if the computations were actually done under real number semantics, and the real number that the algorithm is designed to compute. Therefore, in addition to the discrepancy related to the use of floating-point numbers (computation error), the method error, that is the numerical error related to the numerical algorithm used, can also be estimated thanks to the third component.

In [BF07], the authors use the Caduceus tool [FMH] for the static verification of C programs and the Coq proof assistant [coq] to discharge the generated proof obligations. The proof obligations can also be discharged using the Gappa tool [dDLM06, Gap]. Gappa relies on interval arithmetic and a formal specification of floating-point arithmetic to prove error bounds or the absence of overflows.

Abstract Interpretation-based Approach

This approach is completely automated like the CESTAC method, while giving a sound estimation of both the computation and method errors like the formal specification method. It considers all possible executions in a sound manner and detects as well any possible loss of precision due to the use of finite-precision numbers.

The method, introduced by Goubault [Gou01a, GMP02], is completely static. It relies on the semantics of the arithmetic operations and uses the Abstract Interpretation framework to approximate the floating-point computation semantics. It analyses the given source code with respect to real number semantics on the one hand and floating-point semantics on the other hand. The loss of precision is then implied by the discrepancy observed between the results of the two semantics. The technique also permits to infer numerical invariants that the program respects, as well as an over-approximation (with respect to both semantics) of all possibly reached values of all numerical variables used. The Fluctuat tool [Flu] implements such an abstract interpreter, using both relational and non-relational abstract domains.

Miné has also used a similar approach in [Min04a], using linear forms with interval coefficients to propagate the computation errors. However, this simple technique allows neither an estimation of the method errors nor the identification of the source of the loss of precision, as it accumulates the errors using interval arithmetic.

Goubault and Putot defined a rich model including the floating-point representative, the ideal real number and the global error of the computation, decomposed with respect to its origin (line of the program, iteration number, etc.). As detailed in [GP11], the authors use a zonotopic relational domain to derive tight invariants for the real values of the variables, as well as the global error of the computation related to each variable.

This thesis focuses on this zonotopic relational domain. The domain uses affine arithmetic (presented in the next section) to implicitly encode the relations between variables. The abstract domain is presented in detail with respect to the real number semantics throughout the remaining chapters (abstract objects in Chapter 4, and abstract operations in Chapters 5 and 6). The improvements presented in this work can then be deployed to handle the abstract computation of the real values as well as the global errors.

2.2 Abstract Interpretation

Abstract Interpretation-based Static Analysis is an efficient way to statically and automatically prove the correctness of a program. It gives a generic framework to define and approximate the semantics of a program in a unified manner. The semantics that describes the real behavior of the program (concrete semantics) is in general undecidable. Abstract interpretation offers a way to abstract this concrete semantics (or any other semantics) to obtain a decidable semantics involving machine-expressible objects.

Throughout this thesis, new definitions are introduced by the symbol $\overset{\text{def}}{=}$ or $\overset{\text{def}}{\iff}$. The set of real numbers is denoted by $\mathbb{R}$. Each vector $e_i$ of the canonical basis of $\mathbb{R}^n$ is defined by 1 in its $i$th position and 0 elsewhere. The transpose of a vector $v$ (or a matrix $M$) is denoted using an upper star index, $v^*$ (or $M^*$).

An interval is the set of real numbers $\{x \mid a \le x \le b\}$, where $a, b \in \mathbb{R} \cup \{-\infty, +\infty\}$, such that $a \le b$. It is denoted by $[a, b]$; $a$ and $b$ are the bounds of the interval.

The set of intervals is denoted by $\mathbb{I}$. As a convention, we use bold face fonts to denote the elements of $\mathbb{I}$.

For $\mathbf{i}$ an element of $\mathbb{I}$, we define:

• $\inf(\mathbf{i})$, or $\underline{i}$: the infimum bound of $\mathbf{i}$,

• $\sup(\mathbf{i})$, or $\overline{i}$: the supremum bound of $\mathbf{i}$,

• if $\mathbf{i}$ has finite bounds, then $\mathrm{mid}(\mathbf{i}) \overset{\text{def}}{=} \dfrac{\sup(\mathbf{i}) + \inf(\mathbf{i})}{2}$,

• if $\mathbf{i}$ has finite bounds, then $\mathrm{dev}(\mathbf{i}) \overset{\text{def}}{=} \dfrac{\sup(\mathbf{i}) - \inf(\mathbf{i})}{2}$.

We call a hypercube, or box, any subset of $\mathbb{R}^n$ of the form $\prod_{i=1}^n [a_i, b_i]$. The symbol $\subseteq$ denotes the classical inclusion relation over $\mathbb{R}^n$:

$$S_1 \subseteq S_2 \overset{\text{def}}{\iff} (x \in S_1 \implies x \in S_2).$$

Let $n$ be a positive integer, let $\lambda$ be a real number, and let $x$ and $y$ be two vectors of $\mathbb{R}^n$. An application $\mathcal{N} : \mathbb{R}^n \to \mathbb{R}_+$ is a norm if and only if the following properties hold:

• $\mathcal{N}(x) = 0 \iff x = 0$,

• $\mathcal{N}(\lambda x) = |\lambda|\,\mathcal{N}(x)$ (positive homogeneity),

• $\mathcal{N}(x + y) \le \mathcal{N}(x) + \mathcal{N}(y)$ (triangle inequality).

A seminorm (or equivalently a quasinorm) is a norm with the first requirement in the above list removed, that is $\mathcal{N}(x) = 0$ does not necessarily imply that $x$ is the zero vector. The classical norms over $\mathbb{R}^n$ are:

• Euclidean norm: $\|x\|_2 \overset{\text{def}}{=} \left(\sum_{i=1}^n x_i^2\right)^{1/2}$.

• Infinity (or uniform) norm: $\|x\|_\infty \overset{\text{def}}{=} \max\{|x_1|, \ldots, |x_n|\}$.

• Taxicab (or $L_1$, or Manhattan) norm: $\|x\|_1 \overset{\text{def}}{=} \sum_{i=1}^n |x_i|$.

The unit ball of $\mathbb{R}^n$ with respect to the norm $\mathcal{N}$ is the set defined by

$$B_{\mathcal{N}} \overset{\text{def}}{=} \{x \mid \mathcal{N}(x) \le 1\} \subseteq \mathbb{R}^n.$$

We denote by $B$ the unit ball with respect to the infinity norm; the dimension should be clear from the context unless otherwise specified.

We define the sign function $\mathrm{sign}$ over $\mathbb{R} \setminus \{0\}$ as follows:

2.2.1 Definition (The Sign Function)

$$\mathrm{sign}(x) = \begin{cases} -1, & \text{if } x < 0, \\ 1, & \text{if } x > 0. \end{cases}$$

The sign of 0 is undefined.

Basic definitions and main concepts of abstract interpretation theory are presented briefly hereafter, following [Min04b].

Partially ordered set. A partially ordered set or poset $(\mathcal{D}, \sqsubseteq)$ is a set of elements $\mathcal{D}$ together with a partial order relation $\sqsubseteq$, that is a binary relation which is reflexive ($\forall X \in \mathcal{D},\ X \sqsubseteq X$), transitive ($\forall X, Y, Z \in \mathcal{D},\ X \sqsubseteq Y \wedge Y \sqsubseteq Z \implies X \sqsubseteq Z$) and antisymmetric ($\forall X, Y \in \mathcal{D},\ X \sqsubseteq Y \wedge Y \sqsubseteq X \implies X = Y$). Similarly, a partially pre-ordered set is a pair $(\mathcal{D}, \precsim)$, where $\precsim$ is a pre-order, that is a binary relation which is reflexive and transitive. Any partially pre-ordered set $(\mathcal{D}, \precsim)$ defines a poset $(\mathcal{D}/\!\sim, \sqsubseteq)$, where the partial order is defined over the equivalence classes of the relation $Y \sim X \overset{\text{def}}{\iff} X \precsim Y \wedge Y \precsim X$. An upper bound of a subset $D$ of a poset $(\mathcal{D}, \sqsubseteq)$ is an element of $\mathcal{D}$ which is greater than or equal to all elements of $D$ with respect to $\sqsubseteq$. Similarly, a lower bound of a subset of a poset is an element which is less than or equal to all elements of that subset. A least upper bound, or lub, of a subset $D \subseteq \mathcal{D}$, denoted by $\sqcup D$ if it exists, is an upper bound of $D$ which is less than or equal to all upper bounds of $D$. Dually, a greatest lower bound, or glb, of a subset $D \subseteq \mathcal{D}$, if it exists, is a lower bound of $D$ which is greater than or equal to all lower bounds of $D$. A poset is directed complete if every increasing chain, that is $\{X_i\}_{i \in I}$ with $i, j \in I,\ i \le j \implies X_i \sqsubseteq X_j$, admits a least upper bound (the set $I \subset \mathbb{N}$ may be infinite). A complete poset is a directed complete poset which admits a least element.

Lattice. A lattice $(\mathcal{D}, \sqsubseteq, \sqcup, \sqcap)$ is a poset $(\mathcal{D}, \sqsubseteq)$ where every two elements $X$ and $Y$ of $\mathcal{D}$ admit a least upper bound, denoted by $X \sqcup Y$, and a greatest lower bound, denoted by $X \sqcap Y$. A lattice is complete if every subset $D \subseteq \mathcal{D}$ admits a lub. A complete lattice is a complete poset. The lub of $\mathcal{D}$ is denoted by $\top$, and the glb of $\mathcal{D}$ is denoted by $\bot$.

Applications. An application is a function from a poset $(\mathcal{D}_1, \sqsubseteq_1)$ to another poset $(\mathcal{D}_2, \sqsubseteq_2)$. It is called an operator if it is defined over the same poset. An application $\llbracket\cdot\rrbracket : \mathcal{D}_1 \to \mathcal{D}_2$ that satisfies $\forall X, Y \in \mathcal{D}_1,\ X \sqsubseteq_1 Y \implies \llbracket\cdot\rrbracket X \sqsubseteq_2 \llbracket\cdot\rrbracket Y$ is called a monotonic application. An application that preserves the limits of increasing chains, that is $\llbracket\cdot\rrbracket(\sqcup_1 \{X_i\}_{i \in I}) = \sqcup_2 \{\llbracket\cdot\rrbracket X_i\}_{i \in I}$ whenever these limits exist, is said to be continuous. We call the $i$th iterate of an operator $\llbracket\cdot\rrbracket$, denoted by $\llbracket\cdot\rrbracket^i$, the operator defined by induction as $\llbracket\cdot\rrbracket^i \overset{\text{def}}{=} \llbracket\cdot\rrbracket(\llbracket\cdot\rrbracket^{i-1})$ for $i \in \mathbb{N}$, where $\llbracket\cdot\rrbracket^0$ is the identity over $\mathcal{D}$. An application $\llbracket\cdot\rrbracket : \mathcal{D}_1 \to \mathcal{D}_2$ that preserves the lub (if it exists), that is $\llbracket\cdot\rrbracket \sqcup_1 D = \sqcup_2 \{\llbracket\cdot\rrbracket X \mid X \in D\}$ for $D \subseteq \mathcal{D}_1$, is called a complete $\sqcup$-morphism.

Fixpoint. A fixpoint of an operator $\llbracket\cdot\rrbracket$ defined over a poset $\mathcal{D}$ is an element $X \in \mathcal{D}$ such that $X = \llbracket\cdot\rrbracket X$. We denote by $\mathrm{lfp}_X \llbracket\cdot\rrbracket$ the least fixpoint, if it exists, of the operator $\llbracket\cdot\rrbracket$ greater than or equal to $X$ (with respect to the partial order of $\mathcal{D}$). Tarski's Fixed Point Theorem [Tar55] proves the existence of the least fixpoint under some assumptions.

2.2.2 Theorem (Tarski)
Let $f : \mathcal{D} \to \mathcal{D}$ be a monotonic operator on a complete lattice $\mathcal{D}$; then $f$ has at least one fixpoint. Furthermore, the set of fixpoints of $f$ is a complete sublattice of $\mathcal{D}$ and, as a consequence, admits a least fixpoint, $\mathrm{lfp}_\bot f$.

Galois connection. A Galois connection is a pair of monotonic applications $\alpha : \mathcal{D}^\flat \to \mathcal{D}^\sharp$ and $\gamma : \mathcal{D}^\sharp \to \mathcal{D}^\flat$ between two posets $\mathcal{D}^\flat$ and $\mathcal{D}^\sharp$, such that $\forall X \in \mathcal{D}^\flat,\ \forall Y \in \mathcal{D}^\sharp,\ \alpha(X) \sqsubseteq^\sharp Y \iff X \sqsubseteq^\flat \gamma(Y)$. Thus, $\forall X \in \mathcal{D}^\flat,\ X \sqsubseteq^\flat \gamma \circ \alpha\, X$. The latter property is known as the soundness of abstraction. The application $\alpha$ is called the abstraction, the application $\gamma$ is called the concretisation.

Operator abstraction. Operator abstraction stands for the transfer of a given operator $\llbracket\cdot\rrbracket^\flat$ defined over the poset $\mathcal{D}^\flat$, through a Galois connection $(\alpha, \gamma)$, to obtain an operator $\llbracket\cdot\rrbracket^\sharp$ defined over $\mathcal{D}^\sharp$. An abstract operator $\llbracket\cdot\rrbracket^\sharp$ is a sound operator if, for all $Y \in \mathcal{D}^\sharp$, $\alpha \circ \llbracket\cdot\rrbracket^\flat \circ \gamma\, Y \sqsubseteq^\sharp \llbracket\cdot\rrbracket^\sharp Y$. For instance, $\llbracket\cdot\rrbracket^\sharp \overset{\text{def}}{=} \alpha \circ \llbracket\cdot\rrbracket^\flat \circ \gamma$ is a sound abstraction of the operator $\llbracket\cdot\rrbracket^\flat$. The soundness property is equivalent to $\llbracket\cdot\rrbracket^\flat \circ \gamma \sqsubseteq^\flat \gamma \circ \llbracket\cdot\rrbracket^\sharp$, by definition of the Galois connection. The latter formulation is suitable to prove the soundness property whenever we do not have an explicit $\alpha$, which is usually the case in practice.


Fixpoint computation If two complete posets $D^\flat$ and $D^\sharp$ are linked by a Galois connection where $\gamma$ is continuous, and if $\llbracket\cdot\rrbracket^\sharp$ is a monotonic sound abstraction of a monotonic operator $\llbracket\cdot\rrbracket^\flat$; then, by [Cou02, Theorem 1],

$$\forall X \in D^\sharp,\quad \mathrm{lfp}_{\gamma(X)} \llbracket\cdot\rrbracket^\flat \sqsubseteq^\flat \gamma\big(\mathrm{lfp}_X \llbracket\cdot\rrbracket^\sharp\big) .$$

That is, the least fixpoint greater than or equal to $\gamma(X)$ in $D^\flat$, for a given $X \in D^\sharp$, is over-approximated by the concretisation of the least fixpoint greater than or equal to $X$ in $D^\sharp$. If $D^\sharp$ is a complete poset, then Kleene's Theorem gives an algorithm to compute such a fixpoint iteratively:

2.2.3 Theorem (Kleene) Let $F : D \to D$ be a monotonic operator over a complete poset $D$. Then, the increasing chain $F^i$ starting from $\bot \overset{\mathrm{def}}{=} \sqcup \emptyset$ admits a limit $F^\omega$, and $F^\omega = \mathrm{lfp}_\bot F$.

Starting from the bottom element and applying successively the operator $F$, the computation converges towards the least fixpoint of $F$. However, if the complete poset $D$ has an infinite strictly increasing chain, then the procedure may take an infinite time. In general, we apply convergence acceleration.

Convergence acceleration A convergence acceleration is an operator used to reach a post-fixpoint in finitely many steps. A post-fixpoint of a monotonic operator $\llbracket\cdot\rrbracket^\sharp$ defined over the poset $D^\sharp$ is an element $X \in D^\sharp$ that satisfies $\llbracket\cdot\rrbracket^\sharp X \sqsubseteq^\sharp X$. Usually such an operation is denoted by $\nabla^\sharp$ and called widening. We also find in the literature the dual operation to widening, called narrowing, which aims at bringing the post-fixpoint obtained after a widening closer to the fixpoint.

In the sequel, we define then use a simple imperative language for thesake of clarity. Semantics of real imperative languages, such as C, can beextended easily. We suppose that the only possible type for numericalvariables is the real number type. In our language SimpleC, a statement shas the following grammar:


2.2.4 Definition (SimpleC Grammar)

$$\begin{array}{rcll}
s & ::= & v \leftarrow expr & \text{(assignment)} \\
  & \mid & \mathbf{if}\ bexpr\ \mathbf{then}\ s & \text{(conditional)} \\
  & \mid & \mathbf{while}\ bexpr\ \mathbf{do}\ s & \text{(loop)} \\
expr & ::= & v \mid [a, b] \mid expr \diamond expr \mid \sqrt{expr}, & \\
bexpr & ::= & expr \le 0 \mid expr = 0 \mid \neg bexpr \mid bexpr \wedge bexpr \mid bexpr \vee bexpr, &
\end{array}$$

where $v \in V$, $a, b \in \mathbb{R} \cup \{-\infty, +\infty\}$, $\diamond \in \{+, -, \times, \div\}$.

The arithmetic operations are restricted to {+,�,⇥,÷}. The languageallows non-deterministic inputs, expressed by intervals. Arrays and aliasesare not supported.

The concrete semantics of our simple language describes the mathematical behavior of the values of variables during the execution of the program. A program environment $\sigma \in \Sigma$ maps each variable to a set of values, that is $\Sigma \overset{\mathrm{def}}{=} V \to \wp(\mathbb{R})$. The semantics $\llbracket e \rrbracket$ of an expression $e \in expr$ maps an environment to a set of values in $\wp(\mathbb{R})$.

$$\begin{array}{rcl}
\forall e \in expr,\ \llbracket e \rrbracket & : & \Sigma \to \wp(\mathbb{R}) \\
\llbracket v \rrbracket \sigma & \overset{\mathrm{def}}{=} & \sigma(v) \\
\llbracket [a, b] \rrbracket \sigma & \overset{\mathrm{def}}{=} & \{x \in \mathbb{R} \mid a \le x \le b\} \\
\llbracket e_1 \diamond e_2 \rrbracket \sigma & \overset{\mathrm{def}}{=} & \{x_1 \diamond x_2 \mid x_1 \in \llbracket e_1 \rrbracket \sigma,\ x_2 \in \llbracket e_2 \rrbracket \sigma\}, \quad \text{where } \diamond \in \{+, -, \times\} \\
\llbracket e_1 \div e_2 \rrbracket \sigma & \overset{\mathrm{def}}{=} & \begin{cases} \emptyset, & \text{if } 0 \in \llbracket e_2 \rrbracket \sigma \\ \{x_1 \div x_2 \mid x_1 \in \llbracket e_1 \rrbracket \sigma,\ x_2 \in \llbracket e_2 \rrbracket \sigma\}, & \text{otherwise.} \end{cases} \\
\llbracket \sqrt{e} \rrbracket \sigma & \overset{\mathrm{def}}{=} & \begin{cases} \emptyset, & \text{if } \forall x \in \llbracket e \rrbracket \sigma,\ x < 0 \\ \{\sqrt{x} \mid x \in \llbracket e \rrbracket \sigma \cap [0, +\infty]\}, & \text{otherwise.} \end{cases}
\end{array}$$

We do not store the locations of any error (here the division by zero and the square root of a negative real number are the only numerical errors that may happen). In a real analyzer, the semantics of expressions is context sensitive (for instance the location of the operation is recorded); thus, whenever an error occurs, its context is reported to the user without necessarily halting the analysis.

We define the concrete semantics as the complete $\sqcup$-morphism on $D^\flat \overset{\mathrm{def}}{=} (\wp(\Sigma), \subseteq, \sqcup, \sqcap, \emptyset, \Sigma)$ as follows:

$$\begin{array}{rcl}
\llbracket s \rrbracket^\flat & : & D^\flat \to D^\flat \\
\llbracket v \leftarrow e \rrbracket^\flat \varsigma & \overset{\mathrm{def}}{=} & \bigcup_{\sigma \in \varsigma} \{\sigma[v \mapsto x] \mid x \in \llbracket e \rrbracket \sigma\} \\
\llbracket \mathbf{if}\ b\ \mathbf{then}\ s \rrbracket^\flat \varsigma & \overset{\mathrm{def}}{=} & \{\llbracket s \rrbracket^\flat \circ \llbracket b \rrbracket^\flat\} \varsigma \cup \llbracket \neg b \rrbracket^\flat \varsigma \\
\llbracket \mathbf{while}\ b\ \mathbf{do}\ s \rrbracket^\flat \varsigma & \overset{\mathrm{def}}{=} & \llbracket \neg b \rrbracket^\flat \big(\mathrm{lfp}_\varsigma\ \lambda X.\, X \cup (\llbracket s \rrbracket^\flat \circ \llbracket b \rrbracket^\flat) X\big) \\
\text{where } \llbracket b \rrbracket^\flat \varsigma & \overset{\mathrm{def}}{=} & \bigcup_{\sigma \in \varsigma} \{\sigma \mid \exists\, x \in \llbracket e \rrbracket \sigma,\ b \text{ is true}\} .
\end{array} \tag{2.2.1}$$

The environment $\sigma[v \mapsto x]$ denotes the environment derived from $\sigma$ that assigns the real number $x$ to the variable $v$ and leaves all other variables unchanged. We use the lambda-calculus functional notation $\lambda X.\, F(X)$ to denote the application that maps $X$ to $F(X)$.

The semantics of the conditional statements $\llbracket b \rrbracket^\flat$, applied to a set of concrete environments, filters out the concrete environments that do not satisfy the condition.

The concrete semantics $\llbracket\cdot\rrbracket^\flat$ is undecidable in general. The set of environments may need infinite memory, and the computation of the set of locations infinite time. To address these issues, we abstract the concrete semantics to obtain an abstract semantics which is i) decidable, ii) whose abstract objects are machine-expressible, and iii) sound.

To define an abstract semantics, one needs to define an abstract lattice, that is a partial order $\subseteq^\sharp$, an abstract join operator $\cup^\sharp$ over abstract elements, a monotone abstract operator for every concrete operator $\llbracket s \rrbracket^\flat$ and every statement $s$ that defines the initial language, and a continuous concretisation function $\gamma$.

Figure 2.1 depicts the main idea of abstract interpretation, where $X_i$ denotes the set of reached values at the control point $i$ of the program. The final invariants are over-approximations of the concrete sets of values.

2.3 Fluctuat

Fluctuat [Gou01b, GMP02, Mar02, GMP06, GP11] is a static analyzer by abstract interpretation developed at the Laboratory for the Modelling and Analysis of Interacting Systems (LMeASI) at CEA LIST. It is suited to the analysis of numerical programs; in particular it gives a tight over-approximation of the discrepancy introduced by the use of finite precision (floating-point or fixed-point) numbers instead of real numbers. It keeps track of the contribution of each statement to the global error. Division by zero, overflows, unstable tests are also reported by the analyzer. Fluctuat was successfully applied in many case studies [GPBG07, DGP+09, BCC+09].

Figure 2.1: Abstract Interpretation. (Concrete domain: $X_1 \subseteq \gamma(X_1^\sharp)$, $\llbracket v \leftarrow \dots \rrbracket^\flat$, $X_2 \subseteq \gamma(X_2^\sharp)$; abstract domain: $X_1^\sharp$, $\llbracket v \leftarrow \dots \rrbracket^\sharp$, $X_2^\sharp$; the two are linked by $\alpha$ and $\gamma$, and the abstract result is an over-approximation.)

2.4 The ATV Case Study

The case study was an ESA-funded project whose main goal was the assessment of abstract interpretation-based static analysis techniques on real-life, automatically generated, industrial code. The source code, provided by Astrium Space Transportation, concerned the Monitoring and Safing Unit (MSU), the core of the Automated Transfer Vehicle (ATV). The spacecraft's mission was to supply, completely automatically, the International Space Station (ISS) with payloads (mainly fuel, and equipment for reactors) and to correct the space station's orbit. To achieve its mission successfully, the ATV needs to dock with the ISS. In addition to the navigation, the MSU was in charge of the critical "take-away" phase triggered if any problem happens during the docking phase. Indeed, any failure of the docking phase can seriously damage the ISS, as the engine operates too closely.

Two abstract interpretation-based static analyzers were involved: Fluctuat (see Section 2.3) and ASTRÉE. I was in charge of evaluating Fluctuat on this case study (during my master's internship).

ASTRÉE [Ast], Analyses Statiques de Logiciels Temps RÉel Embarqués, is a static analyzer by abstract interpretation developed at the Laboratoire d'Informatique de l'École Normale Supérieure. It aims at automatically proving the absence of run-time errors (RTE): division by zero, out of bounds array indexing, arithmetic overflow and user defined assertions given as input to the tool. ASTRÉE is avionic software oriented and was successfully applied in an industrial context [SD07, BCC+10].

The study has shown that the techniques in use are mature enough to be deployed as integrated tools within any project development cycle using the C language$^{3}$, in that they substantially improve the reliability of the code with a reasonable time overhead. The main results are summarized in [BCC+09].

However, the case study has also shown that the current state-of-the-art abstract domains are not fully suitable for space-like software because of the use of normalized quaternions (vectors of four dimensions). These quaternions are used to encode the space position of the spacecraft and express its possible motions (translation, space rotations) as linear transformations (matrix multiplications).

To have a good intuition about quaternions, the reader can think about the use of complex numbers to encode the position of a point in the plane, together with the fact that all similarities of the plane can be seen as $2 \times 2$ matrix multiplications.

Some (quaternion) operations implemented in the MSU determine only three components (the position of the spacecraft in space) of the quaternion; the fourth remaining component is computed in such a way that the final quaternion has its Euclidean norm equal to 1. The other operations, which determine all components, normalize the result, so that any quaternion given as input to any routine is always normalized.

These normalization operations were hard to abstract precisely using existing relational domains. Indeed, they involve four non-linear operations combined together: the square, the square root, the inverse and the multiplication.

Suppose we have the non-null quaternion $(x_0, x_1, x_2, x_3)$, where the $x_i$ are known real numbers; then, the normalized quaternion $(y_0, y_1, y_2, y_3)$ is defined by

$$y_i \overset{\mathrm{def}}{=} \frac{x_i}{\sqrt{x_0^2 + x_1^2 + x_2^2 + x_3^2}} . \tag{2.4.1}$$

In the abstract domains used, the evaluation of the expression of $y_i$ is computed as a composition of basic arithmetic operations. Each operation introduces an approximation error term which in turn is propagated to the next operation. This makes it hard, for instance, to prove that the interval concretisations of $y_i$ stay within $[-1, 1]$, which should hold for a normalized quaternion. Since the normalization is repeated frequently, the interval concretisations grow quickly, leading to imprecise results and many false alarms.

$^{3}$The current version of Fluctuat supports the Ada language.

One naive technique to address such a problem is subdivision. However, subdividing each of the 4 intervals into 10 smaller intervals gives $10^4$ possible instances to analyze just for one normalization. The solution does not scale to the whole code.

Another technique could be the linearization of the whole expression at once instead of the evaluation of the composition of basic operations. However, this method works only if the assignment is done once, as shown by equation (2.4.1) for instance. Very often, in critical embedded systems, some operations such as the square root or the division are wrapped by safeguards, and thus the assignment is decomposed into more than one assignment using intermediate variables.

One other solution could be the transformation of the normalization function into an equivalent expression which computes the quotient of two independent terms; for $y_0$ for instance, the computation is done as follows:

$$y_0 = \frac{\mathrm{sign}(x_0)}{\sqrt{1 + \dfrac{x_1^2 + x_2^2 + x_3^2}{x_0^2}}}$$

which proves that the $y_i$, $1 \le i \le 4$, are within $[-1, 1]$ using interval arithmetic, since the numerator and denominator are no longer dependent.
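As an added example (not code from the thesis), the following Python evaluates equation (2.4.1) in plain interval arithmetic, first as the naive composition of basic operations and then in the rewritten form above, on a constructed input box; the helper names and the sample box are assumptions.

```python
# Added example (not from the thesis): equation (2.4.1) evaluated in plain
# interval arithmetic, first as the naive composition of basic operations and
# then in the rewritten form that makes numerator and denominator independent.
# Intervals are (lo, hi) tuples; the input box below is a constructed sample.
import math


def iadd(a, b):
    return (a[0] + b[0], a[1] + b[1])


def imul(a, b):
    """Interval multiplication: min/max over the four bound products."""
    p = (a[0] * b[0], a[0] * b[1], a[1] * b[0], a[1] * b[1])
    return (min(p), max(p))


def idiv(a, b):
    """Interval division; the whole real line when b contains zero."""
    if b[0] <= 0.0 <= b[1]:
        return (-math.inf, math.inf)
    return imul(a, (1.0 / b[1], 1.0 / b[0]))


def isqrt(a):
    """Square root; rejected when the interval reaches below zero, which is
    the false alarm a naive square x * x can trigger even though x^2 >= 0."""
    if a[0] < 0.0:
        raise ValueError("square root of an interval containing negatives")
    return (math.sqrt(a[0]), math.sqrt(a[1]))


def naive_normalise(xs):
    """y_i = x_i / sqrt(x_0^2 + x_1^2 + x_2^2 + x_3^2), each step on intervals.
    The link between x_i in the numerator and the same x_i inside the root
    is lost, so the enclosure can leave [-1, 1]."""
    norm2 = (0.0, 0.0)
    for x in xs:
        norm2 = iadd(norm2, imul(x, x))
    norm = isqrt(norm2)
    return [idiv(x, norm) for x in xs]


def rewritten_y0(xs):
    """y_0 = sign(x_0) / sqrt(1 + (x_1^2 + x_2^2 + x_3^2) / x_0^2): the
    numerator is now a constant, so interval arithmetic stays within [-1, 1].
    Requires the sign of x_0 to be known (x_0 must not contain zero)."""
    x0, rest = xs[0], xs[1:]
    if x0[0] <= 0.0 <= x0[1]:
        raise ValueError("sign(x_0) is undefined when x_0 contains zero")
    sign = 1.0 if x0[0] > 0.0 else -1.0
    s = (0.0, 0.0)
    for x in rest:
        s = iadd(s, imul(x, x))
    denom = isqrt(iadd((1.0, 1.0), idiv(s, imul(x0, x0))))
    return imul((sign, sign), idiv((1.0, 1.0), denom))


def within_unit(iv):
    """Does the enclosure prove the component lies in [-1, 1]?"""
    return -1.0 <= iv[0] and iv[1] <= 1.0


# Constructed sample box: each quaternion component known to be in [0.1, 1.0].
SAMPLE = [(0.1, 1.0)] * 4

if __name__ == "__main__":
    print(naive_normalise(SAMPLE)[0])   # about (0.05, 5.0): leaves [-1, 1]
    print(rewritten_y0(SAMPLE))          # inside [-1, 1]
```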

However, in general, rewriting the code by the analyzer is not allowed,so for the purpose of the case study, we have proved the correct behaviorof the normalization operation using an external prover [dDLM06]. Wehave then asserted that the intervals of the components of a normalizedquaternion are always within [�1, 1].

Another idea was to add a (quadratic) constraint which ensures that the vector $y$ is normalized, that is $y_0^2 + y_1^2 + y_2^2 + y_3^2 = 1$, to an existing abstract domain. In the Affine forms-based abstract domain, implemented in Fluctuat, such a constraint could be expressed as a constraint on the noise symbols and propagated as such for future computations. This novel idea motivates our work as it also permits to precisely interpret tests, which were treated by a reduced product with intervals so far. The rest of this thesis develops and formalizes in detail this idea.


CHAPTER 3 Numerical Abstract Domains

One of the main drawbacks of static analysis by abstract interpretation isthe number of false positives which are strongly related to the expressivenessof the underlying abstract domain. Indeed, the sound over-approximationusually adds unfeasible behaviors to the actual behavior of the program.The non-relational abstract domain [CC77] detailed earlier is for instanceunsuitable to prove any dependency between variables. On the other hand,the abstraction is needed to overcome the decidability and computabilitylimitations encountered when dealing with the concrete semantics of theprogram.

As an attempt to fill this gap, many abstract domains have been developed in the last three decades. In 1978, Cousot and Halbwachs [CH78, CMC08] presented a way to synthesize linear invariants using the double description of a set of linear constraints, generalizing Karr's special case of linear equalities [Kar76] presented in 1976. The exponential complexity of the analysis, mainly due to the internal representation of a convex combination of a set of linear constraints (convex polyhedron), motivated weakly linear relational abstract domains. In [Min01] Miné introduced the octagon abstract domain, which is restricted to invariants of the form $\pm X \pm Y \le c$. The efficient internal representation gives a cubical complexity in the number of variables. Later, Simon et al. in [SKH03] extended the coefficients to be any real number instead of being constrained to $\pm 1$. Sankaranarayanan and Manna in [SSM05] combine the two previous approaches in their guided polyhedra abstract domain: the linear constraints are restricted to a finite set of linear templates generated from the program to analyze. In addition to all these explicit relations-based abstract domains, Goubault and Putot [GP06] introduced an implicit relations-based abstract domain, using affine arithmetic as an extension to interval arithmetic to overcome its intrinsic dependency problem.

More recent and very promising abstract domains have targeted non-linear invariants. Allamigeon, Gaubert and Goubault, have used tropicalalgebra [SS04] to infer min-max invariants [AGG08], while in [AGG10] Adje,Gaubert and Goubault, have used Lyapunov functions as non-linear tem-plates together with SemiDefinite Programming relaxations for the fixpointcomputation using policy iterations instead of value iteration (Kleene liketechniques). The latter is a rising technique to cope with the limitationsof Kleene iteration technique and was already formalized for other abstractdomains [CGG+05].

Many abstract domains could be combined (in a manner to be defined) in order to increase the overall expressiveness of the analysis, and hence increase the precision of the final results. Cousot and Cousot pointed out in [CC77] a generic framework, called reduced product [CC79, Cou05], to combine two abstract domains. For instance, Laviron and Logozzo exploit this combination in their sub-polyhedra abstract domain [LL09], which still suffers from the complexity of the polyhedra domain. In 2006, Tiwari and Gulwani presented an elegant framework, called logical product, for combining abstract domains under some hypotheses [GT06]. The logical product allows a better and richer exchange of relations between the involved abstract domains than the reduced product, which exchanges only the concretisations of the involved domains.

Contents In the remaining part of this chapter, we detail some abstract domains relevant to our work. In Section 3.1, we first recall the basics of interval arithmetic; then, we abstract the concrete semantics of our SimpleC language using intervals. Section 3.2 focuses on two (explicit) relational domains, namely the Polyhedra abstract domain and the Linear Templates abstract domain. Affine arithmetic as well as most of its known extensions are covered by Section 3.3. The Perturbed Affine Sets abstract domain is briefly introduced in Section 3.3. The last section (Section 3.4) summarizes the main ideas behind the reduced product and the logical product of abstract domains.


3.1 Non Relational Abstract Domain

Interval Arithmetic

Interval Arithmetic [MY59] stands for the rules that govern computations using intervals instead of real numbers. The basic arithmetic operations over intervals are reduced to simple operations on the operands' bounds. For any operation $\diamond \in \{+, -, \times, \div\}$, we have:

$$[\underline{u}, \overline{u}] \diamond [\underline{v}, \overline{v}] \overset{\mathrm{def}}{=} \big[\min\{\underline{u} \diamond \underline{v},\ \underline{u} \diamond \overline{v},\ \overline{u} \diamond \underline{v},\ \overline{u} \diamond \overline{v}\},\ \max\{\underline{u} \diamond \underline{v},\ \underline{u} \diamond \overline{v},\ \overline{u} \diamond \underline{v},\ \overline{u} \diamond \overline{v}\}\big] . \tag{3.1.1}$$

Computing all the combinations of bounds is not necessary for all operationslisted above. For instance,

$$[\underline{u}, \overline{u}] + [\underline{v}, \overline{v}] \overset{\mathrm{def}}{=} [\underline{u} + \underline{v},\ \overline{u} + \overline{v}], \tag{3.1.2}$$

$$[\underline{u}, \overline{u}] - [\underline{v}, \overline{v}] \overset{\mathrm{def}}{=} [\underline{u} - \overline{v},\ \overline{u} - \underline{v}] . \tag{3.1.3}$$

For the division operation, whenever the denominator interval containszero, the result is undefined, and the only possible result is the real line,that is R.

Observe that an interval does not have an additive inverse, and $i - i$ does not vanish to zero (e.g. $[1, 2] - [1, 2] = [-1, 1]$). Similarly, an interval does not have a multiplicative inverse, and $i \div i$, assuming that $0$ is not within $i$, is not equal to $1$ (e.g. $[1, 2] \div [1, 2] = [0.5, 2]$). Furthermore, the multiplication operation ($\times$) does not distribute over the addition operation ($+$). We have instead a weaker notion of sub-distributivity (with respect to the inclusion order over intervals):

$$w \times (u + v) \subseteq w \times u + w \times v$$

For instance, $[1, 2] \times ([-3, -2] + [3, 4])$ is equal to $[0, 4]$ if the addition operation is evaluated first, and $[-3, 6]$ if we distribute the multiplication operation. Both intervals contain all true values, but the former is tighter (in the sense that $[0, 4] \subseteq [-3, 6]$). Also, the square of an interval may contain non-positive values, e.g. $[-1, 2] \times [-1, 2] = [-2, 4]$.

The main reason behind these subtleties in arithmetic operations over intervals comes from the fact that substituting variables by their respective intervals loses all relations between the involved variables. As a matter of fact, if the variables $x$ and $y$ are within the same interval $[-1, 2]$, then evaluating $x^2$ or $xy$ in interval arithmetic leads to the same interval operation, namely $[-1, 2] \times [-1, 2]$ ($= [-2, 4]$). Whereas all values in $[-2, 4]$ are possible for $xy$, only the positive values, that is the interval $[0, 4]$, may occur for $x^2$.


Intervals Abstract Domain

We abstract our concrete semantics (see equation (2.2.1)) using the lattice of intervals. If $(D, \le, \cup, \cap, \bot, \top)$ is a complete lattice (resp. complete poset, poset), and $V$ is a set, then $(V \to D, \le, \cup, \cap, \bot, \top)$ is a complete lattice (resp. complete poset, poset) called the structural lifting of $D$. The pointwise lifting operations are defined as follows:

$$\begin{array}{rcl}
X \le Y & \overset{\mathrm{def}}{\iff} & \forall v \in V,\ X(v) \le Y(v) \\
(\cup \mathcal{X})(v) & \overset{\mathrm{def}}{=} & \cup \{X(v) \mid X \in \mathcal{X}\} \\
(\cap \mathcal{X})(v) & \overset{\mathrm{def}}{=} & \cap \{X(v) \mid X \in \mathcal{X}\} \\
\bot(v) & \overset{\mathrm{def}}{=} & \bot \\
\top(v) & \overset{\mathrm{def}}{=} & \top
\end{array}$$

The abstract program environment $\Sigma^\sharp : V \to \mathbb{I}$ maps each variable to an interval. The abstract domain $D^\sharp \overset{\mathrm{def}}{=} (\Sigma^\sharp, \subseteq^\sharp, \cup^\sharp, \cap^\sharp, \bot^\sharp, \top^\sharp)$ is the structural lifting of the lattice of boxes $(\mathbb{I}, \subseteq^\imath, \cup^\imath, \cap^\imath, \emptyset, [-\infty, +\infty])$, defined as follows:

$$\begin{array}{rcl}
i \subseteq^\imath j & \overset{\mathrm{def}}{\iff} & \sup(i) \le \sup(j) \wedge \inf(j) \le \inf(i) \\
i \cup^\imath j & \overset{\mathrm{def}}{=} & [\min\{\inf(i), \inf(j)\},\ \max\{\sup(i), \sup(j)\}] \\
i \cap^\imath j & \overset{\mathrm{def}}{=} & [\max\{\inf(i), \inf(j)\},\ \min\{\sup(i), \sup(j)\}]
\end{array}$$

The abstract evaluation of arithmetic expressions is then given by:

$$\begin{array}{rcl}
\forall e \in expr,\ \llbracket e \rrbracket^\sharp & : & \Sigma^\sharp \to \mathbb{I} \\
\llbracket v \rrbracket^\sharp \sigma^\sharp & \overset{\mathrm{def}}{=} & \sigma^\sharp(v) \\
\llbracket [a, b] \rrbracket^\sharp \sigma^\sharp & \overset{\mathrm{def}}{=} & [a, b] \\
\llbracket e_1 \diamond e_2 \rrbracket^\sharp \sigma^\sharp & \overset{\mathrm{def}}{=} & \llbracket e_1 \rrbracket^\sharp \sigma^\sharp \;\diamond^\imath\; \llbracket e_2 \rrbracket^\sharp \sigma^\sharp, \quad \text{where } \diamond^\imath \in \{+^\imath, -^\imath, \times^\imath\} \\
\llbracket e_1 \div e_2 \rrbracket^\sharp \sigma^\sharp & \overset{\mathrm{def}}{=} & \begin{cases} [-\infty, +\infty], & \text{if } 0 \in \llbracket e_2 \rrbracket^\sharp \sigma^\sharp \\ \llbracket e_1 \rrbracket^\sharp \sigma^\sharp \div^\imath \llbracket e_2 \rrbracket^\sharp \sigma^\sharp, & \text{otherwise.} \end{cases}
\end{array}$$


We now give a sound abstraction of the concrete operator [CC77]:

$$\begin{array}{rcl}
\llbracket s \rrbracket^\sharp & : & D^\sharp \to D^\sharp \\
\llbracket v \leftarrow e \rrbracket^\sharp \sigma^\sharp & \overset{\mathrm{def}}{=} & \sigma^\sharp[v \mapsto \llbracket e \rrbracket^\sharp \sigma^\sharp] \\
\llbracket \mathbf{if}\ b\ \mathbf{then}\ s \rrbracket^\sharp \sigma^\sharp & \overset{\mathrm{def}}{=} & \llbracket s \rrbracket^\sharp \circ \llbracket b \rrbracket^\sharp \sigma^\sharp \;\cup^\sharp\; \llbracket \neg b \rrbracket^\sharp \sigma^\sharp \\
\llbracket \mathbf{while}\ b\ \mathbf{do}\ s \rrbracket^\sharp \sigma^\sharp & \overset{\mathrm{def}}{=} & \llbracket \neg b \rrbracket^\sharp \big(\mathrm{lfp}_{\sigma^\sharp}\ \lambda X.\, X \cup^\sharp (\llbracket s \rrbracket^\sharp \circ \llbracket b \rrbracket^\sharp) X\big) \\
\text{where } \llbracket b \rrbracket^\sharp \sigma^\sharp & \overset{\mathrm{def}}{=} & \cup^\sharp \{\sigma^\sharp \mid b \text{ is true}\} \cap^\sharp \sigma^\sharp .
\end{array}$$

The abstract environment $\sigma^\sharp[v \mapsto \llbracket e \rrbracket^\sharp \sigma^\sharp]$ maps each variable $v$ to the interval given by $\llbracket e \rrbracket^\sharp \sigma^\sharp$, that is the evaluation of the expression $e$ when the variables are within $\sigma^\sharp(v_1) \times \dots \times \sigma^\sharp(v_p)$. For instance, if $e = v - c$ where $v \in V$, then

$$\llbracket e \le 0? \rrbracket^\sharp \sigma^\sharp = \sigma^\sharp[v \mapsto \sigma^\sharp(v) \cap [-\infty, c]]$$

Indeed, $\llbracket v - c \rrbracket^\sharp \sigma^\sharp = \sigma^\sharp(v) - [c, c]$, and the least upper bound of the set of intervals $\{i \mid i - [c, c] \le 0\}$ is equal to $[-\infty, c]$. Similarly, we have

$$\begin{array}{rcl}
\llbracket v - c \ge 0? \rrbracket^\sharp \sigma^\sharp & = & \llbracket -e \le 0? \rrbracket^\sharp \sigma^\sharp \\
& = & \sigma^\sharp[v \mapsto \sigma^\sharp(v) \cap -[-\infty, -c]] \\
& = & \sigma^\sharp[v \mapsto \sigma^\sharp(v) \cap [c, +\infty]] .
\end{array}$$

3.1.1 Example (Abstraction using intervals) We compute the least fixpoint of the classical loop program [CC77] given below.

    x ← 0;
    while (x ≤ 100) do
        x ← x + 1;
    return x;

We are interested in the final value of variable x for any execution of theabove simple loop. The behavior of the program can be then formalized by:

$$P^\flat \overset{\mathrm{def}}{=} \llbracket \mathbf{while}\ x \le 100\ \mathbf{do}\ (x \leftarrow x + 1) \rrbracket^\flat \circ \llbracket x \leftarrow 0 \rrbracket^\flat \bot^\flat ,$$

where $\bot^\flat$ denotes the environment that maps $V \overset{\mathrm{def}}{=} \{x\}$ to the empty set (the bottom element of the powerset $\wp(\mathbb{R})$). We compute the fixpoint with respect to the intervals abstract domain defined earlier. The concretisation of the abstract fixpoint gives an over-approximation of the fixpoint we seek. We have:

$$\begin{array}{rcl}
\bot^\sharp(x) & = & \emptyset \\
\llbracket x \leftarrow 0 \rrbracket^\sharp \bot^\sharp & = & \bot^\sharp[x \mapsto [0, 0]] \\
\llbracket x \leftarrow x + 1 \rrbracket^\sharp \sigma^\sharp & = & \sigma^\sharp[x \mapsto \sigma^\sharp(x) + [1, 1]] \\
\llbracket x - 100 \le 0? \rrbracket^\sharp \sigma^\sharp & = & \sigma^\sharp[x \mapsto \sigma^\sharp(x) \cap [-\infty, 100]] \\
\llbracket x - 100 \ge 0? \rrbracket^\sharp \sigma^\sharp & = & \sigma^\sharp[x \mapsto \sigma^\sharp(x) \cap [100, +\infty]]
\end{array}$$

The semantics of the program in the abstract domain is given by

$$P^\sharp \overset{\mathrm{def}}{=} \llbracket \mathbf{while}\ x \le 100\ \mathbf{do}\ (x \leftarrow x + 1) \rrbracket^\sharp \bot^\sharp[x \mapsto [0, 0]] .$$

It involves a fixpoint computation:

$$\mathrm{lfp}_{\bot^\sharp[x \mapsto [0,0]]}\ \lambda \sigma^\sharp.\, F^\sharp(\sigma^\sharp),$$

where $F^\sharp(\sigma^\sharp) \overset{\mathrm{def}}{=} \sigma^\sharp \cup^\sharp (\delta^\sharp[x \mapsto \delta^\sharp(x) + [1, 1]])$ and $\delta^\sharp \overset{\mathrm{def}}{=} \sigma^\sharp[x \mapsto \sigma^\sharp(x) \cap [-\infty, 100]]$. We use the Kleene iteration technique to compute such a fixpoint. The operator $F^\sharp$ is by construction monotonic. We start the iteration with $\bot^\sharp[x \mapsto [0, 0]]$; at each iteration we evaluate $\delta^\sharp$ then $F^\sharp$:

$$\begin{array}{rcl}
\delta^\sharp & = & \bot^\sharp[x \mapsto [0, 0] \cap [-\infty, 100]] \\
& = & \bot^\sharp[x \mapsto [0, 0]] .
\end{array}$$

The first iteration $(F^\sharp)^1$ gives:

$$\begin{array}{rcl}
(F^\sharp)^1\, \bot^\sharp[x \mapsto [0, 0]] & = & \bot^\sharp[x \mapsto [0, 0]] \cup^\sharp \delta^\sharp[x \mapsto \delta^\sharp(x) + [1, 1]] \\
& = & \bot^\sharp[x \mapsto [0, 0]] \cup^\sharp \bot^\sharp[x \mapsto [1, 1]] \\
& = & \bot^\sharp[x \mapsto [0, 1]]
\end{array}$$

After 101 iterations, we obtain $(F^\sharp)^{101}\, \bot^\sharp[x \mapsto [0, 0]] = \bot^\sharp[x \mapsto [0, 101]]$, and for the iteration 102,

$$\begin{array}{rcl}
\delta^\sharp & = & \bot^\sharp[x \mapsto [0, 101] \cap [-\infty, 100]] \\
& = & \bot^\sharp[x \mapsto [0, 100]] .
\end{array}$$

and

$$\begin{array}{rcl}
(F^\sharp)^{102}\, \bot^\sharp[x \mapsto [0, 0]] & = & F^\sharp(\bot^\sharp[x \mapsto [0, 101]]) \\
& = & \bot^\sharp[x \mapsto [0, 101]] \cup^\sharp \delta^\sharp[x \mapsto \delta^\sharp(x) + [1, 1]] \\
& = & \bot^\sharp[x \mapsto [0, 101]] \cup^\sharp \bot^\sharp[x \mapsto [0, 100] + [1, 1]] \\
& = & \bot^\sharp[x \mapsto [0, 101]] \cup^\sharp \bot^\sharp[x \mapsto [1, 101]] \\
& = & \bot^\sharp[x \mapsto [0, 101]] \\
& = & (F^\sharp)^{101}\, \bot^\sharp[x \mapsto [0, 0]] .
\end{array}$$

The increasing chain stabilizes at iteration 102; its limit $\bot^\sharp[x \mapsto [0, 101]]$ is the least fixpoint of the operator $F^\sharp$. We finally obtain a sound superset of the values of the variable $x$:

$$P^\flat \subseteq \gamma(\bot^\sharp[x \mapsto [100, 101]]) = [100, 101] .$$
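As an added example (not the thesis's own code), the intervals abstract domain of this section and the Kleene iteration of Example 3.1.1 in Python; the function names, the `None`-as-empty-interval convention and the iteration cap are assumptions, and the loop bound is a parameter so the same analysis runs on other bounds.

```python
# Added example (not the thesis's own code): the intervals abstract domain of
# Section 3.1 applied to Example 3.1.1. Intervals are (lo, hi) tuples, the
# empty interval is None, and an abstract environment maps variable names to
# intervals. Kleene iteration computes the least fixpoint of
# F(s) = s ∪ ⟦x ← x + 1⟧(⟦x − bound ≤ 0?⟧ s); the exit guard is applied last.
import math

INF = math.inf


def join(i, j):
    """i ∪ı j: the smallest box containing both (None is the empty interval)."""
    if i is None:
        return j
    if j is None:
        return i
    return (min(i[0], j[0]), max(i[1], j[1]))


def meet(i, j):
    """i ∩ı j, or None when the intersection is empty."""
    if i is None or j is None:
        return None
    lo, hi = max(i[0], j[0]), min(i[1], j[1])
    return (lo, hi) if lo <= hi else None


def add(i, j):
    """Interval addition, equation (3.1.2)."""
    if i is None or j is None:
        return None
    return (i[0] + j[0], i[1] + j[1])


def env_join(s, t):
    """Pointwise lifting of ∪ı to environments (the structural lifting)."""
    return {v: join(s.get(v), t.get(v)) for v in set(s) | set(t)}


def assign_plus_const(s, v, c):
    """⟦v ← v + c⟧♯ s = s[v ↦ s(v) + [c, c]]."""
    t = dict(s)
    t[v] = add(s[v], (float(c), float(c)))
    return t


def guard_le(s, v, c):
    """⟦v − c ≤ 0?⟧♯ s = s[v ↦ s(v) ∩ [−∞, c]]."""
    t = dict(s)
    t[v] = meet(s[v], (-INF, float(c)))
    return t


def guard_ge(s, v, c):
    """⟦v − c ≥ 0?⟧♯ s = s[v ↦ s(v) ∩ [c, +∞]]."""
    t = dict(s)
    t[v] = meet(s[v], (float(c), INF))
    return t


def analyse_loop(bound=100, max_iter=10_000):
    """Abstract semantics of  x ← 0; while (x ≤ bound) do x ← x + 1.

    Returns (interval of x after the loop, number of Kleene iterations).
    max_iter guards against the infinite ascending chains the text warns
    about; a real analyser would apply a widening instead of giving up."""
    s = {"x": (0.0, 0.0)}                      # ⟦x ← 0⟧♯ ⊥♯
    for n in range(1, max_iter + 1):
        body = assign_plus_const(guard_le(s, "x", bound), "x", 1)
        nxt = env_join(s, body)                # F♯(s) = s ∪♯ body
        if nxt == s:                           # chain stabilised: lfp reached
            return guard_ge(s, "x", bound)["x"], n
        s = nxt
    raise RuntimeError("no fixpoint within max_iter; a widening is needed")


if __name__ == "__main__":
    print(analyse_loop())   # ((100.0, 101.0), 102)
```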

3.2 Explicit Relational Abstract Domains

Polyhedra Abstract Domains

The polyhedra abstract domain [CH78] catches and propagates explicit linear relations between variables such as $\alpha x + \beta y \le \gamma$, where $x$ and $y$ are two numerical variables and $\alpha$, $\beta$, and $\gamma$ are real numbers. The internal abstract object has two dual representations: an external representation and an internal representation.

external representation: a polyhedron is defined as the intersection of a finite set of affine subspaces of $\mathbb{R}^p$, where $p$ is the number of numerical variables abstracted. Each affine subspace is in fact represented by $\langle x, \alpha_i \rangle \le \beta_i$. Equalities, $\langle x, \alpha_i \rangle = \beta_i$, are represented by two inequalities, $\langle x, \alpha_i \rangle \le \beta_i$ and $\langle x, -\alpha_i \rangle \le -\beta_i$. A polyhedron is then by definition a convex subset of $\mathbb{R}^p$.

internal representation: a polyhedron is generated by a finite set of vertices $\{v_i, 1 \le i \le k\}$ and a finite set of rays $\{r_j, 1 \le j \le m\}$. The polyhedron consists of all vectors of the form

$$\Big\{ \sum_{i=1}^{k} \lambda_i v_i + \sum_{j=1}^{m} \mu_j r_j \ \Big|\ \lambda_i \ge 0,\ \mu_j \ge 0,\ \sum_{i=1}^{k} \lambda_i = 1 \Big\} .$$

The duality of both representations is a classical result (see for in-stance [Roc70, Theorem 19.1]).


The intersection of two polyhedra is exactly represented by a polyhe-dron, the join of two polyhedra is their convex hull which is also a poly-hedron. Using the convex hull as a join and the geometrical inclusion asa partial order, the set of polyhedra defines a lattice. The lattice is notcomplete, as we can extract an infinitely increasing chain which convergestoward a circle (regular polygons inside a circle).

The set-theoretic operations (the meet and the join) are easier to de-fine using the external representation: the intersection is for instance theconcatenation of both lists of inequalities of the given polyhedra. The as-signment operations are more convenient to define using the internal repre-sentation, for instance any linear expression can be immediately computed(linear time) using the generators representation. Therefore, the transfor-mation from one representation to the other is a central operation to definean abstract domain using polyhedra.

Chernikova's algorithm, enhanced by Le Verge [Le 92], permits such a transformation. The transformation minimizes the number of constraints (or generators) in the resulting polyhedron. Its worst-case complexity is exponential in time and in memory (as a function of the number of variables $p$). The minimal number of generators needed to represent a polyhedron given in its minimal inequalities representation can be exponential.

The algorithm is implemented in two recent libraries, the Parma Poly-hedra Library [Pro] and the Polka Library [Ja]. In practice the exponentialcomplexity can be observed even for simple programs with 5 variables butwhich alternate set-theoretic operations and assignments. The polyhedraabstract domains in APRON Library are based on these two implementa-tions.

Linear Templates

The Polyhedra Templates abstract domain [SSM05] overcomes the complexity problem observed in classical polyhedra by fixing the directions of the polyhedra used during the analysis. The directions are fixed using a template constraint matrix $T$, and only inequalities of the form $T(x_1, \dots, x_p) + c \ge 0$ are allowed, where $T$ is an $m \times p$ matrix and $c \in \mathbb{R}^m$. Such an approach limits the expressiveness of the domain compared to the polyhedra domain; however, it improves the worst-case complexity from exponential (in the classical polyhedra case) to polynomial with respect to the number of program variables.

As the internal representation of Templates is fixed, there is no more need to switch between the external and the internal representations of the polyhedron. The abstraction of a linear assignment involves $m$ linear problems to solve: as any linear assignment can be expressed as $Ax + b \ge 0$ (where $A$ is an $n \times p$ matrix and $b \in \mathbb{R}^n$) and the templates matrix $T$ is fixed, it suffices to find the smallest $c_i$, $1 \le i \le m$, such that $Tx + c \ge 0$ satisfies $Ax + b \ge 0$. If we apply Farkas' Lemma [Roc70, Theorem 22.3], such a problem is transformed into $m$ linear programs, each involving $n$ variables and $p$ constraints.

The geometrical inclusion is no more a partial order because of the fixedshape of the polyhedra, it is instead a pre-order, which is quotiented by anequivalence class to define a partial order. The intersection and the joinoperators are defined piecewisely using respectively the minimum and themaximum operators over the vectors “c” of the operands.

The synthesis of the matrix $T$ which fixes the directions of the analysis may benefit from the initial constraints, guards or properties one needs to prove. The authors of [SSM05] introduce the notion of support vector, which gives additional constraints one can include in $T$. The support vector of a coefficient vector $a$ is defined with respect to a (linear) transition system $x \leftarrow Ax + b$ by $A^{*} a$ (where $^{*}$ denotes the transpose operator). In fact, if $\langle a, x \rangle \ge 0$ and we substitute $x$ by $Ax + b$, then the new coefficient vector of $x$ is $A^{*} a$ (using the classical duality of the scalar product). Of course, these heuristics may not in general be optimal to catch exactly the invariants (even linear) of a given problem.

Discussion Observe that linear templates generalize the octagons abstract domain, as one can easily define the matrix $T$ to catch exactly the inequalities of the form $\pm x_i \pm x_j \le c_i$. Thus, the domain is at least as expressive as octagons and strictly less expressive than classical polyhedra. However, the native octagons abstract domain is more efficient than this generic approach. The internal representation using Difference Bound Matrices (DBM) is more efficient (cubical complexity). Moreover, for a sound and efficient implementation of the templates abstract domain, one needs to use a guaranteed LP solver, such as [Kei05]$^{1}$, in order to safely use floating-point numbers, which is expensive as it solves many times the same problem to come up with safe bounds.

$^{1}$A recent and interesting survey of software packages for verified linear programming can be found in [Kei08].


3.3 Implicit Relational Abstract Domains

Affine Arithmetic

Affine arithmetic has been successfully used in many fields, from the self-validation of numerical algorithms [CS93], where it was first introduced, to reliable computing to come up with tight enclosing intervals [Kol01, Kol04, Miy00, MK04a], and algebraic surface plotting [SLMW06].

In what follows, we motivate the use of affine forms by the dependency problems observed in both interval arithmetic and an extension of IA called generalized intervals.

Generalized Intervals

To overcome this dependency problem observed in interval arithmetic, Eldon R. Hansen proposed in 1975 an extension to intervals, called Generalized Intervals [Han75]:

3.3.1 Definition (Generalized Intervals) A generalized interval, also known as Hansen's form, $\hat{x}$ is defined by

$$\hat{x} \overset{\mathrm{def}}{=} c^x_0 + c^x_1 \zeta_1 + \dots + c^x_n \zeta_n = c^x_0 + \sum_{i=1}^{n} c^x_i \zeta_i$$

where $\{c^x_i\}_{0 \le i \le n}$ are intervals and $\{\zeta_i\}_{1 \le i \le n}$ are symbolic variables known to be in centred intervals (of the form $[-r_i, r_i]$). The parameter $n$, the number of $\zeta_i$, is fixed for all generalized intervals.

The symbolic variables $\{\zeta_i\}_{1 \le i \le n}$ express the dependency between variables. Conversions to and from classical intervals are defined as follows:

3.3.2 Definition (Conversion from interval) Let $\mathbf{x}$ be an element of $\mathbb{I}$. If $\mathbf{x}$ has an infinite bound, then $c^x_0 \overset{\mathrm{def}}{=} \mathbf{x}$, and $c^x_i = [0, 0]$ for all $i$ in $1 \dots n$. Else,

$$
x \overset{\mathrm{def}}{=} [\mathrm{mid}(\mathbf{x}), \mathrm{mid}(\mathbf{x})] + [1, 1]\zeta_1,
$$

where $\zeta_1$ is unknown but has its values within $[-\mathrm{dev}(\mathbf{x}), \mathrm{dev}(\mathbf{x})]$.

3.3.3 Definition (Conversion to interval) The interval related to $x = c^x_0 + \sum_{i=1}^{n} c^x_i \zeta_i$ is the result of the evaluation in interval arithmetic of the following expression:

$$
\mathbf{x} \overset{\mathrm{def}}{=} c^x_0 + \sum_{i=1}^{n} c^x_i [-r_i, r_i] .
$$


Let $x$ and $y$ be two generalized intervals. We define the addition, subtraction and scalar multiplication by

$$
x + y \overset{\mathrm{def}}{=} (c^x_0 + c^y_0) + \sum_{i=1}^{n} (c^x_i + c^y_i)\zeta_i \qquad (3.3.1)
$$

$$
x - y \overset{\mathrm{def}}{=} (c^x_0 - c^y_0) + \sum_{i=1}^{n} (c^x_i - c^y_i)\zeta_i \qquad (3.3.2)
$$

$$
\lambda x \overset{\mathrm{def}}{=} (\lambda c^x_0) + \sum_{i=1}^{n} (\lambda c^x_i)\zeta_i \qquad (3.3.3)
$$

The operations on the coefficients $c^x_i$ and $c^y_i$ are computed w.r.t. the interval arithmetic introduced above (Equation 3.1.1).

Using generalized intervals and their related arithmetic instead of interval arithmetic is more expensive in time and memory, since one has to record $n$ intervals instead of just one interval. Nevertheless, it is possible to track relations between variables using the $\zeta_i$ shared between variables. For example, suppose that we have to compute an enclosure of the direct image of the function $f : [0, 1] \to \mathbb{R}$ defined by $f(x) = 2x - x$. The exact interval for $f(x)$ is $[0, 1]$, since $f(x) = x$. Using interval arithmetic, we obtain $f(x) \in [2, 2] \times [0, 1] - [0, 1] = [0, 2] - [0, 1] = [-1, 2]$². This catastrophic result can be improved using generalized intervals: we first convert $[0, 1]$ into its related generalized interval, $x = [0.5, 0.5] + [1, 1]\zeta_1$, where $\zeta_1$ is within $[-0.5, 0.5]$. Then the generalized interval of $f(x)$ is $2 \times x - x = [0.5, 0.5] + [1, 1]\zeta_1$. Converted to an interval, the generalized interval of $f(x)$ gives the exact result, that is $[0, 1]$. Moreover, we have the relation $f(x) = x$, encoded implicitly, since $x$ and $f(x)$ have the same generalized interval.

Coefficients of generalized intervals are intervals. The lack of precision observed in interval arithmetic may also affect these coefficients, which prevents the needed cancellation from occurring. The next section presents Affine Forms, a special case of Hansen's forms where the coefficients are real numbers instead of intervals.

Affine Forms

Affine Forms [CS93] were introduced in 1993 by João L. D. Comba and Jorge Stolfi. They are defined as follows:

² For this simple example, one could use symbolic enhancement, which addresses such a problem locally; however, we could easily imagine that $f(x)$ is computed using intermediate variables, in which case the symbolic computation is no longer immediate.


3.3.4 Definition (Affine forms) An affine form $a$ is defined by

$$
a \overset{\mathrm{def}}{=} \alpha^a_0 + \alpha^a_1 \varepsilon_1 + \dots + \alpha^a_n \varepsilon_n = \alpha^a_0 + \sum_{i=1}^{n} \alpha^a_i \varepsilon_i,
$$

where $\alpha^a_0, \dots, \alpha^a_n$ are real coefficients, called partial deviations, and $\varepsilon_1, \dots, \varepsilon_n$ are symbolic variables, called noise symbols, known to be within $[-1, 1]$. The number of noise symbols is not a priori fixed.

The set of affine forms is denoted by $\mathbb{A}$. In Definition 3.3.4 the coefficients, or partial deviations, $\{\alpha^a_i\}_{0 \le i \le n}$ are real numbers, and not intervals as seen in Hansen's forms. Affine forms can be seen as special generalized intervals where all coefficients are point intervals, and each symbol $\zeta_i$ is reduced to $\mathrm{dev}(\zeta_i)\varepsilon_i$.

3.3.5 Definition (Conversion to intervals) The range of an affine form $a$, denoted by the bold face notation $\mathbf{a}$, is

$$
\mathbf{a} \overset{\mathrm{def}}{=} \Big[\alpha^a_0 - \sum_{i=1}^{n} |\alpha^a_i|,\ \alpha^a_0 + \sum_{i=1}^{n} |\alpha^a_i|\Big] .
$$

3.3.6 Definition (Conversion from intervals) If $\mathbf{i}$ is a bounded interval in $\mathbb{I}$, then

$$
i \overset{\mathrm{def}}{=} \mathrm{mid}(\mathbf{i}) + \mathrm{dev}(\mathbf{i})\varepsilon_f .
$$

The noise symbol $\varepsilon_f$ is a fresh noise symbol not used elsewhere. Unbounded intervals and the empty set cannot be converted to affine forms with respect to Definition 3.3.4, since all the coefficients of affine forms are finite real numbers. The convention is to keep unbounded intervals as intervals, without any further transformation.

The joint range of a set of affine forms $A \overset{\mathrm{def}}{=} \{a_1, \dots, a_p\}$, for $p \ge 2$, is the set of all possible values taken by $(a_1, \dots, a_p)$ whenever the vector $(\varepsilon_1, \dots, \varepsilon_n)$ ranges over $\mathbb{B}^n$. Formally, the joint range is the image of $\{1\} \times \mathbb{B}^n$ under the linear transformation defined by the matrix $C_A \in \mathcal{M}(p, n+1)$:

$$
\begin{pmatrix} a_1 \\ \vdots \\ a_p \end{pmatrix}
=
\underbrace{\begin{pmatrix} \alpha^{a_1}_0 & \cdots & \alpha^{a_1}_n \\ \vdots & & \vdots \\ \alpha^{a_p}_0 & \cdots & \alpha^{a_p}_n \end{pmatrix}}_{C_A}
\begin{pmatrix} 1 \\ \varepsilon_1 \\ \vdots \\ \varepsilon_n \end{pmatrix}
$$


[Figure 3.1: axes $a_1$ (ticks 1, 10, 19) and $a_2$ (ticks 1, 5, 9).]

Figure 3.1: The joint range (the center-symmetric polygon in dark gray) of two affine forms. This zonotope is spanned by the generators drawn at its center. The box $\mathbf{a}_1 \times \mathbf{a}_2$ (light gray) encloses the zonotope.

$$
\gamma(A) \overset{\mathrm{def}}{=} \{ C_A \varepsilon \mid \varepsilon \in \{1\} \times \mathbb{B}^n \} \subset \mathbb{R}^p .
$$

The geometrical concretisation $\gamma(A)$ is a centrally symmetric polytope called a zonotope. The center is the vector given by the first column of the matrix $C_A$. The other columns of $C_A$, that is $(\alpha^{a_1}_i, \dots, \alpha^{a_p}_i)^{\top}$ for $1 \le i \le n$, are the generators of the zonotope (see Figure 3.1).

3.3.7 Example (Joint range of two affine forms) Let $A$ be the set of affine forms defined by

$$
A = \begin{pmatrix} a_1 \\ a_2 \end{pmatrix}
= \begin{pmatrix} 10 - 4\varepsilon_1 + 1\varepsilon_3 + 3\varepsilon_4 \\ 5 - 2\varepsilon_1 + 1\varepsilon_2 - 1\varepsilon_4 \end{pmatrix} .
$$

The joint range (the zonotope) $\gamma(A)$, together with the box $\mathbf{a}_1 \times \mathbf{a}_2$, are shown in Figure 3.1. The shared noise symbols $\varepsilon_1$ and $\varepsilon_4$ give extra information about the relative correlations between the variables $a_1$ and $a_2$.

The linear operations over affine forms are straightforward:


3.3.8 Definition (Linear operations) Let $a$ and $b$ be two affine forms, and let $\lambda, \zeta$ be two finite real numbers; then

$$
a \pm b \overset{\mathrm{def}}{=} (\alpha^a_0 \pm \alpha^b_0) + \sum_{i=1}^{n} (\alpha^a_i \pm \alpha^b_i)\varepsilon_i \qquad (3.3.4)
$$

$$
\lambda a \overset{\mathrm{def}}{=} \lambda\alpha^a_0 + \sum_{i=1}^{n} (\lambda\alpha^a_i)\varepsilon_i \qquad (3.3.5)
$$

$$
a + \zeta \overset{\mathrm{def}}{=} (\alpha^a_0 + \zeta) + \sum_{i=1}^{n} \alpha^a_i \varepsilon_i \qquad (3.3.6)
$$

Non-affine operations over affine forms have to be linearized. This is achieved by over-approximating the error introduced by the linearization, then adding a fresh noise symbol, that is, a noise symbol which is not used elsewhere in any affine form.

The multiplication operation motivates many extensions of affine forms, detailed hereafter, whose aim is to reduce the range of the final result.

The multiplication operation Let $a$ and $b$ be two affine forms; then

$$
a \times b = \Big(\alpha^a_0 + \sum_{i=1}^{n} \alpha^a_i \varepsilon_i\Big)\Big(\alpha^b_0 + \sum_{j=1}^{n} \alpha^b_j \varepsilon_j\Big) \qquad (3.3.7)
$$

$$
= \alpha^a_0 \alpha^b_0 + \sum_{i=1}^{n} (\alpha^a_0 \alpha^b_i + \alpha^b_0 \alpha^a_i)\varepsilon_i + \sum_{i=1}^{n} \sum_{j=1}^{n} \alpha^a_i \alpha^b_j \varepsilon_i \varepsilon_j \qquad (3.3.8)
$$

The non-linear (actually quadratic) term in Equation 3.3.7 is linearized in several ways. All of them first bound the non-linear term, then convert it to an affine form (using Definition 3.3.6).

• centered form [dFS97]: uses a generous range for $\alpha^a_i \alpha^b_j \varepsilon_i \varepsilon_j$, that is $|\alpha^a_i \alpha^b_j|$; then

$$
a \times b \overset{\mathrm{def}}{=} \alpha^a_0 \alpha^b_0 + \sum_{i=1}^{n} (\alpha^a_0 \alpha^b_i + \alpha^b_0 \alpha^a_i)\varepsilon_i + \frac{1}{2} \sum_{i=1}^{n} \sum_{j=1}^{n} |\alpha^a_i \alpha^b_j|\, \varepsilon_{n+1} .
$$

• decentered form [Miy00]: uses the fact that for $i = j$ the values of $\varepsilon_i \varepsilon_j$ are within $[0, 1]$; thus,

$$
a \times b \overset{\mathrm{def}}{=} \Big(\alpha^a_0 \alpha^b_0 + \frac{1}{2} \sum_{i=1}^{n} \alpha^a_i \alpha^b_i\Big) + \sum_{i=1}^{n} (\alpha^a_0 \alpha^b_i + \alpha^b_0 \alpha^a_i)\varepsilon_i + \Big(\frac{1}{2} \sum_{i=1}^{n} |\alpha^a_i \alpha^b_i| + \sum_{1 \le i < j \le n} |\alpha^a_i \alpha^b_j + \alpha^a_j \alpha^b_i|\Big)\varepsilon_{n+1} . \qquad (3.3.9)
$$


• extended form [Mes02]: Messine introduces two extensions of affine forms to increase the accuracy of even powers of affine forms.

3.3.9 Definition (Extended Form) A Messine affine form is defined by

$$
a \overset{\mathrm{def}}{=} \alpha^a_0 + \sum_{i=1}^{n} \alpha^a_i \varepsilon_i + \alpha^a_{n+1}[-1, 1] + \alpha^a_{n+2}[0, 1] + \alpha^a_{n+3}[-1, 0]
$$

where $\alpha^a_0, \dots, \alpha^a_n$ are real numbers, and $\alpha^a_{n+1}, \alpha^a_{n+2}, \alpha^a_{n+3}$ are positive real numbers.

3.3.10 Definition (Quadratic Form) A quadratic form adds $n$ new non-negative noise symbols to represent exactly the squared noise symbols, $\varepsilon_i^2 \,(= \varepsilon_{i+n})$:

$$
\breve{a} \overset{\mathrm{def}}{=} \alpha^a_0 + \sum_{i=1}^{n} \big(\alpha^a_i \varepsilon_i + \alpha^a_{i+n} \varepsilon_{i+n}\big) + \alpha^a_{2n+1}[-1, 1] + \alpha^a_{2n+2}[0, 1] + \alpha^a_{2n+3}[-1, 0]
$$

where $\alpha^a_0, \dots, \alpha^a_{2n}$ are real numbers, and $\alpha^a_{2n+1}, \alpha^a_{2n+2}, \alpha^a_{2n+3}$ are positive real numbers. The noise symbols $\{\varepsilon_{i+n}\}_{1 \le i \le n}$ are constrained to have their values within $[0, 1]$.

The extra information recorded improves multiplication results in general, but increases the complexity of the operations significantly. The multiplication of two extended forms is detailed below. The multiplication of two quadratic forms is similar; details can be found in [Mes02].

$$
a \times b \overset{\mathrm{def}}{=} \alpha^a_0 \alpha^b_0 + \sum_{i=1}^{n} (\alpha^a_0 \alpha^b_i + \alpha^b_0 \alpha^a_i)\varepsilon_i + K_1[-1, 1] + K_2[0, 1] + K_3[-1, 0],
$$

where

$$
K_1 = |\alpha^a_0|\,\alpha^b_{n+1} + |\alpha^b_0|\,\alpha^a_{n+1} + \alpha^a_{n+1} \alpha^b_{n+1} + \sum_{\substack{1 \le i, j \le n+3 \\ i \ne j}} |\alpha^a_i \alpha^b_j|,
$$

$$
K_2 = K'_2 + \alpha^a_{n+2} \alpha^b_{n+2} + \alpha^a_{n+3} \alpha^b_{n+3} + \sum_{\substack{1 \le i \le n \\ \alpha^a_i \alpha^b_i \ge 0}} \alpha^a_i \alpha^b_i ,
$$

$$
K_3 = K'_3 + \sum_{\substack{1 \le i \le n \\ \alpha^a_i \alpha^b_i \le 0}} |\alpha^a_i \alpha^b_i| ,
$$


where, in turn, $K'_2$ and $K'_3$ are defined as follows

$$
K'_2 = \begin{cases}
\alpha^a_0 \alpha^b_{n+2} + \alpha^b_0 \alpha^a_{n+2} & \text{if } \alpha^a_0 > 0 \text{ and } \alpha^b_0 > 0 \\
\alpha^a_0 \alpha^b_{n+2} - \alpha^b_0 \alpha^a_{n+3} & \text{if } \alpha^a_0 > 0 \text{ and } \alpha^b_0 < 0 \\
-\alpha^a_0 \alpha^b_{n+3} + \alpha^b_0 \alpha^a_{n+2} & \text{if } \alpha^a_0 < 0 \text{ and } \alpha^b_0 > 0 \\
-\alpha^a_0 \alpha^b_{n+3} - \alpha^b_0 \alpha^a_{n+3} & \text{if } \alpha^a_0 < 0 \text{ and } \alpha^b_0 < 0
\end{cases},
$$

$$
K'_3 = \begin{cases}
\alpha^a_0 \alpha^b_{n+3} + \alpha^b_0 \alpha^a_{n+3} & \text{if } \alpha^a_0 > 0 \text{ and } \alpha^b_0 > 0 \\
\alpha^a_0 \alpha^b_{n+3} - \alpha^b_0 \alpha^a_{n+2} & \text{if } \alpha^a_0 > 0 \text{ and } \alpha^b_0 < 0 \\
-\alpha^a_0 \alpha^b_{n+2} + \alpha^b_0 \alpha^a_{n+3} & \text{if } \alpha^a_0 < 0 \text{ and } \alpha^b_0 > 0 \\
-\alpha^a_0 \alpha^b_{n+2} - \alpha^b_0 \alpha^a_{n+2} & \text{if } \alpha^a_0 < 0 \text{ and } \alpha^b_0 < 0
\end{cases}.
$$
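The arithmetic of Definitions 3.3.4-3.3.8 and the decentered multiplication of Equation 3.3.9, as an added Python example (not code from the thesis): it reproduces the dependency example $f(x) = 2x - x$ of the generalized-intervals discussion, the correlation of Example 3.3.7, and checks the soundness of a decentered square by sampling. The dict-based representation and the fresh-symbol counter are this example's own choices.

```python
"""Affine arithmetic (Definitions 3.3.4-3.3.8, Equation 3.3.9).

Added example, not code from the thesis. A form is stored as a dict
{symbol index: partial deviation}; index 0 holds the constant alpha_0 and
indices >= 1 are noise symbols eps_i in [-1, 1]. Fresh symbols come from a
module-level counter (an implementation choice of this example).
"""
import itertools
import random

_fresh = itertools.count(1)  # supplies fresh noise-symbol indices


def fresh_symbol():
    return next(_fresh)


class Affine:
    def __init__(self, coeffs):
        # Drop explicit zero deviations so the shared symbols are exactly those present.
        self.c = {i: float(v) for i, v in coeffs.items() if v != 0 or i == 0}
        self.c.setdefault(0, 0.0)

    @classmethod
    def from_interval(cls, lo, hi):
        # Definition 3.3.6: mid(i) + dev(i) * eps_f with a fresh eps_f.
        return cls({0: (lo + hi) / 2, fresh_symbol(): (hi - lo) / 2})

    def range(self):
        # Definition 3.3.5: [alpha_0 - sum|alpha_i|, alpha_0 + sum|alpha_i|].
        rad = sum(abs(v) for i, v in self.c.items() if i)
        return (self.c[0] - rad, self.c[0] + rad)

    # Equations 3.3.4-3.3.6: exact, symbol-wise linear operations.
    def __add__(self, other):
        if not isinstance(other, Affine):  # a + zeta, zeta a real constant
            return Affine({**self.c, 0: self.c[0] + other})
        keys = set(self.c) | set(other.c)
        return Affine({k: self.c.get(k, 0.0) + other.c.get(k, 0.0) for k in keys})

    def __neg__(self):
        return Affine({k: -v for k, v in self.c.items()})

    def __sub__(self, other):
        return self + (-other)

    def __rmul__(self, lam):  # lambda * a
        return Affine({k: lam * v for k, v in self.c.items()})

    def mul(self, other):
        """Equation 3.3.9 (decentered form): eps_i^2 lies in [0, 1], so half of each
        diagonal product moves into the constant; the remaining quadratic part is
        bounded and attached to one fresh noise symbol."""
        a, b = self.c, other.c
        syms = sorted((set(a) | set(b)) - {0})
        ai = lambda i: a.get(i, 0.0)
        bi = lambda i: b.get(i, 0.0)
        out = {0: a[0] * b[0] + 0.5 * sum(ai(i) * bi(i) for i in syms)}
        for i in syms:
            out[i] = a[0] * bi(i) + b[0] * ai(i)
        err = 0.5 * sum(abs(ai(i) * bi(i)) for i in syms)
        err += sum(abs(ai(i) * bi(j) + ai(j) * bi(i))
                   for i, j in itertools.combinations(syms, 2))
        out[fresh_symbol()] = err
        return Affine(out)

    def evaluate(self, eps):
        """Concrete value for an assignment {symbol: value in [-1, 1]}."""
        return self.c[0] + sum(v * eps.get(i, 0.0) for i, v in self.c.items() if i)


def dependency_example():
    """f(x) = 2x - x over [0, 1]: interval arithmetic gives [-1, 2], affine forms [0, 1]."""
    x = Affine.from_interval(0.0, 1.0)
    fx = 2 * x - x
    return fx.range(), fx.c == x.c  # exact range, and the relation f(x) = x is kept


def correlation_example():
    """Example 3.3.7: a1 - 2*a2 with shared eps_1, eps_4 versus arithmetic on the box."""
    a1 = Affine({0: 10, 1: -4, 3: 1, 4: 3})
    a2 = Affine({0: 5, 1: -2, 2: 1, 4: -1})
    (l1, h1), (l2, h2) = a1.range(), a2.range()
    box = (l1 - 2 * h2, h1 - 2 * l2)  # what interval arithmetic on the box gives
    return (a1 - 2 * a2).range(), box


def square_is_sound(trials=2000, seed=1):
    """Decentered x*x for x in [0, 1]; random concrete squares must fall in its range."""
    rng = random.Random(seed)
    x = Affine.from_interval(0.0, 1.0)
    lo, hi = x.mul(x).range()
    ok = True
    for _ in range(trials):
        e = {i: rng.uniform(-1, 1) for i in x.c if i}
        v = x.evaluate(e) ** 2
        ok = ok and (lo - 1e-12 <= v <= hi + 1e-12)
    return lo, hi, ok
```

The affine result for $a_1 - 2a_2$ is $[-8, 8]$ against $[-16, 16]$ from the box, and the decentered square of $[0, 1]$ is $[-0.25, 1]$ (the exact image being $[0, 1]$).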

In the sequel, we discuss three different techniques of linearization: the minimax approximation, the min-range approximation and a Taylor-series-based technique called Taylor1+.

Approximation Techniques

Standard affine arithmetic is not closed under non-linear operations. Therefore, we seek an optimal (in a sense to be defined) affine form which approximates the non-linear result. The issue here is different from the problem of finding the narrowest interval that encloses a given non-linear explicit real function defined over $\mathbb{R}^n$, although we can use the techniques of that rich field and adapt them to our purpose, as very often linearizing before computing an enclosing interval gives better results. Methods such as interval slope arithmetic [ZW90, Kol97] or interval derivative arithmetic [Kag86], together with the classical Taylor expansion, are known in the reliable computing literature to give tight enclosures. These methods have already been applied to affine arithmetic to improve the range of a given function [MK04a, MK04b]. We do not expand on these methods here, as our purpose is different from finding an interval enclosing a real-valued function. We later give (Chapter 5) an example where the use of these techniques may lead to unsound results in the abstract interpretation framework.

The linear approximation of a function $f$ over an interval $\mathbf{i}$ is the function $f_l(x) \overset{\mathrm{def}}{=} \zeta + \alpha x + e(x)$, where $e(x)$ is the linearization error term. The error term is a non-linear function of $x$. As we are targeting a linear approximant, we consider in the sequel that it is independent of $x$ and replace the function $e(x)$ by its image, which is an interval, denoted by $\mathbf{e}$.

The linearization can be optimized such that the error interval $\mathbf{e}$ is minimal, or such that the width of the image of $f$ is minimal. The former is called the minimax approximation, also known as the Chebyshev³ approximation.

³ or Tchebycheff or Tshebyshev.


The latter is called the min-range approximation (as defined in [dFS97]). In general, there is no unique linear optimum form that achieves at the same time the minimax and the min-range approximations (see the reciprocal function example below). Whether to minimize the error or the range of the linearized form is closely related to the underlying problem we are addressing.

The first-order Taylor approximation is in general not optimal with respect to either of the two criteria given above. However, by construction, it captures the main linear component of the function, which makes it convenient for the evaluation of the future transformations of the function. Moreover, its computation is straightforward and can be easily automated. We exemplify these techniques through the reciprocal function.

Let $f$ denote the reciprocal function:

$$
f : [a, b] \to \mathbb{R}, \qquad x \mapsto \frac{1}{x}
$$

where $a$ and $b$ are two real numbers such that $a > 0$. The linear approximation of $f$ is $f_l$, where

$$
f_l(x) = \zeta + \alpha x + [-\delta, \delta] = \zeta + \alpha x + \delta \varepsilon_f ,
$$

where the noise symbol $\varepsilon_f$ is a fresh noise symbol used to encode the symmetric interval $[-1, 1]$. It suffices now to substitute $x$ by its related affine form to obtain an affine form that approximates the function $f(x)$.

Min-range approximation To compute the min-range approximation, we need to compute $\zeta$, $\alpha$ and $\delta$ such that the interval

$$
\zeta + \alpha [a, b] + [-\delta, \delta]
$$

is equal to $[\frac{1}{b}, \frac{1}{a}]$. Since $a > 0$, $f(x)$ is a decreasing function. Therefore $\alpha \le 0$. Thus

$$
\zeta + \alpha [a, b] + [-\delta, \delta] = [\zeta + \alpha b - \delta,\ \zeta + \alpha a + \delta] = \Big[\frac{1}{b}, \frac{1}{a}\Big] .
$$

The case $\alpha = 0$ is equivalent to IA: $f(x)$ is over-approximated by the box $[\frac{1}{b}, \frac{1}{a}]$. Observe that here we have infinitely many linear functions that achieve the min-range approximation. All of them verify:

$$
\zeta + \alpha b - \delta = \frac{1}{b}, \qquad \zeta + \alpha a + \delta = \frac{1}{a},
$$


we pick the one that tightly over-approximates $f(x)$, that is, the one such that $\alpha$ is equal to the derivative of $f(x)$ at $b$ (see Figure 3.2), which gives

$$
\alpha = \frac{-1}{b^2}, \qquad \zeta = \frac{a}{2b^2} + \frac{1}{2a} + \frac{1}{b}, \qquad \delta = \frac{a}{2b^2} + \frac{1}{2a} - \frac{1}{b} .
$$

Taylor approximation The first-order Taylor approximation of a non-linear continuously differentiable function defined over a bounded interval is defined by: (a) its first-order Taylor series computed at a point of the domain of the function (this gives the linear part), plus (b) an interval that over-approximates the difference between the function itself and its Taylor development (this gives the error part). That is, if $f$ is defined over the bounded interval $[a, b]$, and $c$ is an element of $[a, b]$, then

$$
f_l(x) = f(c) + f'(c)\,x + \mathbf{e}, \quad \text{where } \forall x \in [a, b],\ f(x) - (f(c) + f'(c)\,x) \in \mathbf{e} .
$$

The linear function obtained is a centered form (centered at $c$). It is sound, that is $f([a, b]) \subseteq f_l([a, b])$. Moreover, such a centered form has a quadratic order of approximation [Han69, CM72], that is

$$
w(f([a, b])) - w(f_l([a, b])) = O((b - a)^2),
$$

where the function $w([a, b]) \overset{\mathrm{def}}{=} b - a$ denotes the width of the interval $[a, b]$.

In general, the centered form obtained when $c$ is the midpoint of the interval $[a, b]$ does not lead to a minimal interval for $f_l$. In fact, the center $c$ that leads to the optimum upper bound may be different from the one leading to the optimum lower bound, and both may differ from the midpoint [Bau88]. However, the choice of the midpoint eases the computations and gives a good heuristic.

For the reciprocal function $f$, we obtain:

$$
\alpha = \frac{-4}{(a + b)^2}, \qquad
\delta = \frac{-2b}{(a + b)^2} + \frac{1}{2a} = \frac{1}{2a} - \frac{1}{\frac{a^2}{2b} + \frac{b}{2} + a}, \qquad
\zeta = \frac{4}{a + b} + \delta = \frac{1}{2a} + \frac{2}{a + b} + \frac{1}{\frac{b^2}{2a} + \frac{a}{2} + b} .
$$


This approach is more precise than just considering the first-order Taylor approximation of the reciprocal function and then over-approximating the error term using Cauchy's estimate⁴. We call it the Taylor1+ approximation, as it is more precise than the first-order approximation and less precise than the second-order approximation.

Minimax approximation The computation of the minimax approximation is ruled by the Chebyshev Alternation Theorem⁵.

3.3.11 Theorem (Chebyshev Alternation Theorem [1854]) A polynomial $p$ of degree $n$ is the best approximant to $f \in C[a, b]$ (the set of continuous functions defined over the interval $[a, b]$) if and only if there exist $(n + 2)$ points $a \le t_1 \le \dots \le t_{n+2} \le b$ such that

$$
f(t_i) - p(t_i) = (-1)^i \lambda,\qquad |\lambda| = \sup_{x \in [a, b]} |f(x) - p(x)| ,
$$

i.e., if and only if the difference $f(x) - p(x)$ takes its maximal value consecutively, with alternating signs, at least $(n + 2)$ times.

Theorem 3.3.11 is a sufficient condition for a given polynomial to be optimal with respect to minimizing the maximum error introduced by the linearization. There exists an iterative algorithm, called the Remez (or Remes) algorithm [Rem34], that computes an optimum polynomial starting from an initial set of points (usually the Chebyshev nodes, that is $x_i = \cos\big(\frac{(2i - 1)\pi}{2n}\big)$, $i = 1 \dots n + 2$, for a set of points in $[-1, 1]$, linearly transformed if needed into any interval $[a, b]$). For instance, we can use the efficient implementation [Boo] of the Remez algorithm to find first-degree polynomials (seen as functions of the Chebyshev space) that approximate $f$. This approximation is the best with respect to the uniform norm.

⁴ Here, Cauchy's estimate, or uniform estimate, is $M_1 \frac{(b - a)^2}{8}$, where $M_1$ dominates the absolute value of the second derivative of the reciprocal function, that is $\big|\big(\frac{1}{x}\big)^{(2)}\big|$.

⁵ A detailed proof and further details on the use of Chebyshev approximation theory can be found for instance in [E.W66, §6].

In our simple case, we can establish geometrically the polynomial of degree 1 defined by $\zeta + \alpha x$ that interpolates the two points $(a, \frac{1}{a})$ and $(b, \frac{1}{b})$, and which wraps closely the graph of the reciprocal function. Thus:

$$
\alpha = \frac{\frac{1}{a} - \frac{1}{b}}{a - b}, \qquad
\zeta = \frac{1}{2}\Big(\frac{1}{a} - \alpha a + 2\sqrt{-\alpha}\Big) .
$$

We then compute the point $x$ where the tangent has the same direction as $\zeta + \alpha x$; we obtain $\sqrt{ab}$. We can verify that the hypothesis of Theorem 3.3.11 holds for $x = a$, $x = \sqrt{ab}$ and $x = b$, and that

$$
\delta = |\lambda| = \zeta - 2\sqrt{-\alpha} .
$$

3.3.12 Example (Numerical example) Let $x \in [1, 4]$, and $x = 2.5 + 1.5\varepsilon_0$; then, for the min-range approximation we have $\alpha = -0.0625$, $\delta = 0.28125$, $\zeta = 0.78125$, and

$$
f_l^{\text{min-range}} = 0.78125 - 0.0625(2.5 + 1.5\varepsilon_0) + 0.28125\varepsilon_f = 0.625 - 0.09375\varepsilon_0 + 0.28125\varepsilon_f \in [0.25, 1] .
$$

For the Taylor approximation, we have $\alpha = -0.16$, $\zeta = 0.98$, $\delta = 0.18$, and

$$
f_l^{\text{Taylor}} = 0.98 - 0.16(2.5 + 1.5\varepsilon_0) + 0.18\varepsilon_f = 0.58 - 0.24\varepsilon_0 + 0.18\varepsilon_f \in [0.16, 1] .
$$

For the Chebyshev approximation, we have $\alpha = -0.25$, $\zeta = 1.125$, $\delta = 0.125$, and

$$
f_l^{\text{minimax}} = 1.125 - 0.25(2.5 + 1.5\varepsilon_0) + 0.125\varepsilon_f = 0.5 - 0.375\varepsilon_0 + 0.125\varepsilon_f \in [0, 1] .
$$

Figure 3.2 depicts these approximations. Observe that the joint range of $(x, f_l^{\text{minimax}})$ wraps closely the graph $(x, f(x))$. However, the interval of $f_l^{\text{minimax}}$, that is $[0, 1]$, is not optimal. The optimal interval, $[0.25, 1]$, is given by $f_l^{\text{min-range}}$, but the joint range of $(x, f_l^{\text{min-range}})$ wraps loosely the graph $(x, f(x))$.
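The three linearizations of the reciprocal described above, as an added Python example (not code from the thesis): it implements the closed forms given for min-range, Taylor1+ and minimax, substitutes $x = \mathrm{mid} + \mathrm{dev}\,\varepsilon_0$ as in Example 3.3.12, and checks on a grid that each band $\zeta + \alpha x \pm \delta$ encloses $1/x$. The helpers apply_to_interval and encloses_graph are this example's own scaffolding.

```python
"""Linearizations of f(x) = 1/x over [a, b], a > 0 (Section 3.3).

Added example, not code from the thesis. Each approximation returns
(alpha, zeta, delta) for f_l(x) = zeta + alpha*x + delta*eps_f.
"""
import math


def min_range(a, b):
    # Slope is the derivative at b; zeta and delta make the image exactly [1/b, 1/a].
    alpha = -1.0 / b ** 2
    zeta = a / (2 * b ** 2) + 1 / (2 * a) + 1 / b
    delta = a / (2 * b ** 2) + 1 / (2 * a) - 1 / b
    return alpha, zeta, delta


def taylor1plus(a, b):
    # First-order Taylor term at the midpoint; the error interval is the exact image
    # of the remainder (not Cauchy's estimate), re-centred so that it is symmetric.
    alpha = -4.0 / (a + b) ** 2
    delta = -2.0 * b / (a + b) ** 2 + 1 / (2 * a)
    zeta = 4.0 / (a + b) + delta
    return alpha, zeta, delta


def minimax(a, b):
    # Chord through (a, 1/a) and (b, 1/b), shifted down by half the gap reached at
    # sqrt(ab), where the tangent is parallel to the chord (three alternation points).
    alpha = (1 / a - 1 / b) / (a - b)
    zeta = 0.5 * (1 / a - alpha * a + 2 * math.sqrt(-alpha))
    delta = zeta - 2 * math.sqrt(-alpha)
    return alpha, zeta, delta


def apply_to_interval(lin, a, b):
    """Substitute x = mid + dev*eps_0; return (constant, coefficient of eps_0, delta, range)."""
    alpha, zeta, delta = lin(a, b)
    mid, dev = (a + b) / 2, (b - a) / 2
    c0, c1 = zeta + alpha * mid, alpha * dev
    rad = abs(c1) + delta
    return c0, c1, delta, (c0 - rad, c0 + rad)


def encloses_graph(lin, a, b, steps=1000):
    """Soundness check: |1/x - (zeta + alpha*x)| <= delta on a grid over [a, b]."""
    alpha, zeta, delta = lin(a, b)
    for k in range(steps + 1):
        x = a + (b - a) * k / steps
        if abs(1 / x - (zeta + alpha * x)) > delta + 1e-12:
            return False
    return True


def example_3_3_12():
    """The numbers of Example 3.3.12 for x in [1, 4], keyed by approximation name."""
    return {name: apply_to_interval(lin, 1.0, 4.0)
            for name, lin in (("min-range", min_range),
                              ("Taylor1+", taylor1plus),
                              ("minimax", minimax))}
```

For $[1, 4]$ the three ranges are $[0.25, 1]$, $[0.16, 1]$ and $[0, 1]$ respectively, and all three bands enclose the graph of $1/x$.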


[Figure 3.2: axes $x$ and $f(x)$; legend: min-range, Taylor 1st order, Chebyshev.]

Figure 3.2: Affine form approximations of the reciprocal function.

Perturbed Affine Sets

The novelty of this domain, introduced in [GP06], resides in the way it encodes relations between variables. While all prior attempts, such as the Polyhedra-like or Karr's affine equalities abstract domains, keep and propagate explicit relations between variables, the affine forms-based abstract domain keeps implicit relations between variables, encoded by the shared noise symbols (see Section 3.3).

The geometrical concretisations of such a domain are zonotopes, which are centrally symmetric polytopes. Thus, the domain is strictly more expressive than weakly relational domains such as octagons, and it encodes linear equalities between variables perfectly, but it is strictly less expressive than the Polyhedra domain in general because of the symmetry of zonotopes. In terms of expressiveness, it thus fills the gap between weakly relational domains and fully linear relational domains, as the linear templates polyhedra do. However, the affine sets domain is definitely more precise and more efficient than all the other domains whenever the program to analyze uses non-linear operations.

Zonotopes have an efficient memory representation (a set of vectors). The complexity of arithmetic computations is almost linear with respect to the number of noise symbols used. Non-linear operations can be precisely and efficiently linearized, as detailed in Section 3.3.

For the purpose of abstract interpretation, one needs to define two set-theoretic operations, the join and the meet, over affine forms. Since the convex hull of two zonotopes is not a zonotope, and neither is the intersection


of two zonotopes, we have to compute a zonotope that encloses two given zonotopes and a zonotope that encloses the intersection of two zonotopes. For this purpose, Goubault and Putot [GP08, GP09] have extended affine forms.

We briefly describe in the sequel the affine forms-based abstract object, the arithmetic operations over such an abstract domain and finally the set-theoretic operations.

A set of numerical variables $V = \{v_1, \dots, v_p\}$ is abstracted as follows:

3.3.13 Definition A perturbed affine set $X$ is defined by

$$
X \overset{\mathrm{def}}{=} (C^X, P^X),
$$

where $C^X$ is a matrix with $p$ lines and $n + 1$ columns and $P^X$ is a matrix with $p$ lines and $m$ columns. Elements of $C^X$ and $P^X$ are real numbers.

Each variable $v_l$ in $V$ is abstracted by an affine form:

$$
X_l \overset{\mathrm{def}}{=} \underbrace{\sum_{i=0}^{n} C^X_{l,i}\,\varepsilon_i}_{\text{central part}} + \underbrace{\sum_{j=1}^{m} P^X_{l,j}\,\eta^X_j}_{\text{deviation}} ,
$$

All noise symbols are unknown but within $[-1, 1]$, except $\varepsilon_0$ which is equal to 1. The coefficients of the affine form are the elements of the $l$th line of $C^X$ and $P^X$. The first element of the $l$th line of $C^X$ encodes the constant of the affine form, since the noise symbol $\varepsilon_0$ is equal to 1. The sub-affine form composed of the coefficients of the $l$th line of $C^X$ is called the central part of the abstraction of the variable $v_l$. The sub-affine form composed of the coefficients of the $l$th line of $P^X$ is called the perturbation part.

The concretisation function $\gamma$ is defined as follows:

3.3.14 Definition Given a perturbed affine set $X$, its geometrical concretisation is the set defined by

$$
\gamma(X) \overset{\mathrm{def}}{=} \{ C^X \varepsilon + P^X \eta^X \mid (\varepsilon, \eta^X) \in \{1\} \times [-1, 1]^{n+m} \},
$$

The geometrical concretisation is exactly the joint range of all numerical variables. It can be seen as the Minkowski sum of two zonotopes, namely the one having as generators the columns of $C^X$ and the one having as


generators the columns of $P^X$. We recall that the Minkowski sum of two sets $A$ and $B$ is the set defined by

$$
A + B = \{ a + b \mid a \in A,\ b \in B \} .
$$

The noise symbols $(\varepsilon_1, \dots, \varepsilon_n)$ have a strict meaning: they encode the non-deterministic input variables, and they are strongly linked to these variables. If one substitutes these noise symbols by any other dummy symbols within $[-1, 1]$, the local joint range (zonotope) remains unchanged but the relations to those input variables get lost. Moreover, the final invariant (which is encoded as a function of these central noise symbols) gives the input/output relations of the program (functional analysis).

On the other hand, the perturbation noise symbols $(\eta^X_1, \dots, \eta^X_m)$ are indexed by $X$ to enforce the fact that these noise symbols are not shared between abstract objects. They are used to define an order over perturbed affine sets.

3.3.15 Definition (Order over Perturbed Affine Sets) Given two Perturbed Affine Sets $X$ and $Y$, we say that $X$ is less than or equal to $Y$ if and only if

$$
\forall t \in \mathbb{R}^p,\quad \|(C^X - C^Y)\,t\|_1 \le \|P^Y t\|_1 - \|P^X t\|_1 .
$$

The order defined above is stronger than the geometrical order. The geometrical order, $\gamma(X) \subseteq \gamma(Y)$, does not respect the semantics of the central noise symbols. Indeed, computing a zonotope that encloses the zonotopes $\gamma(X)$ and $\gamma(Y)$, without any other consideration, definitely loses the relations to the central noise symbols, which are precisely the relations we need to keep.

As established in [GP09], the order over Perturbed Affine Sets implies the geometrical order.

3.3.16 Proposition $X \le Y \implies \gamma(X) \subseteq \gamma(Y)$.

So far, this affine forms-based abstract domain ignores tests; our work is an attempt to address this limitation.

Arithmetic operations over perturbed affine sets rely on affine arithmetic (see Section 3.3). The definitions are exposed in detail in Chapter 5.
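Definitions 3.3.13-3.3.15 and Proposition 3.3.16 in an added Python example (not code from the thesis): two perturbed affine sets with the same concretisation $[0, 2]$ are incomparable for the order because they relate to $\varepsilon_1$ differently, while a set with enough perturbation absorbs the difference. The row-list matrix layout and the restriction of the exact check to $p = 1$ are this example's own choices.

```python
"""Perturbed affine sets (Definitions 3.3.13-3.3.15, Proposition 3.3.16).

Added example, not code from the thesis. A set is a pair (C, P) of row lists:
C has p rows and n+1 columns (column 0 multiplies eps_0 = 1), P has p rows and
m columns. The order check of Definition 3.3.15 is exact for p = 1, where the
condition is homogeneous in the scalar t and reduces to t = 1; for p > 1 this
example only samples directions t, which is a necessary test, not a proof.
"""
import random


def concretise(C, P):
    """Per-variable interval of gamma(X): the Minkowski sum of the central and
    perturbation zonotopes, projected on each coordinate."""
    boxes = []
    for crow, prow in zip(C, P):
        rad = sum(abs(v) for v in crow[1:]) + sum(abs(v) for v in prow)
        boxes.append((crow[0] - rad, crow[0] + rad))
    return boxes


def _comb_norm1(M, t):
    """1-norm of the noise-symbol coefficients of the combination sum_l t_l * X_l,
    which is how the vector norms of Definition 3.3.15 read with variables as rows."""
    ncols = len(M[0]) if M else 0
    return sum(abs(sum(M[l][j] * t[l] for l in range(len(t)))) for j in range(ncols))


def leq_along(X, Y, t):
    """Definition 3.3.15 for one direction t."""
    (CX, PX), (CY, PY) = X, Y
    diff = [[cx - cy for cx, cy in zip(rx, ry)] for rx, ry in zip(CX, CY)]
    return _comb_norm1(diff, t) <= _comb_norm1(PY, t) - _comb_norm1(PX, t) + 1e-12


def leq(X, Y, samples=500, seed=7):
    p = len(X[0])
    if p == 1:
        return leq_along(X, Y, [1.0])  # exact: both sides are homogeneous in t
    rng = random.Random(seed)
    return all(leq_along(X, Y, [rng.uniform(-1, 1) for _ in range(p)])
               for _ in range(samples))


def box_included(X, Y):
    return all(lx >= ly and hx <= hy
               for (lx, hx), (ly, hy) in zip(concretise(*X), concretise(*Y)))


def same_zonotope_different_order():
    """X = 1 + eps_1 and Y = 1 - eps_1 both concretise to [0, 2], yet neither
    X <= Y nor Y <= X: the order keeps the link to the input symbol eps_1."""
    X = ([[1.0, 1.0]], [[]])
    Y = ([[1.0, -1.0]], [[]])
    return concretise(*X) == concretise(*Y), leq(X, Y), leq(Y, X)


def perturbation_absorbs_difference():
    """Z = 1 + 0*eps_1 + 1*eta_Z drops the link to eps_1 but has enough perturbation
    (|1 - 0| <= 1 - 0), so X <= Z and, by Proposition 3.3.16, gamma(X) is in gamma(Z)."""
    X = ([[1.0, 1.0]], [[]])
    Z = ([[1.0, 0.0]], [[1.0]])
    return leq(X, Z), box_included(X, Z)


def two_variable_example():
    """p = 2: X2 = (eps_1, eps_2) against Y2 = (eta_1, eta_2), sampled directions."""
    X2 = ([[0.0, 1.0, 0.0], [0.0, 0.0, 1.0]], [[], []])
    Y2 = ([[0.0, 0.0, 0.0], [0.0, 0.0, 0.0]], [[1.0, 0.0], [0.0, 1.0]])
    return leq(X2, Y2)
```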


3.4 Combining Abstract Domains

The direct product of two or more abstract domains is equivalent to performing the analysis separately with each abstract domain. This approach does not combine the expressive power of the abstract domains in use, and hence does not improve the final result.

We briefly recall hereafter two different generic approaches designed to improve the precision of the analysis by sharing the information found by one domain in order to improve the result given by the other domain. The exchange of information is done dynamically during the analysis. Theoretically, these interleavings are strictly more expressive than each domain taken alone (as in the direct product); nevertheless, in practice these approaches are either limited theoretically or need an extra effort to handle the exchange of information.

Reduced Product

If $D^\flat$ is a concrete domain abstracted by two abstract domains $D^\sharp_1$ and $D^\sharp_2$, then the concretisation function $\gamma_{1 \times 2} : (D^\sharp_1, D^\sharp_2) \to D^\flat$ of the reduced product $(D^\sharp_1, D^\sharp_2)$ is defined by the meet in $D^\flat$ of the concretisations of $D^\sharp_1$ and $D^\sharp_2$:

$$
\gamma_{1 \times 2}(X^\sharp_1, X^\sharp_2) \overset{\mathrm{def}}{=} \gamma_1(X^\sharp_1) \cap^\flat \gamma_2(X^\sharp_2) .
$$

To propagate the conjunction of properties in the concrete domain given by $\gamma_{1 \times 2}$, we need to abstract again the object $\gamma_{1 \times 2}(X^\sharp_1, X^\sharp_2)$, using the abstraction functions $\alpha_1$ and $\alpha_2$ of the abstract domains $D^\sharp_1$ and $D^\sharp_2$ respectively:

$$
\alpha_{1 \times 2}(X^\flat) = (\alpha_1(X^\flat), \alpha_2(X^\flat)) .
$$

The way used to share the information between both abstract domains relies on the concretisation of the abstract objects. It is formalized using a so-called reduction operator $\rho : (D^\sharp_1, D^\sharp_2) \to (D^\sharp_1, D^\sharp_2)$, defined by the combination of $\gamma_{1 \times 2}$ and $\alpha_{1 \times 2}$:

$$
\rho = \alpha_{1 \times 2} \circ \gamma_{1 \times 2} .
$$

The reduction operator thus relies on the abstraction functions of the abstract domains $D^\sharp_1$ and $D^\sharp_2$. These functions are in practice seldom available, which prevents the immediate use of the generic definition of $\rho$ above. Instead, we may define local partial reductions specific to the transfer function: for instance, the evaluation of a non-linear expression relies very often on the ranges of variables. We could use the intervals lattice to record


such information, then use those ranges for a better linearization of theexpression.

Logical Product

The logical product of abstract domains [GT06] combines the abstract domains in a way strictly more expressive than what we have seen for the reduced product. The approach is based on the classic Nelson-Oppen methodology [NO79] for combining decision procedures.

Unlike the reduced product, which in practice requires defining partial reductions specific to the abstract domains and even to the transfer functions, the logical product can be built upon the native operators of the underlying abstract domains. Nevertheless, for an efficient combination (in polynomial time), hard restrictions have to be verified by the theories upon which we build the underlying abstract domains. Namely, these theories have to be convex, stably infinite and disjoint.

A theory consists of a signature, which is a set of symbols (predicates and functions), and a set of axioms which defines the semantics of the signature of that theory. An atomic fact of a theory is the simplest possible predicate over that theory, that is, one that can no longer be decomposed into a conjunction of predicates of the same theory. A logical lattice is derived from a theory if and only if its objects are all finite conjunctions of atomic facts and its partial order is the logical implication relationship in that theory. For instance, the signature of the theory of signs is defined by $\{=, \mathit{positive}, \mathit{negative}, +, -, 0, 1\}$, where $\mathit{positive}$ and $\mathit{negative}$ are unary predicates, $+$ and $-$ are binary functions, and $0$ and $1$ are constants; the signature of the linear arithmetic theory is $\{=, \le, +, -, 0, 1\}$. The set of axioms of the linear arithmetic theory includes all the known rules such as $x \le y \wedge y = z \implies x \le z$.

Any abstract domain can be seen as a logical lattice. For instance, the polyhedra abstract domain is the logical lattice based upon the theory of linear arithmetic, whereas the affine sets abstract domain is the logical lattice based on the theory of linear arithmetic with only the equality symbol.

A theory is said to be convex if, whenever a conjunction of facts implies a disjunction of equalities, it necessarily implies one of those equalities. A theory is stably infinite if any quantifier-free property satisfied in that theory is also satisfied in an infinite model of that theory. Two theories are disjoint if and only if their signatures are disjoint except for the equality symbol.

Combining two theories with respect to the Nelson-Oppen method requires the definition of three generic procedures over both theories. Using the terminology of [GT06], these procedures are as follows:


• a procedure that recognizes the terms that combine atomic facts from both theories, often called alien terms as they are not pure terms of one theory,

• a procedure that purifies a given alien term: this is usually done by adding new variables,

• and finally a saturation procedure that takes two conjunctions of pure terms of both theories, then keeps exchanging all equalities between these conjunctions until no new equality can be derived.

The saturation procedure is actually the one that permits the exchange of information between both theories. Since an expression can contain alien terms, the two other procedures are used to extract and purify these alien terms. Once the pure terms are saturated, we can use the native abstract transfer operators of the underlying abstract domain.

The restrictions on theories, that is convexity, stable infiniteness and disjointness, limit in practice the use of the generic approach. Nevertheless, one can always define a logical product of two logical lattices, of course without the straightforward use of the Nelson-Oppen methodology.

In this thesis, we introduce and formalize a logical product of the perturbed affine sets domain and any other (convex) abstract domain. We keep the terminology "logical product" even if the underlying theories are not disjoint.


CHAPTER 4
Constrained Affine Sets

We introduce a new affine sets-based abstract domain which extends and generalizes an already existing affine sets-based abstract domain [GP06, GP08, GP09], $(\mathbb{A}_1, \bot_1, \top_1, \sqsubseteq_1, \sqcup_1)$. The expressiveness of this new domain is enhanced thanks to its ability to encode and propagate relations among the noise symbols. These relations, or constraints, over noise symbols encode the domain where the symbols range. This domain is abstracted using an abstract domain $(\mathbb{A}_2, \bot_2, \top_2, \sqsubseteq_2, \sqcup_2, \sqcap_2)$.

We define a special logical product-like combination of the abstract domains $\mathbb{A}_1$ and $\mathbb{A}_2$, denoted by $\mathbb{A}_{1\times 2}$. The variables abstracted in $\mathbb{A}_1$ are the numerical variables of the program to analyze, whereas the variables abstracted in $\mathbb{A}_2$ are the noise symbols used to keep implicit linear relations between the program variables. Thus, we do not use two different abstract domains to abstract the same set of variables, as in the reduced product of abstract domains [CC79] or the logical product of abstract domains [GT06]. Moreover, the information shared between $\mathbb{A}_1$ and $\mathbb{A}_2$ is as expressive as the information shared in the logical product of abstract domains; for instance, the equality constraints are propagated between the two domains in an intricate manner (this is not just a reduction operation).

4.1 Introduction

Despite their ability to keep (linear and implicit) relations between variables, and their simple memory representation, affine forms are not closed under the set theoretic operations, the intersection and the join. Affine sets are not closed under these operations either: indeed, the join and the intersection of two zonotopes are not zonotopes in general.


In this chapter, we introduce informally the way we interpret the meet operations on zonotopes that arise from if-then-else statements. Where the previously defined Perturbed Affine Sets abstract domain proposes a join operation, it ignores tests (which is sound). We come up with an elegant way to express and propagate these tests, then extend the join operators of [GP08, GP09] to our newly defined domain.

Consider the simple code below, extracted from an implementation of a quadratic interpolation function.

begin
  x = [-1,1];            ①
  if (x <= 0)            ②
  then
    y = x*x + x;         ③
  endif                  ④
end

At control point ①, we first convert the interval [−1, 1] into an affine form, denoted a, by adding a new noise symbol $\varepsilon_1$ known to be within [−1, 1]:
$$x \in [-1, 1] \quad\text{becomes}\quad a = \varepsilon_1,\ \varepsilon_1 \in [-1, 1].$$
If one ignores the test (x <= 0), at control point ③ we obtain for y the affine form $0.5 + \varepsilon_1 + 0.5\varepsilon_2$, where $\varepsilon_2$ is a new noise symbol introduced to linearize the non-linear expression $x^2 + x$ (see Chapter 5 for the abstract evaluation of expressions). Thus we conclude that, in the if branch, the variable y is within the interval [−1, 2]. In this example, the reduced product with boxes, used to interpret the test x <= 0, improves this result slightly. Indeed, the interval analysis gives for y $[-1, 0]\times[-1, 0] + [-1, 0]$, and hence the final interval is [−1, 1].

However, if we use the information $\varepsilon_1 \le 0$ implied by the test, the linearization of $x^2$ using centered forms (discussed and formalized in Section 5.1) gives $-0.125 - \varepsilon_1 + 0.125\varepsilon_2$, and thus the affine form related to y is $-0.125 + 0.125\varepsilon_2$. This gives the box [−0.25, 0], which is exactly the image of the interval [−1, 0] through the non-linear function $x^2 + x$.

Our main idea is to transfer the constraint from the variables' world to the noise symbols' world by substituting each variable by its corresponding affine form. Such a constraint is then kept and used in all incoming non-linear computations, including the join of two affine sets. For instance, in the above example, the test x <= 0, where x is abstracted by a, is interpreted by the constraint $\varepsilon_1 \le 0$. Observe that the affine form a is left unchanged, which permits the normal use of affine arithmetic.

The abstract object of interest in our domain is then a conjunction of constraints, either linear or non-linear, expressed in the abstract domain of the noise symbols, together with a set of affine forms, one per variable. Typically, in our example, the abstract value at control point ③ is
$$\begin{cases} -1 \le \varepsilon_1 \le 0 \ \wedge\ -1 \le \varepsilon_2 \le 1 \\ a = \varepsilon_1 \\ b = -0.125 + 0.125\varepsilon_2 \end{cases}$$
where b is the affine form that abstracts the variable y. In the next section, we formalize these abstract objects.
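As an added example (not code from the thesis), the following Python model of this abstract value takes $\mathbb{A}_2$ to be the interval lattice: the test x <= 0 is projected onto the noise symbols, the centered-form linearization of x*x of Section 5.1 then reads the narrowed box, and both evaluations of y above are reproduced. The dict encoding and the helper names are this example's own.

```python
from fractions import Fraction as F

# Added example, not code from the thesis. A2 is taken to be the interval
# lattice. An affine form is a dict {noise symbol index: coefficient}, index 0
# standing for the constant coefficient (eps_0 = 1). The abstract element Phi
# is a dict {symbol index: (lo, hi)} giving the box the noise symbols range
# over; it is the only part that the test x <= 0 modifies.

def add(a, b):
    """Sum of two affine forms; affine arithmetic is exact on + and scaling."""
    r = dict(a)
    for k, v in b.items():
        r[k] = r.get(k, 0) + v
    return {k: v for k, v in r.items() if v != 0}

def scale(a, c):
    return {k: c * v for k, v in a.items() if c * v != 0}

def bounds(a, phi):
    """Interval concretisation of the form a under the noise-symbol box phi."""
    lo = hi = F(a.get(0, 0))
    for k, c in a.items():
        if k != 0:
            l, h = phi[k]
            lo += min(c * l, c * h)
            hi += max(c * l, c * h)
    return lo, hi

def meet_le_zero(a, phi):
    """Interpret the test `a <= 0` as a constraint on the noise symbols.

    In the box domain, for each symbol k with coefficient c_k we have
    c_k * eps_k <= -(rest of the form), so eps_k is cut at -lo(rest)/c_k.
    The affine form itself is left untouched; only phi is refined. Returns
    None when the box becomes empty, i.e. the branch is unreachable.
    """
    if bounds(a, phi)[0] > 0:
        return None
    new = dict(phi)
    for k, c in a.items():
        if k == 0:
            continue
        rest = {j: v for j, v in a.items() if j != k}
        cut = -bounds(rest, new)[0] / F(c)
        l, h = new[k]
        new[k] = (l, min(h, cut)) if c > 0 else (max(l, cut), h)
        if new[k][0] > new[k][1]:
            return None
    return new

def square(a, phi, fresh):
    """Centered-form linearization of a*a (Section 5.1) using the box phi.

    With c = mid and d = dev of the range of a under phi,
    x^2 = c^2 + 2c(x - c) + (x - c)^2 and (x - c)^2 lies in [0, d^2], which
    is encoded as d^2/2 + (d^2/2) * eps_fresh with a fresh symbol in [-1, 1].
    """
    lo, hi = bounds(a, phi)
    c, d = (lo + hi) / 2, (hi - lo) / 2
    lin = add(scale(a, 2 * c), {0: -c * c + d * d / 2, fresh: d * d / 2})
    phi2 = dict(phi)
    phi2[fresh] = (F(-1), F(1))
    return lin, phi2

def analyse_branch(with_test):
    """Abstract value of y at control point 3 of the snippet above.

    Returns the affine form of y and its interval concretisation.
    """
    phi = {1: (F(-1), F(1))}          # x in [-1, 1] becomes a = eps_1
    a = {1: F(1)}
    if with_test:
        phi = meet_le_zero(a, phi)    # x <= 0 becomes eps_1 <= 0
    sq, phi = square(a, phi, fresh=2)
    y = add(sq, a)                    # y = x*x + x
    return y, bounds(y, phi)
```

Without the constraint, y is $0.5 + \varepsilon_1 + 0.5\varepsilon_2$ in [−1, 2]; with $\varepsilon_1 \le 0$ recorded in phi, y is $-0.125 + 0.125\varepsilon_2$ in [−0.25, 0].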

4.2 Constrained A�ne Sets

Let $V \overset{\mathrm{def}}{=} \{v_1, \dots, v_p\}$ denote the finite set of numerical variables of the program to analyze.

Representation

4.2.1 Definition. A constrained affine set X is represented by a tuple
$$X \overset{\mathrm{def}}{=} (C^X, P^X, \Phi^X),$$
where $C^X$ is a real matrix with p lines and n + 1 columns, $P^X$ is a real matrix with p lines and m columns, and $\Phi^X$ is an abstract element of $\mathbb{A}_2$; n and m are finite integers. The set of constrained affine sets is denoted by $\mathbb{A}_{1\times 2}$.

The dimension $p < +\infty$ is the cardinality of V, the set of numerical variables. The object X represents the abstraction of these numerical variables at a control point of the program. Each numerical variable is abstracted by the affine form given by the lth line ($1 \le l \le p$) of $C^X$ and $P^X$, as follows:
$$x_l \overset{\mathrm{def}}{=} \underbrace{\sum_{i=0}^{n} C^X_{l,i}\,\varepsilon_i}_{\text{central part}} + \underbrace{\sum_{j=1}^{m} P^X_{l,j}\,\eta^X_j}_{\text{deviation}},$$
where $C^X_{l,i}$, $1 \le l \le p$, $0 \le i \le n$, denotes the (l, i) coefficient of matrix $C^X$. Notice that we use zero for the first index of the columns of matrix $C^X$. Likewise, $P^X_{l,i}$, $1 \le l \le p$, $1 \le i \le m$, denotes the (l, i) coefficient of matrix $P^X$.

Figure 4.1: The sets $\Phi^X_\varepsilon$ and $\Phi^X_\eta(\omega)$, where the polygon represents the concretisation of $\Phi^X$ (n = 1, m = 1).

The symbol $\varepsilon_0$, equal to one, encodes constants (it is equivalent to the variable $v_0$ in the octagons abstract domain [Min06a]). The vector of central noise symbols is denoted by $\varepsilon \overset{\mathrm{def}}{=} (\varepsilon_0, \varepsilon_1, \dots, \varepsilon_n)^T$; these symbols have a strict semantics: they are related to the inputs of the program. One cannot substitute them by other symbols because they are not free variables. They encode the non-determinism of the inputs. The vector of deviation noise symbols $(\eta^X_1, \dots, \eta^X_m)^T$ is denoted by $\eta^X$. We add explicitly the upper index X on η to stress the fact that these noise symbols are local noise symbols related to the abstract object X and are not shared with other abstract objects. They do not have any particular meaning as the $\varepsilon_i$, $0 \le i \le n$, do. They are dummy symbols (free variables) used to encode the generators of the deviation part.

The vector ε augmented by the vector $\eta^X$ ranges over the concretisation of $\Phi^X$, that is $\gamma_2(\Phi^X)$, a subset of $\{1\} \times \mathbb{R}^{n+m}$, where $\gamma_2$ denotes the concretisation function of the abstract domain $\mathbb{A}_2$. We denote by $\Phi^X_\varepsilon \subseteq \{1\} \times \mathbb{R}^n$ the projection of $\gamma_2(\Phi^X)$ over the n + 1 first coordinates of $\{1\} \times \mathbb{R}^{n+m}$.

For a fixed $\omega \in \Phi^X_\varepsilon$, $\Phi^X_\eta(\omega) \subseteq \mathbb{R}^m$ denotes the section obtained by the intersection of the hyperplane $\varepsilon = \omega$ and $\gamma_2(\Phi^X)$:
$$\Phi^X_\eta(\omega) \overset{\mathrm{def}}{=} \{\eta^X \mid (\omega, \eta^X) \in \gamma_2(\Phi^X)\}.$$
Figure 4.1 depicts $\Phi^X_\varepsilon$ and a section $\Phi^X_\eta(\omega)$ for an arbitrary $\omega \in \Phi^X_\varepsilon$.


Concretisation Function

4.2.2 Definition. The concretisation function of the abstract domain $\mathbb{A}_{1\times 2}$ is defined by
$$\gamma_{1\times 2}(X) \overset{\mathrm{def}}{=} \{C^X\varepsilon + P^X\eta^X \mid (\varepsilon, \eta^X) \in \gamma_2(\Phi^X)\}.$$
In general, as in Example 4.2.3, the concretisation of a constrained affine set is not a zonotope (which is the case of any perturbed affine set).

4.2.3 Example. Suppose that $V = \{v_1, v_2\}$. Let $\mathbb{A}_2$ be the polyhedra abstract domain, and let p = n = m = 2. Figure 4.2 depicts the concretisation of X, where X is defined as follows:
$$X \overset{\mathrm{def}}{=} \Big(\underbrace{\begin{pmatrix} 1 & 1 \\ -1 & 2 \end{pmatrix}}_{C^X},\ \underbrace{\begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}}_{P^X},\ \Phi^X\Big),$$
and $\Phi^X$ is the conjunction of the following constraints:
$$\varepsilon_0 = 1 \ \wedge\ -1 + \tfrac{4}{3}\varepsilon_1 + \tfrac{4}{3}\eta^X_1 \ge 0 \ \wedge\ 2\varepsilon_1 - \eta^X_1 \ge 0 \ \wedge\ \tfrac{3}{2} - \varepsilon_1 - \eta^X_1 \ge 0 \ \wedge\ -\varepsilon_1 + 2\eta^X_1 \ge 0 \ \wedge\ \tfrac{1}{2} + \eta^X_2 \ge 0 \ \wedge\ \tfrac{1}{2} - \eta^X_2 \ge 0.$$
The polytope given by the conjunction of the first four constraints is the polytope depicted in Figure 4.1 (which has four facets); the conjunction of the last two constraints involves only $\eta^X_2$ and is simply the interval $[-\tfrac{1}{2}, \tfrac{1}{2}]$ for $\eta^X_2$.

Intervals Conversions

From a constrained affine set to a box. The interval concretisation of the lth numerical variable of X, $1 \le l \le p$, is the projection of $\gamma_{1\times 2}(X)$ on its lth dimension. The final box is the product of all these projections.

From a box to a constrained affine set. Usually, intervals are useful at the beginning of the analysis: the non-deterministic inputs of the program (for instance environment-related variables) are often unknown but within intervals. The conversion given here is related to the input variables and thus updates only the central part $C^X$; because of the particular semantics of noise symbols, the perturbation matrix $P^X$ is set to zero. After the conversion we have as many noise symbols as non-deterministic numerical variables.

Figure 4.2: The concretisation of the constrained affine set given in Example 4.2.3.

Consider a bounded interval $[d_1, d_2]$, $d_1 \le d_2 < +\infty$; then its related affine form is
$$\mathrm{mid}([d_1, d_2]) + \mathrm{dev}([d_1, d_2])\,\varepsilon_f,$$
where $\varepsilon_f$ is a fresh input noise symbol known to be within [−1, 1]. These constraints on $\varepsilon_f$ are added to the abstract object $\Phi^X$ by computing the image of $\Phi^X$ through $\llbracket -\varepsilon_f \le 1 \wedge \varepsilon_f \le 1 \rrbracket^\sharp_2$, that is the abstraction of the test transfer function in the abstract domain $\mathbb{A}_2$.

The affine form related to an unbounded interval is simply $\varepsilon_f$, without any constraint on $\varepsilon_f$. Indeed, we identify the variable with a fresh input noise symbol $\varepsilon_f$ initialized to $\top_2$, and keep track of the finite bound of the interval as a constraint over the freshly added noise symbol. Therefore, for a left-bounded interval $[a, +\infty]$, $a < +\infty$, we compute the image of $\Phi^X$ through $\llbracket -\varepsilon_f \le -a \rrbracket^\sharp_2$. A similar transformation is done if the interval is right-bounded. Obviously, for the interval $[-\infty, +\infty]$, the freshly added noise symbol is unconstrained and remains equal to its initial value, that is $\top_2$.

We summarize the five possible cases in the following example.

4.2.4 Example. Let $V = \{v_1, v_2, v_3, v_4, v_5\}$ be the set of numerical variables known to be respectively within
$$[-\infty, +\infty] \times [a, +\infty] \times [-\infty, b] \times [d_1, d_2] \times [c, c].$$
The related constrained affine set is then:
$$C^X = \begin{pmatrix} 0 & 1 & 0 & 0 & 0 & 0 \\ 0 & 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 & 0 \\ \mathrm{mid}([d_1, d_2]) & 0 & 0 & 0 & \mathrm{dev}([d_1, d_2]) & 0 \\ c & 0 & 0 & 0 & 0 & 0 \end{pmatrix}, \qquad P^X = 0,$$
$$\Phi^X = \llbracket \varepsilon_0 = 1 \wedge -\varepsilon_2 \le -a \wedge \varepsilon_3 \le b \wedge -1 \le \varepsilon_4 \le 1 \wedge -1 \le \varepsilon_5 \le 1 \rrbracket^\sharp_2\, \top_2.$$
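As an added example (not the thesis's code), the five conversion cases of Example 4.2.4 and the reverse projection onto a box, written in Python with $\mathbb{A}_2$ taken to be the interval lattice; None stands for an infinite bound, and the unused symbol $\varepsilon_5$ of the constant variable is simply left out of Φ here.

```python
from fractions import Fraction as F

# Added example, not the thesis's code: the box-to-constrained-affine-set
# conversion of Example 4.2.4 and the reverse projection, with A2 taken to be
# the interval lattice. None stands for an infinite bound. C is a list of rows,
# P the (zero) perturbation matrix, and Phi maps a noise symbol index to its
# (lo, hi) range, the constraints that Example 4.2.4 writes as tests on eps_f.

def from_boxes(intervals):
    """Build (C, P, Phi) from one (lo, hi) box per variable v_1 .. v_p.

    Variable v_l gets the fresh input symbol eps_l (so n = p), and C has
    n + 1 columns, eps_0 = 1 being column 0. As in the thesis, a constant
    interval [c, c] uses no symbol at all, and P is identically zero.
    """
    p = len(intervals)
    C = [[F(0)] * (p + 1) for _ in range(p)]
    P = [[] for _ in range(p)]                    # m = 0
    phi = {0: (F(1), F(1))}                       # eps_0 = 1
    for l, (lo, hi) in enumerate(intervals, start=1):
        row = C[l - 1]
        if lo is not None and hi is not None and lo == hi:
            row[0] = F(lo)                        # [c, c]: the constant c
        elif lo is not None and hi is not None:
            row[0] = (F(lo) + F(hi)) / 2          # mid([d1, d2])
            row[l] = (F(hi) - F(lo)) / 2          # dev([d1, d2]) * eps_l
            phi[l] = (F(-1), F(1))                # -eps_l <= 1 and eps_l <= 1
        else:
            row[l] = F(1)                         # v_l = eps_l, starting at top
            phi[l] = (None if lo is None else F(lo),   # -eps_l <= -a
                      None if hi is None else F(hi))   # eps_l <= b
    return C, P, phi

def scaled(c, iv):
    """c * [lo, hi] with None as an infinite bound."""
    if c == 0:
        return (F(0), F(0))
    lo, hi = iv
    a = None if lo is None else c * lo
    b = None if hi is None else c * hi
    return (a, b) if c > 0 else (b, a)

def iadd(u, v):
    lo = None if u[0] is None or v[0] is None else u[0] + v[0]
    hi = None if u[1] is None or v[1] is None else u[1] + v[1]
    return (lo, hi)

def to_boxes(C, P, phi):
    """Project gamma_{1x2}(X) on each variable: the box of Section 4.2.

    Perturbation symbols eta_j, when present, are taken within [-1, 1].
    """
    boxes = []
    for rc, rp in zip(C, P):
        acc = (F(0), F(0))
        for i, c in enumerate(rc):
            acc = iadd(acc, scaled(c, phi.get(i, (None, None))))
        for c in rp:
            acc = iadd(acc, scaled(c, (F(-1), F(1))))
        boxes.append(acc)
    return boxes
```

Converting the boxes of Example 4.2.4 and projecting back yields the original boxes, which is the round trip the two conversions above are meant to preserve.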

Order over Constrained Affine Sets

We provide the constrained affine sets with an order relation. Whenever it is satisfied, the order relation should preserve all the information kept in one constrained affine set, so that using the "bigger" one guarantees the safety of all future computations.

4.2.5 Definition. Let $X = (C^X, P^X, \Phi^X)$ and $Y = (C^Y, P^Y, \Phi^Y)$ be two constrained affine sets. We say that X is less than or equal to Y, denoted by $X \sqsubseteq_{1\times 2} Y$, if and only if $\Phi^X_\varepsilon \subseteq \Phi^Y_\varepsilon$ and
$$\forall \omega \in \Phi^X_\varepsilon,\ \forall \zeta^X \in \Phi^X_\eta(\omega),\ \exists \zeta^Y \in \Phi^Y_\eta(\omega),\quad C^X\omega + P^X\zeta^X = C^Y\omega + P^Y\zeta^Y.$$

What the definition says is that for every possible input, encoded by ω, we are able to recover each reached value in X, that is $C^X\omega + P^X\zeta^X$, using the same input ω and a different possible perturbation $\zeta^Y$. Observe that the order requires only the inclusion of the input noise symbols $\Phi^X_\varepsilon \subseteq \Phi^Y_\varepsilon$. This restriction denotes the fact that the input noise symbols are shared between abstract objects (which is not the case of perturbation noise symbols). The order respects this semantics and ensures that the set of values taken by these symbols in Y, that is $\Phi^Y_\varepsilon$, contains the one of X, that is $\Phi^X_\varepsilon$. The binary relation $\sqsubseteq_{1\times 2}$ is a pre-order over $\mathbb{A}_{1\times 2}$.

4.2.6 Proposition. The binary relation $\sqsubseteq_{1\times 2}$ in Definition 4.2.5 is a pre-order. The equivalence relation ∼ ($X \sim Y$ if and only if $X \sqsubseteq_{1\times 2} Y$ and $Y \sqsubseteq_{1\times 2} X$) is characterized by $\Phi^X_\varepsilon = \Phi^Y_\varepsilon$ and $C^X\omega + P^X\Phi^X_\eta(\omega) = C^Y\omega + P^Y\Phi^Y_\eta(\omega)$ for all ω in $\Phi^X_\varepsilon$ (sets equality). For the sake of simplicity, we also denote by $\sqsubseteq_{1\times 2}$ the pre-order $\sqsubseteq_{1\times 2}$ quotiented by its equivalence relation ∼.


Proof. Reflexivity. $X \sqsubseteq_{1\times 2} X$. Indeed $\Phi^X_\varepsilon \subseteq \Phi^X_\varepsilon$, and, for all $\omega \in \Phi^X_\varepsilon$, for all $\zeta^X \in \Phi^X_\eta(\omega)$, we have $C^X\omega + P^X\zeta^X = C^X\omega + P^X\zeta^X$.

Transitivity. $X \sqsubseteq_{1\times 2} Y$ and $Y \sqsubseteq_{1\times 2} Z$ imply $X \sqsubseteq_{1\times 2} Z$. Indeed, $\Phi^X_\varepsilon \subseteq \Phi^Y_\varepsilon$ and $\Phi^Y_\varepsilon \subseteq \Phi^Z_\varepsilon$ imply $\Phi^X_\varepsilon \subseteq \Phi^Z_\varepsilon$. Moreover, for all $\omega \in \Phi^X_\varepsilon$, for all $\zeta^X \in \Phi^X_\eta(\omega)$, there exists $\zeta^Y \in \Phi^Y_\eta(\omega)$ such that $C^X\omega + P^X\zeta^X = C^Y\omega + P^Y\zeta^Y$. For that $\zeta^Y$, there exists $\zeta^Z \in \Phi^Z_\eta(\omega)$ such that $C^Y\omega + P^Y\zeta^Y = C^Z\omega + P^Z\zeta^Z$, which makes $C^X\omega + P^X\zeta^X = C^Z\omega + P^Z\zeta^Z$.

The partial order $\sqsubseteq_{1\times 2}$ is not equivalent to the geometrical order, since our ε noise symbols have a strict semantics that should be respected by the order. The geometrical order is however a necessary (but not sufficient) condition of this order.

4.2.7 Proposition. The concretisation function $\gamma_{1\times 2}$ is a monotonic operator: given two constrained affine sets $X = (C^X, P^X, \Phi^X)$ and $Y = (C^Y, P^Y, \Phi^Y)$, we have
$$X \sqsubseteq_{1\times 2} Y \Longrightarrow \gamma_{1\times 2}(X) \subseteq \gamma_{1\times 2}(Y).$$

Proof. Let x be an element of $\gamma_{1\times 2}(X)$; we prove that $x \in \gamma_{1\times 2}(Y)$ under the hypothesis $X \sqsubseteq_{1\times 2} Y$. Since $x \in \gamma_{1\times 2}(X)$, there exist $\omega \in \Phi^X_\varepsilon$ and $\zeta^X \in \Phi^X_\eta(\omega)$ such that $x = C^X\omega + P^X\zeta^X$. Therefore, there exists $\zeta^Y \in \Phi^Y_\eta(\omega)$ such that $x = C^X\omega + P^X\zeta^X = C^Y\omega + P^Y\zeta^Y \in \gamma_{1\times 2}(Y)$.

For instance, if $\mathbb{A}_2$ is the lattice of intervals, then $X \sqsubseteq_{1\times 2} Y$ if and only if $\Phi^X_\varepsilon \subseteq \Phi^Y_\varepsilon$ and $(C^X - C^Y)\Phi^X_\varepsilon + P^X\Phi^X_\eta \subseteq P^Y\Phi^Y_\eta$. The geometrical order does not imply in general the order $\sqsubseteq_{1\times 2}$. Example 4.2.8 gives a counter example, where $X \not\sqsubseteq_{1\times 2} Y$ and $\gamma_{1\times 2}(X) \subseteq \gamma_{1\times 2}(Y)$.

4.2.8 Example.
$$X = \Big(\begin{pmatrix} 1 & 0 \\ 1 & 0 \end{pmatrix},\ \begin{pmatrix} -0.25 & 1 \\ 0.25 & 0 \end{pmatrix},\ \{1\} \times [-1, 1]^3\Big)$$
$$Y = \Big(\begin{pmatrix} 1 & -0.25 \\ 1 & 0.25 \end{pmatrix},\ \begin{pmatrix} 0.5 & 0.5 \\ -0.5 & 0.5 \end{pmatrix},\ \{1\} \times [-1, 1]^3\Big)$$
Figure 4.3 depicts the zonotopes $\gamma_{1\times 2}(X)$ and $\gamma_{1\times 2}(Y)$; one can see that the inclusion holds. Figure 4.4 depicts the zonotopes $(C^X - C^Y)\Phi^X_\varepsilon + P^X\Phi^X_\eta$ and $P^Y\Phi^Y_\eta$; the former is not included in the latter. That is, there exist $\omega \in \{1\} \times [-1, 1]$ and $\zeta^X \in [-1, 1]^2$ such that for all $\zeta^Y \in [-1, 1]^2$, $C^X\omega + P^X\zeta^X \ne C^Y\omega + P^Y\zeta^Y$. Indeed, every pair $(\omega, \zeta^X)$ that leads to a point outside the lozenge, for instance $\omega = (1, 1)$ and $\zeta^X = (-1, 1)$, violates the needed equality. Hence, according to Definition 4.2.5, $X \not\sqsubseteq_{1\times 2} Y$.

Figure 4.3: $\gamma_{1\times 2}(X) \subseteq \gamma_{1\times 2}(Y)$.

Figure 4.4: $(C^X - C^Y)\Phi^X_\varepsilon + P^X\Phi^X_\eta \not\subseteq P^Y\Phi^Y_\eta$ (lozenge).

So far we have defined a poset $(\mathbb{A}_{1\times 2}, \sqsubseteq_{1\times 2})$, elements of which are given in Definition 4.2.1. The next section focuses on a special case: the abstraction of noise symbols with intervals. This particular case is useful for the join operation over constrained affine sets.

4.3 Special Case: Non Relational Constraints

Throughout this section, $\mathbb{A}_2$ is the lattice of intervals. We first reformulate the partial order (Definition 4.2.5) using the support function (recalled hereafter). Then, we give a special representative of the equivalence classes defined by the ∼ relation, called the symmetric representative. Finally, we discuss the decidability of $\sqsubseteq_{1\times 2}$. These definitions and reformulations are the basic ingredients needed to define and compute join operators over constrained affine sets (CAS).

Partial Order and Support Function

We first reformulate the partial order $\sqsubseteq_{1\times 2}$ over CAS (Definition 4.2.5), transforming the sets inclusion into a function comparison, namely a comparison of the support functions of convex sets (see hereafter Definition 4.3.1).

This classical convex function offers a suitable and powerful tool for the upcoming computations.

4.3.1 Definition (The support function). Let C be a non-empty convex set of $\mathbb{R}^n$ and let t be an element of $\mathbb{R}^n$. Then $\delta : \mathbb{R}^n \to \mathbb{R}$ is defined by
$$\delta(t \mid C) \overset{\mathrm{def}}{=} \sup\{\langle t, x \rangle \mid x \in C\},$$
where $\langle \cdot, \cdot \rangle$ denotes the usual scalar product over $\mathbb{R}^n$.

The inclusion of two convex sets is equivalent to the comparison of the support functions related to these convex sets [Roc70, Corollary 13.1.1].

4.3.2 Proposition. For closed convex sets $C_1$ and $C_2$ in $\mathbb{R}^n$, one has $C_1 \subseteq C_2$ if and only if $\delta(\cdot \mid C_1) \le \delta(\cdot \mid C_2)$.

In general, given two CAS, the cardinality of the perturbation symbols is not necessarily the same. Nevertheless, we can suppose that it is always the case, without loss of generality, by completing either $P^X$ or $P^Y$ with null columns. Let m denote this cardinality.

For a given CAS X, the sets $\Phi^X_\varepsilon$ and $\Phi^X_\eta$ are now two hypercubes. Moreover, the set $\Phi^X_\eta(\omega)$, for a given ω in $\Phi^X_\varepsilon$, is independent from ω and is equal to $\Phi^X_\eta$ for all ω. Thus, the concretisation function $\gamma_{1\times 2}$ (see Definition 4.2.2) of a CAS X can be seen as the Minkowski sum of two sets, namely $C^X\Phi^X_\varepsilon$ and $P^X\Phi^X_\eta$.

The order $\sqsubseteq_{1\times 2}$ can be stated with respect to the support function.

4.3.3 Lemma. Given two CAS X and Y, we have $X \sqsubseteq_{1\times 2} Y$ if and only if $\Phi^X_\varepsilon \subseteq \Phi^Y_\varepsilon$ and
$$\forall t \in \mathbb{R}^p,\quad \delta(t \mid (C^X - C^Y)\Phi^X_\varepsilon) \le \delta(t \mid P^Y\Phi^Y_\eta) - \delta(t \mid P^X\Phi^X_\eta).$$

Proof. All we need to prove is the fact that the inequality written using the support function is equivalent to the sets inclusion
$$\forall \omega \in \Phi^X_\varepsilon,\quad C^X\omega + P^X\Phi^X_\eta \subseteq C^Y\omega + P^Y\Phi^Y_\eta,$$
given by the definition of the order (Definition 4.2.5). Using Proposition 4.3.2, for a fixed $\omega \in \Phi^X_\varepsilon$, the sets inclusion is equivalent to
$$\forall t \in \mathbb{R}^p,\quad \delta(t \mid C^X\omega + P^X\Phi^X_\eta) \le \delta(t \mid C^Y\omega + P^Y\Phi^Y_\eta).$$
However, the support function of the Minkowski sum of two sets is equal to the sum of the support functions over each set (see Remark 2 of the Appendix), thus
$$\delta(t \mid C^X\omega + P^X\Phi^X_\eta) = \delta(t \mid C^X\omega) + \delta(t \mid P^X\Phi^X_\eta) = \langle t, C^X\omega \rangle + \delta(t \mid P^X\Phi^X_\eta).$$
This makes
$$\forall t \in \mathbb{R}^p,\quad \langle t, C^X\omega \rangle + \delta(t \mid P^X\Phi^X_\eta) \le \langle t, C^Y\omega \rangle + \delta(t \mid P^Y\Phi^Y_\eta),$$
or equivalently
$$\forall t \in \mathbb{R}^p,\quad \langle t, (C^X - C^Y)\omega \rangle \le \delta(t \mid P^Y\Phi^Y_\eta) - \delta(t \mid P^X\Phi^X_\eta).$$
The above inequality is satisfied for all $\omega \in \Phi^X_\varepsilon$; then, by definition of the support function,
$$\forall t \in \mathbb{R}^p,\quad \delta(t \mid (C^X - C^Y)\Phi^X_\varepsilon) \le \delta(t \mid P^Y\Phi^Y_\eta) - \delta(t \mid P^X\Phi^X_\eta),$$
which ends the proof.

Symmetric Representative

The formulation of the order using the support function allows a characterization of a particular representative of the equivalence class of a given constrained affine set.

We bind each perturbation noise symbol to a coordinate and consider, as said earlier, that all CAS have the same number of perturbation noise symbols m. Let $X = (C^X, P^X, \Phi^X)$ and $Y = (C^Y, P^Y, \Phi^Y)$ be two CAS, and let $(A^X, b^X)$ (resp. $(A^Y, b^Y)$) be the affine map that transforms the unit ball with respect to the uniform norm of dimension m, B, into $\Phi^X_\eta$ (resp. $\Phi^Y_\eta$). Such a map is in fact unique up to the permutation of the columns of matrices $A^X$ and $A^Y$.

4.3.4 Definition (Symmetric Representative). Let $X = (C^X, P^X, \Phi^X)$ be a CAS. The symmetric representative of X is defined by
$$(C, P, \Phi) \overset{\mathrm{def}}{=} \Big(\big((b^X + C^X_{(\cdot,0)})\ \ C^X_{(\cdot,1)}\ \ \dots\ \ C^X_{(\cdot,n)}\big),\ P^XA^X,\ \Phi^X_\varepsilon \times B\Big).$$
The first column of matrix C is the sum of vector $b^X$ and the first column of matrix $C^X$. The remaining columns of C are equal to the ones of $C^X$. Matrix P is the product of matrices $P^X$ and $A^X$. The intervals of the perturbation noise symbols are all set to [−1, 1].

The proposition below characterizes the equivalence classes related to the binary relation ∼.

4.3.5 Proposition. Let $X = (C^X, P^X, \Phi^X)$ and $Y = (C^Y, P^Y, \Phi^Y)$ be two CAS, and let $(A^X, b^X)$ (resp. $(A^Y, b^Y)$) be the affine map that transforms the unit ball with respect to the uniform norm, B, into $\Phi^X_\eta$ (resp. $\Phi^Y_\eta$). If:
$$\Phi^X_\varepsilon = \Phi^Y_\varepsilon \quad \text{(sets equality)},$$
$$C^X_{i,j} = C^Y_{i,j},\quad 1 \le i \le p,\ 1 \le j \le n,$$
$$b^X + L^{C^X}_0 = b^Y + L^{C^Y}_0,$$
$$P^XA^XB = P^YA^YB \quad \text{(sets equality)},$$
then $X \sim Y$.

Proof. We prove that $X \sqsubseteq_{1\times 2} Y$ and $Y \sqsubseteq_{1\times 2} X$. Let $t \in \mathbb{R}^p$. By definition of $C^X$ and $C^Y$, matrix $C^X - C^Y$ is null everywhere except its first column, which is equal to $P^Yb^Y - P^Xb^X$. Therefore, $(C^X - C^Y)\Phi^X_\varepsilon = \{P^Yb^Y - P^Xb^X\}$ (recall that $\varepsilon_0 = 1$). We then have
$$\delta(t \mid (C^X - C^Y)\Phi^X_\varepsilon) = \langle P^Yb^Y - P^Xb^X, t \rangle.$$
On the other hand, by hypothesis, $(A^X, b^X)$ transforms the unit ball B into $\Phi^X_\eta$, which gives $\Phi^X_\eta = b^X + A^XB$. Similarly, $\Phi^Y_\eta = b^Y + A^YB$. Therefore,
$$\delta(t \mid P^X\Phi^X_\eta) = \langle P^Xb^X, t \rangle + \delta(t \mid P^XA^XB),$$
$$\delta(t \mid P^Y\Phi^Y_\eta) = \langle P^Yb^Y, t \rangle + \delta(t \mid P^YA^YB).$$
We have $P^XA^XB = P^YA^YB$, thus $\delta(t \mid P^XA^XB) = \delta(t \mid P^YA^YB)$. Now,
$$\begin{aligned} \delta(t \mid (C^X - C^Y)\Phi_\varepsilon) &= \langle P^Yb^Y - P^Xb^X, t \rangle \\ &= \langle P^Yb^Y, t \rangle - \langle P^Xb^X, t \rangle \\ &= \delta(t \mid P^Y\Phi^Y_\eta) - \delta(t \mid P^X\Phi^X_\eta). \end{aligned}$$
The equality
$$\delta(t \mid (C^X - C^Y)\Phi_\varepsilon) = \delta(t \mid P^Y\Phi^Y_\eta) - \delta(t \mid P^X\Phi^X_\eta),$$
together with $\Phi^X_\varepsilon = \Phi^Y_\varepsilon$, makes $X \sqsubseteq_{1\times 2} Y$ and $Y \sqsubseteq_{1\times 2} X$. Thus, $X \sim Y$.

Using this equivalence, we prove the equivalence of a given constrained affine set X and its particular representative introduced in Definition 4.3.4. This representative is convenient as its perturbation set is a symmetric convex set ($C = -C$).

4.3.6 Corollary. Let $X = (C^X, P^X, \Phi^X)$ be a CAS and let Y denote its symmetric representative as defined in Definition 4.3.4; then $X \sim Y$.

Proof. We check that the CAS X and its symmetric representative Y satisfy Proposition 4.3.5. Indeed, $\Phi^X_\varepsilon = \Phi^Y_\varepsilon$, and by definition of Y,
$$P^Y = P^XA^X \tag{4.3.1}$$
$$\Phi^Y_\eta = B \tag{4.3.2}$$
$$L^{C^Y}_0 = b^X + L^{C^X}_0 \tag{4.3.3}$$
$$C^X_{i,j} = C^Y_{i,j},\quad 1 \le i \le p,\ 1 \le j \le n. \tag{4.3.4}$$
It remains to check that i) $b^Y + L^{C^Y}_0 = b^X + L^{C^X}_0$ and ii) $P^XA^XB = P^YA^YB$. We start with i). Equation (4.3.2) makes $b^Y = 0$ and $A^Y$ equal to the identity matrix. Since $b^Y = 0$, and using equation (4.3.3), we obtain
$$b^Y + L^{C^Y}_0 = 0 + b^X + L^{C^X}_0 = b^X + L^{C^X}_0.$$
We now check ii). By equation (4.3.1), and using again the fact that $b^Y = 0$ and $A^Y$ is the identity matrix, we obtain
$$P^XA^XB = P^YB = P^YA^YB.$$

If not mentioned otherwise, any CAS is represented by its related symmetric representative. As the boxes of all perturbation noise symbols are equal to [−1, 1], we use $\Phi^X_\varepsilon$ instead of $\Phi^X$. Notice that, using the formulation of the order with symmetric representatives, both $C^X - C^Y$ and $C^Y - C^X$ can be used indifferently. Moreover, the set $\Phi^X_\varepsilon$ can be extended, without loss of generality, to the convex combination of the boxes $\Phi^X_\varepsilon$ and $-\Phi^X_\varepsilon$, which is a symmetric convex set, namely an origin-centered zonotope.

We introduce the primitive $\mathrm{bound}_2 : \mathbb{A}_1 \times \mathbb{A}_2 \to \mathbb{I}$, which bounds the expression (given in its first argument) with respect to the abstract object Φ (given in its second argument). Such a primitive is usually provided in numerical abstract domains, at least whenever the expression to be bounded is linear.

4.3.7 Proposition. Let $X = (C^X, P^X, \Phi^X_\varepsilon)$ and $Y = (C^Y, P^Y, \Phi^Y_\varepsilon)$ be two CAS (in their symmetric representations). Let n denote the number of input noise symbols, and $\varepsilon^X_j = \mathrm{bound}_2(\varepsilon_j, \Phi^X_\varepsilon)$; then $X \sqsubseteq_{1\times 2} Y$ if and only if $\Phi^X_\varepsilon \subseteq \Phi^Y_\varepsilon$ and
$$\forall t \in \mathbb{R}^p,\quad \delta(t \mid (C^X - C^Y)M^{X\,T}B) \le \delta(t \mid P^YB) - \delta(t \mid P^XB),$$
where the square matrix $M^X$ of dimension $(n+1) \times (n+1)$ is defined by
$$\forall i, j \in \{1, \dots, n+1\},\quad M^X_{ij} = \begin{cases} 1 & \text{if } i = j = 1, \\ \mathrm{mid}(\varepsilon^X_j) & \text{if } i = 1 \text{ and } 1 < j \le n + 1, \\ \mathrm{dev}(\varepsilon^X_j) & \text{if } 1 < i, j \le n + 1,\ i = j \text{ and } \mathrm{dev}(\varepsilon^X_j) \ne 0, \\ 0 & \text{otherwise.} \end{cases}$$
In words, the upper left corner of $M^X$ is 1, the centers of the intervals $\varepsilon^X_j$ are on the first line, and their deviations on the diagonal of $M^X$.

Proof. Let $X = (C^X, P^X, \Phi^X_\varepsilon)$ and $Y = (C^Y, P^Y, \Phi^Y_\varepsilon)$ be two CAS such that $X \sqsubseteq_{1\times 2} Y$. According to the definition of the order and the definition of the symmetric representative, one has for all $t \in \mathbb{R}^p$
$$\delta(t \mid (C^X - C^Y)\Phi^X_\varepsilon) \le \delta(t \mid P^YB) - \delta(t \mid P^XB),$$
which gives for $-t$
$$\delta(-t \mid (C^X - C^Y)\Phi^X_\varepsilon) \le \delta(-t \mid P^YB) - \delta(-t \mid P^XB),$$
or equivalently
$$\delta(t \mid (C^Y - C^X)\Phi^X_\varepsilon) \le \delta(t \mid -P^YB) - \delta(t \mid -P^XB).$$
The sets $P^XB$ and $P^YB$ are symmetric, thus $-P^XB = P^XB$ and similarly $-P^YB = P^YB$. Therefore,
$$\delta(t \mid (C^Y - C^X)\Phi^X_\varepsilon) \le \delta(t \mid P^YB) - \delta(t \mid P^XB).$$
Now, if $(\varepsilon_0, \dots, \varepsilon_n) \in \Phi^X_\varepsilon \subset \{1\} \times \mathbb{R}^n$, we want to prove that the inequality
$$\delta(t \mid (C^X - C^Y)\Phi^X_\varepsilon) \le \delta(t \mid P^YB) - \delta(t \mid P^XB)$$
remains valid if $\varepsilon_0$ lies within [−1, 1] instead of being constrained to be equal to 1.

Suppose that the set obtained when we consider $\varepsilon_0$ to be within [−1, 1] is exactly the convex combination of $(C^X - C^Y)\Phi^X_\varepsilon$ and $(C^Y - C^X)\Phi^X_\varepsilon$ (by definition, the convex combination of two sets $C_1$ and $C_2$ is the set $\lambda C_1 + (1 - \lambda)C_2$, where λ ranges over [0, 1]); then the result is immediate by summing up the two inequalities
$$\delta(t \mid \lambda(C^X - C^Y)\Phi^X_\varepsilon) \le \lambda\big(\delta(t \mid P^YB) - \delta(t \mid P^XB)\big)$$
$$\delta(t \mid (1 - \lambda)(C^Y - C^X)\Phi^X_\varepsilon) \le (1 - \lambda)\big(\delta(t \mid P^YB) - \delta(t \mid P^XB)\big)$$
Now let us prove that the convex combination of $(C^X - C^Y)\Phi^X_\varepsilon$ and $(C^Y - C^X)\Phi^X_\varepsilon$ is the set obtained when we consider $\varepsilon_0$ to be within [−1, 1]. By definition the convex combination of $(C^X - C^Y)\Phi^X_\varepsilon$ and $(C^Y - C^X)\Phi^X_\varepsilon$ is equal to $\lambda(C^X - C^Y)\Phi^X_\varepsilon + (1 - \lambda)(C^Y - C^X)\Phi^X_\varepsilon$, where λ ranges over [0, 1]. Let $g_0$ and $(g_1, \dots, g_n)$ be respectively the center and the generators' list of the zonotope $(C^X - C^Y)\Phi^X_\varepsilon$:
$$(C^X - C^Y)\Phi^X_\varepsilon = \Big\{g_0 + \sum_{i=1}^{n} g_i\mu_i \ \Big|\ \forall i,\ \mu_i \in [-1, 1]\Big\}$$
Therefore, $-g_0$ and $(g_1, \dots, g_n)$ are respectively the center and the generators' list of the zonotope $(C^Y - C^X)\Phi^X_\varepsilon$. We then deduce that 0 and $(g_0, g_1, \dots, g_n)$ are respectively the center and the generators' list of the convex combination of $(C^X - C^Y)\Phi^X_\varepsilon$ and $(C^Y - C^X)\Phi^X_\varepsilon$. Indeed, any element of such a convex combination can be written as $\lambda u + (1 - \lambda)v$, where $\lambda \in [0, 1]$, $u = g_0 + \sum_{i=1}^{n} g_i\mu^u_i$ and $v = -g_0 + \sum_{i=1}^{n} g_i\mu^v_i$, $\mu^u_i, \mu^v_i \in [-1, 1]$. Thus, $\lambda u + (1 - \lambda)v = (-1 + 2\lambda)g_0 + \sum_{i=1}^{n} g_i(\lambda\mu^u_i + (1 - \lambda)\mu^v_i)$, where $(-1 + 2\lambda) \in [-1, 1]$ and for all i, $(\lambda\mu^u_i + (1 - \lambda)\mu^v_i) \in [-1, 1]$.

The zonotope spanned by $(g_0, g_1, \dots, g_n)$ (which is a symmetric convex set) is the one obtained by $M^{X\,T}B$. Indeed, the first generator $g_0$ is defined by $(1, \mathrm{mid}(\varepsilon^X_1), \dots, \mathrm{mid}(\varepsilon^X_n))^T$, and the other generators $g_i$, $1 \le i \le n$, are defined by $(0, \dots, \mathrm{dev}(\varepsilon^X_i), \dots)^T$. Therefore,
$$\delta(t \mid (C^X - C^Y)M^{X\,T}B) \le \delta(t \mid P^YB) - \delta(t \mid P^XB).$$
The final step, that is moving matrix $M^X$ from "right to left" in the support function by applying the transpose operator (one has $(M^{X\,T})^T = M^X$), is a direct consequence of Proposition A.0.5.

4.3.8 Example. If $\Phi^X_\varepsilon = \{1\} \times [-1, 0] \times [0, 0.5]$ (n = 2), then
$$M^X = \begin{pmatrix} 1 & -0.5 & 0.25 \\ 0 & 0.5 & 0 \\ 0 & 0 & 0.25 \end{pmatrix}$$

The convex combination of $\Phi^X_\varepsilon$ and $-\Phi^X_\varepsilon$ is indeed equal to $M^{X\,T}B$ (of dimension 3).

Decidability

To decide whether X is less than or equal to Y, using Lemma 4.3.3, it is necessary and sufficient to check the inclusion of $\Phi^X_\varepsilon$ in $\Phi^Y_\varepsilon$, as well as the inclusion of two sets, namely $(C^X - C^Y)\Phi^X_\varepsilon + P^X\Phi^X_\eta$ and $P^Y\Phi^Y_\eta$. The former inclusion is straightforward: it consists in checking the inclusion of n intervals, where n denotes the number of input noise symbols in use.

The latter involves the inclusion of two zonotopes, since the Minkowski sum of two zonotopes is a zonotope. The generators of the resulting zonotope are simply the union of the generators of its two operands.

4.3.9 Theorem. The partial order $\sqsubseteq_{1\times 2}$ is decidable, with a complexity bounded by $O(2^{n+2m}\,\mathcal{C})$, where $\mathcal{C}$ denotes the complexity of solving a linear program of p variables and (n + 2m) constraints (each LP can be solved in $O(p^{3.5}L)$ using interior point methods [Kar84], where L denotes the bit length of the input data).

Proof. We would like to decide the inclusion of two zonotopes, namely $(C^X - C^Y)\Phi^X_\varepsilon + P^X\Phi^X_\eta$ and $P^Y\Phi^Y_\eta$. Let us denote by $Z_1$ the former zonotope and by $Z_2$ the latter one. The zonotopes $Z_1$ and $Z_2$ are spanned by $n_1 = n + m$ and $n_2 = m$ generators respectively. The problem of the inclusion $Z_1 \subseteq Z_2$ can be stated using the support function as follows:
$$Z_1 \subseteq Z_2 \iff \forall t \in \mathbb{R}^p,\ \delta(t \mid Z_1) \le \delta(t \mid Z_2).$$
Let $(A_1, b_1)$ (resp. $(A_2, b_2)$) be the affine map that transforms the unit ball B into $Z_1$ (resp. $Z_2$). We then have to decide, for all t, whether
$$\langle b_1, t \rangle + \delta(A_1^Tt \mid B) \le \langle b_2, t \rangle + \delta(A_2^Tt \mid B),$$
or equivalently
$$\langle b_1 - b_2, t \rangle + \|A_1^Tt\|_1 - \|A_2^Tt\|_1 \le 0.$$
Each line of $A_1^T$ (resp. $A_2^T$), which is a generator of $Z_1$ (resp. $Z_2$), defines a hyperplane that contains the origin. We then have a partition of the space $\mathbb{R}^p$ with $n_1 + n_2 = n + 2m$ hyperplanes containing the origin. (The generators of the two zonotopes $Z_1$ and $Z_2$ are exactly the normal vectors to these hyperplanes.) The worst number of cells in such an arrangement is $2^{n_1+n_2}$. Each cell is a polyhedron $P_i$, $1 \le i \le 2^{n_1+n_2}$, on which the function $\langle b_1 - b_2, t \rangle + \|A_1^Tt\|_1 - \|A_2^Tt\|_1$ is perfectly linear. We solve the following LP:
$$\max\ \langle b_1 - b_2, t \rangle + \|A_1^Tt\|_1 - \|A_2^Tt\|_1 \quad \text{s.t. } t \in P_i$$
If for each LP the objective value is less than or equal to zero, then the inclusion holds. Else, the procedure terminates immediately, returning "false".

The best-case complexity is that of solving exactly one LP. The worst-case complexity is the one given in Theorem 4.3.9; this bound is reached whenever the inclusion holds.

In static analysis by abstract interpretation, whenever we have a loop, for each iteration in the abstract domain we have to compare two abstract objects. Fortunately, the worst-case complexity holds only once, that is when a fixpoint is reached (which ends the analysis of the loop).
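As an added example (not the thesis's code), the decision procedure above specialized to p = 2 in Python, applied to Example 4.2.8 and to the matrix $M^X$ of Example 4.3.8: in the plane the cells $P_i$ are angular sectors, and the maximum of a linear function over a sector is non-positive exactly when it is non-positive on the sector's bounding rays, so the family of LPs collapses to evaluating the support functions on finitely many rays. All CAS are assumed to be in their symmetric representation; the zonotope encoding and the function names are this example's own.

```python
from fractions import Fraction as F

# Added example, not the thesis's code. Matrices are lists of rows of
# Fractions; a zonotope is (center, [generators]) and stands for
# center + sum_i g_i [-1, 1]. All CAS are taken in their symmetric
# representation (Definition 4.3.4), so Phi_eta = B = [-1, 1]^m, and a CAS
# is the triple (C, P, phi_eps) with phi_eps the boxes of eps_1 .. eps_n.

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def col(M, j):
    return tuple(row[j] for row in M)

def matmul(A, B):
    return [[dot(row, col(B, j)) for j in range(len(B[0]))] for row in A]

def transpose(M):
    return [list(col(M, j)) for j in range(len(M[0]))]

def support(t, z):
    """delta(t | center + sum g_i [-1,1]) = <center, t> + sum_i |<g_i, t>|."""
    center, gens = z
    return dot(t, center) + sum(abs(dot(t, g)) for g in gens)

def included_2d(z1, z2):
    """Decide Z1 ⊆ Z2 for zonotopes of R^2 (p = 2) through Proposition 4.3.2.

    f(t) = delta(t|Z1) - delta(t|Z2) is positively homogeneous and linear on
    each sector cut out by the lines <g, t> = 0, one per generator g. The LP
    of Theorem 4.3.9 over a sector has a non-positive optimum iff f <= 0 on
    the rays that generate the sector, so evaluating f on ±(-g_y, g_x) and
    ±g for every generator (plus the axes, covering the degenerate cases of
    zero or one generator) decides the inclusion without an LP solver.
    """
    rays = {(F(1), F(0)), (F(-1), F(0)), (F(0), F(1)), (F(0), F(-1))}
    for gx, gy in z1[1] + z2[1]:
        if gx != 0 or gy != 0:
            rays.update([(gx, gy), (-gx, -gy), (-gy, gx), (gy, -gx)])
    return all(support(t, z1) <= support(t, z2) for t in rays)

def mx_matrix(phi_eps):
    """M^X of Proposition 4.3.7 from the boxes of eps_1 .. eps_n."""
    n = len(phi_eps)
    M = [[F(0)] * (n + 1) for _ in range(n + 1)]
    M[0][0] = F(1)
    for j, (lo, hi) in enumerate(phi_eps, start=1):
        M[0][j] = (F(lo) + F(hi)) / 2       # mid(eps_j) on the first line
        M[j][j] = (F(hi) - F(lo)) / 2       # dev(eps_j) on the diagonal
    return M

def gamma(C, P, phi_eps):
    """gamma_{1x2}(X) as a zonotope: eps_0 = 1, eps_i and eta_j in their boxes."""
    CM = matmul(C, transpose(mx_matrix(phi_eps)))   # C M^T maps B onto C Phi_eps
    gens = [col(CM, j) for j in range(1, len(CM[0]))]
    gens += [col(P, j) for j in range(len(P[0]))]
    return col(CM, 0), gens

def point(C, P, eps, eta):
    """C eps + P eta for concrete noise-symbol values (eps includes eps_0 = 1)."""
    return tuple(dot(rc, eps) + dot(rp, eta) for rc, rp in zip(C, P))

def order_le(X, Y):
    """X ⊑_{1x2} Y per Proposition 4.3.7, for p = 2."""
    CX, PX, phiX = X
    CY, PY, phiY = Y
    # 1. box inclusion Phi^X_eps ⊆ Phi^Y_eps, one interval per input symbol
    if any(lx < ly or hx > hy for (lx, hx), (ly, hy) in zip(phiX, phiY)):
        return False
    # 2. delta(t | (C^X - C^Y) M^T B) <= delta(t | P^Y B) - delta(t | P^X B),
    #    i.e. the zonotope (C^X - C^Y) M^T B + P^X B is included in P^Y B
    D = [[a - b for a, b in zip(rx, ry)] for rx, ry in zip(CX, CY)]
    DM = matmul(D, transpose(mx_matrix(phiX)))
    zero = (F(0),) * len(CX)
    Z1 = (zero, [col(DM, j) for j in range(len(DM[0]))]
                + [col(PX, j) for j in range(len(PX[0]))])
    Z2 = (zero, [col(PY, j) for j in range(len(PY[0]))])
    return included_2d(Z1, Z2)

# Example 4.2.8 (values from the thesis): Phi = {1} x [-1,1]^3, so n = 1, m = 2
CX_428 = [[F(1), F(0)], [F(1), F(0)]]
PX_428 = [[F(-1, 4), F(1)], [F(1, 4), F(0)]]
CY_428 = [[F(1), F(-1, 4)], [F(1), F(1, 4)]]
PY_428 = [[F(1, 2), F(1, 2)], [F(-1, 2), F(1, 2)]]
X_428 = (CX_428, PX_428, [(F(-1), F(1))])
Y_428 = (CY_428, PY_428, [(F(-1), F(1))])
```

On Example 4.2.8 the geometric inclusion of the concretisations holds while the order test fails, and the witness $\omega = (1, 1)$, $\zeta^X = (-1, 1)$ of the text evaluates to the point (2.25, 0.75) outside the lozenge.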


CHAPTER 5
Assignment and Interpretation of Tests

We define the arithmetic over constrained affine forms and explain how we retrieve the available information encoded by the noise symbols abstract object in order to improve the evaluation of the expressions, both linear and non-linear. On the other hand, we formalize the interpretation of tests, a key feature of our abstract domain: tests are projected onto the noise symbols world as constraints, then interpreted using the abstract transfer functions of the noise symbols domain.

Contents Section 5.1 focuses on abstract assignment over constrained affine sets. Section 5.2 handles the abstraction of the test statements: equality tests, Section 5.2, and inequality tests, Section 5.2.

5.1 Abstract Assignment

We extend the set of variables $\mathcal{V}$ with the special variable $v_0 = 1$ to encode constants. The abstract set of environments $\Sigma^\sharp : \wp(\mathcal{V}) \to \mathcal{A}_{1\times 2}$ maps a subset of variables to $X \in \mathcal{A}_{1\times 2}$. For the sake of simplicity, we always abstract the set of all variables. Thus, any $\sigma^\sharp \in \Sigma^\sharp$ maps $\mathcal{V}$ to an object of $\mathcal{A}_{1\times 2}$. So, one can simply consider $\mathcal{A}_{1\times 2}$ instead of its lifted abstract domain $\Sigma^\sharp : \mathcal{V} \to \mathcal{A}_{1\times 2}$.

We denote by $L^M_i$ the $i$th line of matrix $M$. The semantics of the assignment function is defined by:
\[
\llbracket v_k \leftarrow e \rrbracket^\sharp (C, P, \Phi) \triangleq (C', P', \Phi'),
\]
where $\forall i \ne k$, $L^{C'}_i = L^{C}_i$, $L^{P'}_i = L^{P}_i$; $\forall i$, $0 \le i \le n$, $C'_{k,i} = \alpha^e_i$; $\forall j$, $1 \le j \le m$, $P'_{k,j} = \beta^e_j$; and
\[
\Big( \sum_{i=0}^{n} \alpha^e_i \varepsilon_i + \sum_{j=1}^{m} \beta^e_j \eta_j,\ \Phi' \Big) \triangleq \llbracket e \rrbracket^\sharp (C, P, \Phi).
\]

Only the $k$th line of matrices $C$ and $P$ is updated after the assignment of the expression $e$ to the variable $v_k$. The new coefficients of the $k$th line, that is $\alpha^e_i$, $0 \le i \le n$, and $\beta^e_j$, $1 \le j \le m$, come from the evaluation of the expression $e$ with respect to the abstract object $(C, P, \Phi)$. The semantics of the evaluation of an expression $e \in expr$ is given by:
\[
\forall e \in expr,\quad \llbracket e \rrbracket^\sharp : \mathcal{A}_{1\times 2} \to \mathcal{A}_1 \times \mathcal{A}_2
\]
\[
\llbracket v_k \rrbracket^\sharp (C, P, \Phi) \triangleq \Big( \sum_{i=0}^{n} C_{k,i}\,\varepsilon_i + \sum_{j=1}^{m} P_{k,j}\,\eta_j,\ \Phi \Big)
\]
\[
\llbracket [a, b] \rrbracket^\sharp (C, P, \Phi) \triangleq
\begin{cases}
\big( \tfrac{a+b}{2} + \tfrac{b-a}{2}\varepsilon_f,\ \llbracket -1 \le \varepsilon_f \le 1 \rrbracket^\sharp_2 \llbracket \mathrm{add}\ \varepsilon_f \rrbracket^\sharp_2 \Phi \big), & \text{if } -\infty < a \le b < +\infty, \\
\big( \varepsilon_f,\ \llbracket \varepsilon_f \le b \rrbracket^\sharp_2 \llbracket \mathrm{add}\ \varepsilon_f \rrbracket^\sharp_2 \Phi \big), & \text{if } -\infty = a, \\
\big( \varepsilon_f,\ \llbracket a \le \varepsilon_f \rrbracket^\sharp_2 \llbracket \mathrm{add}\ \varepsilon_f \rrbracket^\sharp_2 \Phi \big), & \text{if } +\infty = b
\end{cases}
\]
\[
\llbracket e_1 \diamond e_2 \rrbracket^\sharp (C, P, \Phi) \triangleq \llbracket e_1 \rrbracket^\sharp (C, P, \Phi) \diamond \llbracket e_2 \rrbracket^\sharp (C, P, \Phi),
\quad \text{where } \diamond \in \{+_{1\times 2}, -_{1\times 2}, \times_{1\times 2}, \div_{1\times 2}\}
\]
\[
\llbracket \sqrt{e} \rrbracket^\sharp (C, P, \Phi) \triangleq \sqrt{\ }_{1\times 2}\ \llbracket e \rrbracket^\sharp (C, P, \Phi)
\]

Notice that the evaluation of an expression is by definition with respect to the same abstract object $(C, P, \Phi)$. Therefore, all noise symbols (input and perturbation) are shared between the involved operands.

The abstract operator $\llbracket \mathrm{add}\ \varepsilon_f \rrbracket^\sharp_2 : \mathcal{A}_2 \to \mathcal{A}_2$ formalizes the addition of a fresh noise symbol $\varepsilon_f$ to the abstract object $\Phi$. Here we add a new input noise symbol $\varepsilon_f$; however, the operator could be used to add a fresh perturbation noise symbol $\eta_f$ as well. (From the point of view of $\mathcal{A}_2$, all noise symbols are variables and there is no difference between them any more.)

Let $x = \sum_{i=0}^{n} \alpha^x_i \varepsilon_i + \sum_{j=1}^{m} \beta^x_j \eta_j$ and $y = \sum_{i=0}^{n} \alpha^y_i \varepsilon_i + \sum_{j=1}^{m} \beta^y_j \eta_j$ be two elements of $\mathcal{A}_1$, and $\Phi$ an element of $\mathcal{A}_2$. The linear operations $\{+_{1\times 2}, -_{1\times 2}\}$ are defined by their related operations in affine arithmetic. The abstract element $\Phi$ is unused and remains unchanged:
\[
(x, \Phi) +_{1\times 2} (y, \Phi) \triangleq \Big( \sum_{i=0}^{n} (\alpha^x_i + \alpha^y_i)\,\varepsilon_i + \sum_{j=1}^{m} (\beta^x_j + \beta^y_j)\,\eta_j,\ \Phi \Big),
\]
\[
(x, \Phi) -_{1\times 2} (y, \Phi) \triangleq \Big( \sum_{i=0}^{n} (\alpha^x_i - \alpha^y_i)\,\varepsilon_i + \sum_{j=1}^{m} (\beta^x_j - \beta^y_j)\,\eta_j,\ \Phi \Big) .
\]
The scalar multiplication operation is defined by
\[
\lambda \cdot_{1\times 2} (x, \Phi) \triangleq \Big( \sum_{i=0}^{n} (\lambda \alpha^x_i)\,\varepsilon_i + \sum_{j=1}^{m} (\lambda \beta^x_j)\,\eta_j,\ \Phi \Big) .
\]

5.1.1 Proposition. The assignment of a linear expression is monotonic.

Proof. Given two constrained affine sets $X$ and $Y$ such that $X \le_{1\times 2} Y$, we prove that $\llbracket v_k \leftarrow v_i + v_j \rrbracket^\sharp X \le_{1\times 2} \llbracket v_k \leftarrow v_i + v_j \rrbracket^\sharp Y$. Let $A = \llbracket v_k \leftarrow v_i + v_j \rrbracket^\sharp X$ and $B = \llbracket v_k \leftarrow v_i + v_j \rrbracket^\sharp Y$. The abstract objects $\Phi^X$ and $\Phi^Y$ are unchanged, thus $\Phi^A = \Phi^X$ and $\Phi^B = \Phi^Y$, and the condition $\Phi^A_\varepsilon \subseteq \Phi^B_\varepsilon$ holds. Let $\omega \in \Phi^X_\varepsilon$ and let $\eta^X_\omega \in \Phi^X_\eta(\omega)$. Since $X \le_{1\times 2} Y$, there exists $\eta^Y_\omega \in \Phi^Y_\eta(\omega)$ such that
\[
C^X \omega + P^X \eta^X_\omega = C^Y \omega + P^Y \eta^Y_\omega ,
\]
thus
\[
\langle L^{C^X}_i, \omega \rangle + \langle L^{P^X}_i, \eta^X_\omega \rangle = \langle L^{C^Y}_i, \omega \rangle + \langle L^{P^Y}_i, \eta^Y_\omega \rangle,
\]
\[
\langle L^{C^X}_j, \omega \rangle + \langle L^{P^X}_j, \eta^X_\omega \rangle = \langle L^{C^Y}_j, \omega \rangle + \langle L^{P^Y}_j, \eta^Y_\omega \rangle .
\]
We prove that $C^A \omega + P^A \eta^X_\omega = C^B \omega + P^B \eta^Y_\omega$. Matrix $C^A$ (resp. $P^A$) is equal to matrix $C^X$ (resp. $P^X$) except for the $k$th line. Likewise the matrices $C^B$ and $P^B$ are equal everywhere to $C^Y$ and $P^Y$ respectively except for the $k$th line. For the $k$th line we have
\[
L^{C^A}_k = L^{C^X}_i + L^{C^X}_j, \qquad L^{P^A}_k = L^{P^X}_i + L^{P^X}_j,
\]
\[
L^{C^B}_k = L^{C^Y}_i + L^{C^Y}_j, \qquad L^{P^B}_k = L^{P^Y}_i + L^{P^Y}_j .
\]
Therefore,
\[
\langle L^{C^A}_k, \omega \rangle + \langle L^{P^A}_k, \eta^X_\omega \rangle = \langle L^{C^B}_k, \omega \rangle + \langle L^{P^B}_k, \eta^Y_\omega \rangle .
\]

The operations $-_{1\times 2}$ and $\cdot_{1\times 2}$ can be proved monotonic in a similar manner. Any linear expression can be seen as a composition of these basic operations, and the composition of monotonic operations is monotonic.

Non-linear binary operations $\{\times_{1\times 2}, \div_{1\times 2}\}$ and the unary operation $\{\sqrt{\ }_{1\times 2}\}$ benefit from both abstract domains $\mathcal{A}_1$ and $\mathcal{A}_2$ for a better precision.

Multiplication

The multiplication operation benefits from the interval concretisation of every noise symbol. We detail the idea through a small example, then give the formal definition.

Let $x \triangleq \varepsilon_1$ and $y = \varepsilon_2$, and $\Phi = 1 \times [0.5, 1]^2$. Since $\varepsilon_1$ and $\varepsilon_2$ are independent variables, the exact range of the expression $\varepsilon_1 \times \varepsilon_2$ is given by interval arithmetic, that is $[0.5, 1] \times [0.5, 1] = [0.25, 1]$. The expression $\varepsilon_1 \times \varepsilon_2$ is non-linear. The naive solution, which transforms the interval $[0.25, 1]$ into the affine form $\mathrm{mid}([0.25, 1]) + \mathrm{dev}([0.25, 1])\,\eta_f$, $\eta_f \in [-1, 1]$, definitely loses all relations with $\varepsilon_1$ and $\varepsilon_2$ while giving a perturbation deviation of $\frac{1 - 0.25}{2} = 0.375$. A better solution first "extracts" the linear component of $\varepsilon_1 \times \varepsilon_2$:
\[
\begin{aligned}
\varepsilon_1 \times \varepsilon_2 &= (\varepsilon_1 - 0.75 + 0.75) \times (\varepsilon_2 - 0.75 + 0.75) \\
&= 0.75^2 + 0.75(\varepsilon_1 - 0.75) + 0.75(\varepsilon_2 - 0.75) + (\varepsilon_1 - 0.75)(\varepsilon_2 - 0.75) \\
&\in -0.75^2 + 0.75\varepsilon_1 + 0.75\varepsilon_2 + [-0.25, 0.25] \times [-0.25, 0.25] \\
&\in -0.5625 + 0.75\varepsilon_1 + 0.75\varepsilon_2 + [-0.0625, 0.0625]
\end{aligned}
\]
The non-linear term considered now, $(\varepsilon_1 - 0.75) \times (\varepsilon_2 - 0.75)$, has a concretisation equal to $[-0.0625, 0.0625]$, which is 6 times less than $[-0.375, 0.375]$, obtained by the naive solution.


The multiplication operation is defined by:
\[
(x, \Phi) \times_{1\times 2} (y, \Phi) \triangleq \Big( \sum_{i=0}^{n} \alpha_i \varepsilon_i + \sum_{j=1}^{m} \beta_j \eta_j + \beta_f \eta_f,\ \llbracket -1 \le \eta_f \le 1 \rrbracket^\sharp_2 \circ \llbracket \mathrm{add}\ \eta_f \rrbracket^\sharp_2 \Phi \Big)
\]
where
\[
\begin{aligned}
\alpha_0 &= -\mathrm{mid}([x])\,\mathrm{mid}([y]) + \mathrm{mid}(\Delta) \\
\alpha_i &= \mathrm{mid}([x])\,\alpha^y_i + \mathrm{mid}([y])\,\alpha^x_i, & 1 \le i \le n \\
\beta_j &= \mathrm{mid}([x])\,\beta^y_j + \mathrm{mid}([y])\,\beta^x_j, & 1 \le j \le m \\
\beta_f &= \mathrm{dev}(\Delta) \\
\Delta &= \mathrm{bound}_2 \Big( \sum_{i=1}^{n} \alpha^x_i (\varepsilon_i - \mathrm{mid}(\varepsilon_i)) \sum_{i=1}^{n} \alpha^y_i (\varepsilon_i - \mathrm{mid}(\varepsilon_i)) \\
&\qquad + \sum_{i=1}^{n} \alpha^x_i (\varepsilon_i - \mathrm{mid}(\varepsilon_i)) \sum_{j=1}^{m} \beta^y_j (\eta_j - \mathrm{mid}(\eta_j)) \\
&\qquad + \sum_{j=1}^{m} \beta^x_j (\eta_j - \mathrm{mid}(\eta_j)) \sum_{i=1}^{n} \alpha^y_i (\varepsilon_i - \mathrm{mid}(\varepsilon_i)) \\
&\qquad + \sum_{j=1}^{m} \beta^x_j (\eta_j - \mathrm{mid}(\eta_j)) \sum_{j=1}^{m} \beta^y_j (\eta_j - \mathrm{mid}(\eta_j)),\ \Phi \Big) \\
[x] &= \mathrm{bound}_2(x, \Phi), \qquad [y] = \mathrm{bound}_2(y, \Phi) .
\end{aligned}
\]

Recall that the primitive $\mathrm{bound}_2 : \mathcal{A}_1 \times \mathcal{A}_2 \to \mathbb{I}$ bounds the expression given in its first argument with respect to the abstract object $\Phi$ given in its second argument. Computing $\Delta$ is not immediate. If $\mathcal{A}_2$ is a polyhedra-like abstract domain, then the computation needs to over-approximate a quadratic term over a polyhedron. We give hereafter two methods specifically tuned for quadratic expressions.

Method 1 is based on interval arithmetic together with symbolic enhancement computations. The method distributes the multiplication, simplifies equal terms, then over-approximates each remaining term with an interval, and finally sums up these intervals. Simplification holds if $\alpha^x_i \alpha^y_j = -\alpha^x_j \alpha^y_i$ for some pair $(i, j)$. The over-approximation step is smart enough to detect squares of intervals: $(\varepsilon_i - \mathrm{mid}(\varepsilon_i))(\varepsilon_i - \mathrm{mid}(\varepsilon_i)) \in [0, \mathrm{dev}(\varepsilon_i)^2]$ instead of $[-\mathrm{dev}(\varepsilon_i)^2, \mathrm{dev}(\varepsilon_i)^2]$ given by interval arithmetic. The final interval found is an over-approximation of the actual bounds reached by the expression.
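As an added example (not code from the thesis), the midpoint-extraction multiplication above in Python, with $\mathcal{A}_2$ taken as the intervals lattice and the remainder $\Delta$ bounded by Method 1 (symmetric terms merged so that cancelling pairs vanish, diagonal terms treated as squares). The constant term is taken from the full expansion $xy = \mathrm{mid}[x]\,y + \mathrm{mid}[y]\,x - \mathrm{mid}[x]\mathrm{mid}[y] + \Delta$, which reduces to $\alpha_0$ above when $x$ and $y$ have no constant term, as in the example; symbol keys such as "e1" and the helper names are this example's own.

```python
"""Linearised multiplication of two affine forms whose noise symbols range over
a box (A2 = intervals).  Added example, not the thesis's code: it carries out
the midpoint-extraction expansion for eps1 * eps2 and bounds the non-linear
remainder with "Method 1" (interval arithmetic plus symbolic simplification
and square detection).  Symbol keys and helper names are this example's own."""
from fractions import Fraction as F

# An affine form is a dict {noise symbol: coefficient}; key "1" is the constant.
# A box maps every noise symbol to its interval (lo, hi).

def mid(iv):
    return (iv[0] + iv[1]) / 2

def dev(iv):
    return (iv[1] - iv[0]) / 2

def bound(form, box):
    """bound_2: interval concretisation of an affine form over the box."""
    lo = hi = form.get("1", F(0))
    for s, a in form.items():
        if s != "1":
            lo += min(a * box[s][0], a * box[s][1])
            hi += max(a * box[s][0], a * box[s][1])
    return (lo, hi)

def naive_dev(x, y, box):
    """Deviation of the plain interval product [x] * [y] (the naive solution)."""
    xl, xh = bound(x, box)
    yl, yh = bound(y, box)
    prods = [xl * yl, xl * yh, xh * yl, xh * yh]
    return (max(prods) - min(prods)) / 2

def remainder_bound(x, y, box):
    """Method 1 bound of Delta = (x - mid[x]) * (y - mid[y]), expanded as
    sum_i sum_j a_i b_j (s_i - mid s_i)(s_j - mid s_j):
    * the terms (i, j) and (j, i) are merged, so a_i b_j = -a_j b_i cancels;
    * a diagonal term is a square, (s_i - mid s_i)^2 in [0, dev(s_i)^2]."""
    syms = sorted((set(x) | set(y)) - {"1"})
    lo = hi = F(0)
    for p, si in enumerate(syms):
        for sj in syms[p:]:
            ai, aj = x.get(si, F(0)), x.get(sj, F(0))
            bi, bj = y.get(si, F(0)), y.get(sj, F(0))
            di, dj = dev(box[si]), dev(box[sj])
            if si == sj:
                sq = ai * bi * di * di            # coefficient times [0, dev^2]
                lo, hi = lo + min(F(0), sq), hi + max(F(0), sq)
            else:
                mag = abs(ai * bj + aj * bi) * di * dj   # merged symmetric pair
                lo, hi = lo - mag, hi + mag
    return (lo, hi)

def multiply(x, y, box, fresh):
    """(x, Phi) x_{1x2} (y, Phi) with Phi a box.  Uses
    x*y = mid[x]*y + mid[y]*x - mid[x]*mid[y] + Delta and replaces Delta by
    mid(Delta) + dev(Delta) * eta_fresh, eta_fresh a fresh symbol in [-1, 1].
    Returns the product form and the box extended with `fresh`."""
    mx, my = mid(bound(x, box)), mid(bound(y, box))
    delta = remainder_bound(x, y, box)
    z = {"1": -mx * my + mid(delta)}
    for s in set(x) | set(y):
        z[s] = z.get(s, F(0)) + mx * y.get(s, F(0)) + my * x.get(s, F(0))
    z = {s: c for s, c in z.items() if c != 0}
    if dev(delta) != 0:
        z[fresh] = dev(delta)
    new_box = dict(box)
    new_box[fresh] = (F(-1), F(1))
    return z, new_box

def thesis_example():
    """The section's example: x = eps1, y = eps2, both ranging over [0.5, 1]."""
    box = {"e1": (F(1, 2), F(1)), "e2": (F(1, 2), F(1))}
    return multiply({"e1": F(1)}, {"e2": F(1)}, box, "hf")

if __name__ == "__main__":
    z, box = thesis_example()
    print(z, bound(z, box))
```

Running `thesis_example()` yields $-0.5625 + 0.75\varepsilon_1 + 0.75\varepsilon_2 + 0.0625\eta_f$, the form derived above; multiplying $\varepsilon_1$ by itself exercises the square rule and gives a remainder of $[0, 0.0625]$ rather than $[-0.0625, 0.0625]$.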


Method 2 is more sophisticated and takes into account the dependency between noise symbols. It operates globally on the expression and uses SemiDefinite Programming (SDP) to compute tight bounds for $\Delta$. The expression can be seen simply as $\sum_{i=1}^{n+m} \sum_{j=1}^{n+m} \zeta^x_i \zeta^y_j \delta_i \delta_j$ when all $\delta_i$ are within $[-1, 1]$, where:
\[
\begin{aligned}
\zeta^x_i &= \alpha^x_i\,\mathrm{dev}(\varepsilon_i), & \zeta^y_i &= \alpha^y_i\,\mathrm{dev}(\varepsilon_i), & 1 \le i \le n, \\
\zeta^x_i &= \beta^x_i\,\mathrm{dev}(\eta_i), & \zeta^y_i &= \beta^y_i\,\mathrm{dev}(\eta_i), & n+1 \le i \le n+m, \\
\delta_i &= \varepsilon_i - \mathrm{mid}(\varepsilon_i), & & & 1 \le i \le n, \\
\delta_i &= \eta_i - \mathrm{mid}(\eta_i), & & & n+1 \le i \le n+m,
\end{aligned}
\]
and similarly for $\zeta^y_i$ and $\delta^y_i$, $1 \le i \le n+m$, by substituting $x$ by $y$. The following proposition bounds $\sup(\Delta)$ by a typical SDP program.

5.1.2 Proposition. The upper bound of $\Delta$ is bounded by:
\[
\max_{|\delta_i| \le 1} \sum_{i=1}^{n+m} \sum_{j=1}^{n+m} \zeta^x_i \zeta^y_j \delta_i \delta_j
= \max_{|\delta_i| \le 1} \delta^{*} Q\, \delta
\le \inf_{\mu \in \mathbb{R}^{n+m}_+} \{ \mathrm{trace}(\mu I_{n+m}) \mid Q - \mu I_{n+m} \preceq 0 \} \qquad (S)
\]
where $Q = (Q_{i,j})_{1 \le i, j \le n+m}$ with $Q_{i,j} = \frac{1}{2}(\zeta^x_i \zeta^y_j + \zeta^x_j \zeta^y_i)$, and $Q - \mu I_{n+m} \preceq 0$ denotes the fact that $Q - \mu I_{n+m}$ is negative semidefinite. The equality holds when the matrix $Q$ is negative semidefinite.

The infimum bound of $\Delta$ is computed similarly using the inequality
\[
\min_{|\delta_i| \le 1} \sum_{i=1}^{n+m} \sum_{j=1}^{n+m} \zeta^x_i \zeta^y_j \delta_i \delta_j
\ \ge\ - \max_{|\delta_i| \le 1} \sum_{i=1}^{n+m} \sum_{j=1}^{n+m} (-\zeta^x_i) \zeta^y_j \delta_i \delta_j .
\]
The first method is cost-effective but gives coarse results for the non-linear term as it does not consider all dependencies between noise symbols. The second method gives tighter results but needs to solve two SDP programs with a polynomial complexity. Notice that the second method relies on the box that contains $\gamma_2(\Phi)$, and not on $\gamma_2(\Phi)$ itself. It is hence an over-approximation of the actual bounds reached by the expression when the noise symbols lie within $\gamma_2(\Phi)$, unless $\mathcal{A}_2$ is the intervals abstract domain and $Q$ is negative semidefinite.

5.1.3 Proposition. The abstract assignment operator $\llbracket v_k \leftarrow v_i \times v_j \rrbracket^\sharp$ is monotonic.

Proof. The proof of the unconstrained case may be found in [GP09].


Division

The division operation $\div_{1\times 2}$ is defined in two steps: we first compute the inverse, then operate a multiplication:
\[
(x, \Phi) \div_{1\times 2} (y, \Phi) \triangleq \big( 1/\!\cdot_{1\times 2} (y, \Phi) \big) \times_{1\times 2} (x, \Phi) .
\]
The inverse operation $1/\!\cdot_{1\times 2}$ is defined by:
\[
1/\!\cdot_{1\times 2} (x, \Phi) \triangleq \big( \zeta + \lambda x + \kappa \eta_f,\ \llbracket -1 \le \eta_f \le 1 \rrbracket^\sharp_2 \llbracket \mathrm{add}\ \eta_f \rrbracket^\sharp_2 \Phi \big),
\]
where $[a, b] = \mathrm{bound}_2(x, \Phi)$ in
\[
\lambda = \frac{-4}{(a+b)^2}, \qquad
\kappa = \frac{-2b}{(a+b)^2} + \frac{1}{2a}, \qquad
\zeta = \frac{4}{a+b} + \frac{-2b}{(a+b)^2} + \frac{1}{2a} .
\]
The definition above supposes that $[a, b]$ does not contain zero and has finite bounds. The non-generic other cases are as follows:
\[
1/\!\cdot_{1\times 2} (x, \Phi) \triangleq
\begin{cases}
(\top_{1\times 2}, \Phi), & \text{if } 0 \in [a, b], \\
\big( \tfrac{1}{2a} + \tfrac{1}{2a} \eta_f,\ \llbracket -1 \le \eta_f \le 1 \rrbracket^\sharp_2 \llbracket \mathrm{add}\ \eta_f \rrbracket^\sharp_2 \Phi \big), & \text{if } b = +\infty, \\
\big( \tfrac{1}{2b} + \tfrac{-1}{2b} \eta_f,\ \llbracket -1 \le \eta_f \le 1 \rrbracket^\sharp_2 \llbracket \mathrm{add}\ \eta_f \rrbracket^\sharp_2 \Phi \big), & \text{if } a = -\infty .
\end{cases}
\]

Square Root

The square root is defined as follows:
\[
\sqrt{\ }_{1\times 2} (x, \Phi) \triangleq \big( \zeta + \lambda x + \kappa \eta_f,\ \llbracket -1 \le \eta_f \le 1 \rrbracket^\sharp_2 \llbracket \mathrm{add}\ \eta_f \rrbracket^\sharp_2 \Phi \big),
\]
where $[a, b] = [0, +\infty] \cap \mathrm{bound}_2(x, \Phi)$ in
\[
\zeta = \frac{\sqrt{a+b}}{4\sqrt{2}} - \frac{1}{2\sqrt{2}\sqrt{a+b}} + \frac{\sqrt{a}}{2}, \qquad
\lambda = \frac{1}{\sqrt{2(a+b)}}, \qquad
\kappa = \frac{\sqrt{a+b}}{4\sqrt{2}} + \frac{a}{2\sqrt{2}\sqrt{a+b}} - \frac{\sqrt{a}}{2} .
\]
Here, $\mathrm{bound}_2$ gives the bounds of the affine expression $x$ with respect to the abstract object $\Phi$. Such a primitive is usually available in all numerical abstract domains. If the underlying abstract domain does not implement such a primitive, a relaxed version can easily be defined by taking the interval concretization of each variable in $\Phi$, then using interval arithmetic. The real numbers $\zeta$, $\lambda$ and $\kappa$ are computed using a special Taylor series development of the square root function, as detailed in Section 3.3. The definition above assumes that $[a, b]$ is neither empty nor reduced to zero and that its bounds are finite. All other cases are as follows:
\[
\sqrt{\ }_{1\times 2} (x, \Phi) \triangleq
\begin{cases}
(\bot_{1\times 2}, \Phi), & \text{if } [a, b] = \emptyset, \\
(0, \Phi), & \text{if } a = b = 0, \\
\big( \eta_f,\ \llbracket \sqrt{a} \le \eta_f \rrbracket^\sharp_2 \llbracket \mathrm{add}\ \eta_f \rrbracket^\sharp_2 \Phi \big), & \text{if } b = +\infty .
\end{cases}
\]

A typical flow-sensitive analyzer would emit a caveat and store the location if the interval $[a, b]$ admits negative values.

Soundness

Linearization of non-linear unary operations adds a new noise symbol $\eta_f$. For unary operations $f(x) \in \{ \frac{1}{x}, \sqrt{x} \}$, where $x$ is abstracted by $(x, \Phi)$, we compute respectively the linear approximants $\{ 1/\!\cdot_{1\times 2}(x, \Phi),\ \sqrt{\ }_{1\times 2}(x, \Phi) \}$. The joint range of $x$ and $\diamond x$, for $\diamond \in \{ \sqrt{\ }_{1\times 2},\ 1/\!\cdot_{1\times 2} \}$, has to enclose the graph of $(x, f(x))$, where the noise symbols range over $\gamma_2(\Phi)$. This condition is enforced by the soundness property that an abstraction should respect: $X \subseteq \gamma \circ \alpha(X)$. In our case, $X$ is given by the graph of the function $(x, f(x))$; its abstraction $\alpha(X)$ is the constrained affine set formed by the affine forms $x$, $\diamond x$ and the abstract element $\Phi$:
\[
\{ (x_1, x_2) \mid x_2 = f(x_1) \} = X \subseteq \gamma_{1\times 2}(\alpha(X)) .
\]
If this condition is unsatisfied, then one might find a feasible configuration of noise symbols not represented by the linear approximant computed. Even if the interval range of the linear approximant contains the interval range of the approximated function, one can always come up with an "unsafe" future computation that exploits this unsound configuration.

We give hereafter an example of a linearization which is unsound, but gives a locally correct result if we consider only the interval range of the affine forms after the linearization. The example is picked from the literature on reliable computing; it is given in [Kol07] to illustrate the so-called Kolev formula of multiplication over affine forms, which yields no overestimation (under certain simple monotonicity conditions satisfied by the example).

5.1.4 Example. Consider $x = 10 + 5\varepsilon_1 + 3\varepsilon_2$ and $y = 10 - 2\varepsilon_1 + \varepsilon_3$. All noise symbols are within $[-1, 1]$. The range of $x$ is $[2, 18]$, and the range of $y$ is $[7, 13]$. Kolev multiplication gives $z = 92 + 31\varepsilon_1 + 21\varepsilon_2 + 2\varepsilon_3 + 16\varepsilon_4$. The concretisation of $z$ is $[22, 162]$, which is the exact range of $xy$. Consider now the (future) computation $t = -4x + 0.8z - 79$. Using the above $z$, we find $t = -45.4 + 4.8\varepsilon_1 + 4.8\varepsilon_2 + 1.6\varepsilon_3 + 12.8\varepsilon_4$ and conclude that $t \in [-69.4, -21.4]$. This is wrong: for $\varepsilon_1 = 0$, $\varepsilon_2 = 1$ and $\varepsilon_3 = 1$, we have $x = 13$ and $y = 11$ and $z = 143$, then $t = -16.6$, which is outside the concretisation of $t$ found using this affine form for $z$.

[Figure 5.1: projection onto the $(x, z)$ plane; $x$ axis from 2 to 18, $z$ axis from 22 to 162; the marked point corresponds to $(\varepsilon_1 = 0, \varepsilon_2 = 1, \varepsilon_3 = 1)$.]

Figure 5.1: unsound multiplication: the concretisation of the abstraction does not over-approximate the concrete graph.

Figure 5.1 depicts the projection onto the $(x, z)$ space of a cloud of vectors of the actual 3-dimensional graph $(x, y, z = xy)$ taken sparsely for $\varepsilon_1, \varepsilon_2, \varepsilon_3 \in [-1 : 0.2 : 1]$, and the joint range (the gray zonotope) of the affine forms $x$ and $z$. Observe that some points are outside the zonotope even if their projection onto the $z$ axis is within $[22, 162]$. For instance, the red point $(x, z) = (13, 143)$ obtained for $(\varepsilon_1, \varepsilon_2, \varepsilon_3) = (0, 1, 1)$ is outside the zonotope and leads to the wrong over-approximation of $t$ detailed above.


5.2 Interpretation of Tests

The scope of this section covers the novel idea behind the interpretation of tests, informally discussed in the introduction (Section 4.1).

We first study (Section 5.2) the interpretation of the equality test $\llbracket e = 0 \rrbracket^\sharp$ for an expression $e \in expr$. Then we formalize $\llbracket e \le 0 \rrbracket^\sharp$ as well as the interpretation of conjunctions and disjunctions of constraints (Section 5.2).

Equality Test

We start with a motivating example to help understand the formal definition of the interpretation of an equality test over CAS.

5.2.1 Example. Let $X = (C^X, P^X, \Phi^X)$ be a CAS abstracting three variables $\{v_1, v_2, v_3\}$, where $\mathcal{A}_2$ is the intervals lattice. Each variable $v_i$ is abstracted by the affine form given by the $i$th line of matrices $C^X$ and $P^X$.
\[
\begin{aligned}
\Phi^X &:= \{1\} \times [-1, 1] \times [-1, 1] \times [-1, 1] \\
X_1 &:= 4 + \varepsilon_1 + \varepsilon_2 + \eta_1, & \mathrm{bound}_2(X_1, \Phi^X) &= [1, 7] \\
X_2 &:= -\varepsilon_1 + 3\varepsilon_2, & \mathrm{bound}_2(X_2, \Phi^X) &= [-4, 4] \\
X_3 &:= -\varepsilon_1 + 2\varepsilon_2 + \eta_1, & \mathrm{bound}_2(X_3, \Phi^X) &= [-4, 4]
\end{aligned}
\]
The evaluation of the expression $v_1 - v_2$ in our abstract domain gives
\[
\llbracket v_1 - v_2 \rrbracket^\sharp (C^X, P^X, \Phi^X) = (4 + 2\varepsilon_1 - 2\varepsilon_2 + \eta_1,\ \Phi^X),
\]
and the constraint $v_1 - v_2 = 0$, interpreted with affine forms, then gives
\[
4 + 2\varepsilon_1 - 2\varepsilon_2 + \eta_1 = 0 . \qquad (5.2.1)
\]
This constraint, established using the noise symbols, is first used to enhance the interval concretisation of the noise symbols (in this example, the domain $\mathcal{A}_2$ is the intervals lattice). This gives $\Phi^Y \triangleq \{1\} \times [-1, -0.5] \times [0.5, 1] \times [-1, 0]$. Moreover, for each variable $v_i$ we inject equation (5.2.1) to seek the best trade-off one can have by substituting one of its noise symbols; "best" in the sense of minimizing the interval concretisation of the variable $v_i$. For instance, for $X_1 = 4 + \varepsilon_1 + \varepsilon_2 + \eta_1$, we have 3 choices:
\[
\begin{aligned}
Y_1 &= 2 + 2\varepsilon_2 + 0.5\eta_1, & \mathrm{bound}_2(Y_1, \Phi^Y) &= [2.5, 4] & \text{(by substituting } \varepsilon_1) \\
Y_1 &= 6 + 2\varepsilon_1 + 1.5\eta_1, & \mathrm{bound}_2(Y_1, \Phi^Y) &= [2.5, 5] & \text{(by substituting } \varepsilon_2) \\
Y_1 &= -\varepsilon_1 + 3\varepsilon_2, & \mathrm{bound}_2(Y_1, \Phi^Y) &= [2, 4] & \text{(by substituting } \eta_1)
\end{aligned}
\]


The best substitution, which minimizes the range of the variable, is the one which substitutes $\varepsilon_1$ by its corresponding expression given by equation (5.2.1).

Since variable $v_2$ is involved in the constraint $v_1 = v_2$, its best affine form is the same one found for $v_1$. So there is no more computation needed here.

For the last variable $v_3$, we also choose the best possible substitution, as we did with $v_1$; we have
\[
\begin{aligned}
Y_3 &= 2 + \varepsilon_2 + 1.5\eta_1, & \mathrm{bound}_2(Y_3, \Phi^Y) &= [1, 3] & \text{(by substituting } \varepsilon_1) \\
Y_3 &= 4 + \varepsilon_1 + 2\eta_1, & \mathrm{bound}_2(Y_3, \Phi^Y) &= [1, 3.5] & \text{(by substituting } \varepsilon_2) \\
Y_3 &= -4 - 3\varepsilon_1 + 4\varepsilon_2, & \mathrm{bound}_2(Y_3, \Phi^Y) &= [-0.5, 3] & \text{(by substituting } \eta_1)
\end{aligned}
\]
and it turns out that substituting $\varepsilon_1$ also gives the best affine form. The interval concretisation of this best form is tighter than $[0.5, 3]$, the one obtained with the original affine form of $v_3$, $-\varepsilon_1 + 2\varepsilon_2 + \eta_1$, with the new intervals of noise symbols $\Phi^Y$. Of course, the choice of which noise symbol to substitute depends on the original affine form of the variable as well as on the constraint. For instance, if $X_3$ were equal to $-\varepsilon_1 + 0.5\varepsilon_2 + \eta_1$, with respect to the same constraint given in (5.2.1), then $\varepsilon_2$ would be the best substitution.

Finally, the CAS $Y$ obtained after the interpretation of the equality test is
\[
\begin{aligned}
\Phi^Y &:= \{1\} \times [-1, -0.5] \times [0.5, 1] \times [-1, 0] \\
Y_1 &:= 2 + 2\varepsilon_2 + 0.5\eta_1, & \mathrm{bound}_2(Y_1, \Phi^Y) &= [2.5, 4] \\
Y_2 &:= 2 + 2\varepsilon_2 + 0.5\eta_1, & \mathrm{bound}_2(Y_2, \Phi^Y) &= [2.5, 4] \\
Y_3 &:= 2 + \varepsilon_2 + 1.5\eta_1, & \mathrm{bound}_2(Y_3, \Phi^Y) &= [1, 3]
\end{aligned}
\]
The interval concretizations so obtained are better than the ones obtained by the reduced product of affine sets and intervals, which gives, after the test, $[1, 7] \cap [-4, 4] = [1, 4]$ for $Y_1$ and $Y_2$, and $[-4, 4]$ for $Y_3$. The substitution in fact injects the exact constraint into the affine forms. Observe also that in the CAS $Y$ the equality is algebraically satisfied, as the affine forms $Y_1$ and $Y_2$ are equal.

The complexity of the straightforward method to compute the best substitution used in the example above (testing each noise symbol, then comparing the concretisations) is $O((n+m)^2)$ for each numerical variable $v_i$, for $n+m$ noise symbols. We can reduce this complexity by transforming the problem into the following optimization problem:
\[
\min_{\lambda \in \mathbb{R}} f(\lambda), \qquad f(\lambda) \triangleq \sum_{i=1}^{n+m} |a_i - b_i \lambda| \qquad (*)
\]
where $a_i, b_i$ are known real numbers for all $i$, $1 \le i \le n+m$. We can suppose, without loss of generality, that $b_i > 0$. Indeed, if $b_k$ is null for some $k$, then the term $|a_k|$ is not involved in the minimization problem as it is independent from $\lambda$. If $b_k < 0$, then we just multiply by $-1$.

5.2.2 Proposition. The best average complexity of solving problem (*) is $O(n \log(n))$.

Proof. The function $f$ in (*) is convex: it is defined as a finite sum of convex functions $|a_i - b_i \lambda|$. Let us denote by $R = \{r_1, \ldots, r_{n+m}\}$ the sorted set of roots of the functions $a_i - b_i \lambda$, $r_i \triangleq \frac{a_i}{b_i}$, in increasing order (i.e. $r_i \le r_{i+1}$). Note that the function $f$ is a piecewise linear function with $n+m-1$ line segments, each defined over $[r_i, r_{i+1}]$, $1 \le i < n+m$, and two half-lines (rays) for $\lambda \le r_1$ and $r_{n+m} \le \lambda$. By convexity of $f$, when $\lambda$ varies over the real number line, the slopes of the line segments are ordered and vary from $-\sum_{i=1}^{n+m} b_i$ (the slope of the ray $\lambda \le r_1$) to $\sum_{i=1}^{n+m} b_i$ (the slope of the ray $r_{n+m} \le \lambda$). By hypothesis $b_i > 0$, so there necessarily exists at least one point $r_p$ such that the slope of the line segment $[r_{p-1}, r_p]$ is non-positive (negative or null) and the slope of the line segment $[r_p, r_{p+1}]$ is positive. Then a minimum of $f$ is reached at $r_p$, since $f$ is decreasing before $r_p$ and increasing after $r_p$. Such a local minimum is global by the convexity of $f$. Moreover, if the slope in $[r_{p-1}, r_p]$ is null, then the global minimum is reached for all $\lambda \in [r_{p-1}, r_p]$.

The best average complexity of sorting a list of $n+m$ elements is $O((n+m)\log(n+m))$, using a divide and conquer strategy (the Quicksort algorithm by Hoare, the Merge sort algorithm by von Neumann, etc.). We then have, in the worst case, to run through the $n+m$ elements seeking the change of sign of the slopes of the line segments.

Our original problem of seeking the best substitution can easily be translated to the form of (*). We exemplify this translation for the variable $X_1$, then formalize the general case.
\[
\begin{aligned}
X_1 &= X_1 + \lambda \times 0 \\
&= 4 + \varepsilon_1 + \varepsilon_2 + \eta_1 + \lambda (4 + 2\varepsilon_1 - 2\varepsilon_2 + \eta_1) \\
&= 4 + 4\lambda + (1 + 2\lambda)\varepsilon_1 + (1 - 2\lambda)\varepsilon_2 + (1 + \lambda)\eta_1
\end{aligned}
\]
In the second equality, the zero was replaced by the constraint (5.2.1) deduced from the test. The deviation of the interval concretisation $\gamma(X_1)$ is then:
\[
0.25\,|1 + 2\lambda| + 0.25\,|1 - 2\lambda| + 0.5\,|1 + \lambda| .
\]
Minimizing this deviation ensures the minimal interval concretisation for the variable $v_1$.

Now, for any affine form $a = \alpha_0 + \sum_{i=1}^{n} \alpha_i \varepsilon_i + \sum_{j=1}^{m} \beta_j \eta_j$ and a constraint $c = c_0 + \sum_{i=1}^{n} c_i \varepsilon_i + \sum_{j=1}^{m} p_j \eta_j = 0$, the optimization problem to solve is
\[
\min_{\lambda \in \mathbb{R}} \sum_{i=1}^{n} \mathrm{dev}(\bar{\varepsilon}_i)\,|\alpha_i + \lambda c_i| + \sum_{j=1}^{m} \mathrm{dev}(\bar{\eta}_j)\,|\beta_j + \lambda p_j|, \qquad (**)
\]
where $\bar{\varepsilon}_i$ and $\bar{\eta}_j$ denote respectively the interval concretisations of the input noise symbols $\varepsilon_i$, $1 \le i \le n$, and of the perturbation noise symbols $\eta_j$, $1 \le j \le m$, that is
\[
\bar{\varepsilon}_i \triangleq \mathrm{bound}_2(\varepsilon_i, \Phi^Y), \qquad \bar{\eta}_j \triangleq \mathrm{bound}_2(\eta_j, \Phi^Y) .
\]
The new affine form is derived from the optimal solution $\lambda$ of (**) and the current affine form.

The abstract operator $\llbracket v_k = 0 \rrbracket^\sharp$ is formalized as follows:

5.2.3 Definition. Let $X$ be a CAS abstracting $p$ numerical variables. Then $Y = \llbracket v_k = 0 \rrbracket^\sharp X$ is defined by
\[
\begin{aligned}
\Phi^Y &\triangleq \llbracket X_k = 0 \rrbracket^\sharp_2 \Phi^X \\
Y_i &\triangleq X_i + \lambda_i (X_k), & 1 \le i \le p,\ i \ne k \\
Y_k &\triangleq 0
\end{aligned}
\]
where $\lambda_i$ is the optimal solution of problem (**) solved for
\[
a = X_i, \qquad c = X_k, \qquad \bar{\varepsilon}_i = \mathrm{bound}_2(\varepsilon_i, \Phi^Y), \qquad \bar{\eta}_j = \mathrm{bound}_2(\eta_j, \Phi^Y) .
\]
The matrices $C^Y$ and $P^Y$ are computed (together) line by line: the central part of the affine form $Y_i$ gives the coefficients of the $i$th line of $C^Y$, and its perturbation part completes the $i$th line of matrix $P^Y$. The operator $\llbracket e = 0 \rrbracket^\sharp_2$ denotes the abstract conditional operator of the noise symbol abstract domain $\mathcal{A}_2$. We recall that the primitive $\mathrm{bound}_2 : \mathcal{A}_1 \times \mathcal{A}_2 \to \mathbb{I}$ returns the range of an affine form with respect to an abstract object in $\mathcal{A}_2$.
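As an added example (not code from the thesis), the equality test of Definition 5.2.3 in Python with $\mathcal{A}_2$ the intervals lattice: the noise-symbol box is first tightened by propagating the constraint, as done for $\Phi^Y$ in Example 5.2.1, then each affine form receives the $\lambda$ that minimizes (**), found by the sorted-roots argument of Proposition 5.2.2. The constraint is passed as an affine form over the noise symbols (the temporary variable of Definition 5.2.5); symbol keys such as "e1" and the helper names are this example's own.

```python
"""Equality test over a constrained affine set with A2 = intervals.
Added example, not the thesis's code: (1) tighten the noise-symbol box by
propagating c = 0 (the [[c = 0]]_2 step), (2) for every affine form choose the
lambda minimising (**) by scanning the sorted roots, and return X_i + lambda*c.
Symbol keys ("e1", "h1") and helper names are this example's own."""
from fractions import Fraction as F

# An affine form is a dict {noise symbol: coefficient}; key "1" is the constant.
# A box maps every noise symbol to its interval (lo, hi).

def dev(iv):
    return (iv[1] - iv[0]) / 2

def bound(form, box):
    """bound_2: interval concretisation of an affine form over the box."""
    lo = hi = form.get("1", F(0))
    for s, a in form.items():
        if s != "1":
            lo += min(a * box[s][0], a * box[s][1])
            hi += max(a * box[s][0], a * box[s][1])
    return (lo, hi)

def tighten(c, box, max_rounds=100):
    """[[c = 0]]_2 on a box: rewrite each symbol s as -(c - c_s s) / c_s,
    bound the right-hand side and intersect, until nothing changes.
    Returns None (bottom) when the constraint is infeasible on the box."""
    box = dict(box)
    for _ in range(max_rounds):
        changed = False
        for s, cs in c.items():
            if s == "1" or cs == 0:
                continue
            rest = {k: v for k, v in c.items() if k != s}
            lo, hi = bound(rest, box)
            cand = sorted((-hi / cs, -lo / cs))
            new = (max(box[s][0], cand[0]), min(box[s][1], cand[1]))
            if new[0] > new[1]:
                return None
            if new != box[s]:
                box[s], changed = new, True
        if not changed:
            break
    return box

def best_lambda(a, c, box):
    """Minimise f(l) = sum_s dev(s) |a_s + l c_s|  (problem (**)).
    f is convex and piecewise linear: its slope starts at -sum(w_s) and grows
    by 2 w_s at each root r_s = -a_s / c_s, with w_s = dev(s) |c_s|, so the
    minimum is the first root at which the running slope becomes >= 0."""
    terms = []
    for s, cs in c.items():
        if s == "1" or cs == 0:
            continue
        w = dev(box[s]) * abs(cs)
        if w != 0:
            terms.append((-a.get(s, F(0)) / cs, w))
    if not terms:
        return F(0)                     # f is constant: keep the form as is
    terms.sort()
    slope = -sum(w for _, w in terms)
    for r, w in terms:
        slope += 2 * w
        if slope >= 0:
            return r
    return terms[-1][0]

def substitute(a, lam, c):
    """a + lam * c, dropping zero coefficients."""
    out = dict(a)
    for s, cs in c.items():
        out[s] = out.get(s, F(0)) + lam * cs
    return {s: v for s, v in out.items() if v != 0}

def equality_test(forms, c, box):
    """Y = [[c = 0]]^# X for X = (forms, box).  Returns (new forms, new box),
    or None when the constraint is infeasible on the box."""
    new_box = tighten(c, box)
    if new_box is None:
        return None
    return [substitute(x, best_lambda(x, c, new_box), c) for x in forms], new_box

def example_521():
    """Example 5.2.1: X1, X2, X3 and the test v1 - v2 = 0."""
    one = (F(-1), F(1))
    box = {"e1": one, "e2": one, "h1": one}
    x1 = {"1": F(4), "e1": F(1), "e2": F(1), "h1": F(1)}
    x2 = {"e1": F(-1), "e2": F(3)}
    x3 = {"e1": F(-1), "e2": F(2), "h1": F(1)}
    c = substitute(x1, F(-1), x2)       # v1 - v2 = 4 + 2 e1 - 2 e2 + h1
    return equality_test([x1, x2, x3], c, box)

if __name__ == "__main__":
    ys, box = example_521()
    for y in ys:
        print(y, bound(y, box))
```

`example_521()` returns the box $\{1\} \times [-1, -0.5] \times [0.5, 1] \times [-1, 0]$ and the forms $Y_1 = Y_2 = 2 + 2\varepsilon_2 + 0.5\eta_1$, $Y_3 = 2 + \varepsilon_2 + 1.5\eta_1$ of the example; an infeasible constraint such as $\varepsilon_1 - 5 = 0$ on $[-1, 1]$ yields `None`.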


5.2.4 Proposition. The average complexity of the abstract function $\llbracket v_k = 0 \rrbracket^\sharp$ is $O((p-1)(n+m)\log(n+m))$ for $p$ numerical variables, $n$ input noise symbols and $m$ perturbation noise symbols.

Proof. We solve $p-1$ times the problem (**), which has an average complexity of $O((n+m)\log(n+m))$ by Proposition 5.2.2. We subtract 1 from $p$ since the affine form of $v_k$ is set to 0.

Interpretation of expression equality. If the test involves an expression rather than a variable, then the operator $\llbracket e = 0 \rrbracket^\sharp$ has the same definition as $\llbracket v_k = 0 \rrbracket^\sharp$ up to the evaluation of the expression $e$.

5.2.5 Definition. The abstraction of the test $e = 0$ is defined by:
\[
\llbracket e = 0 \rrbracket^\sharp X \triangleq \llbracket v_0 = 0 \rrbracket^\sharp X,
\]
where $v_0$ is a temporary numerical variable abstracted by $\llbracket e \rrbracket^\sharp X$.

5.2.6 Example. Consider $Y = \llbracket x_1 + x_2 - x_3 = 0 \rrbracket^\sharp X$ where
\[
\begin{aligned}
\Phi^X &:= \{1\} \times [-1, 1] \times [-1, 1] \times [-1, 1] \\
X_1 &:= 2 + \varepsilon_1, & \mathrm{bound}_2(X_1, \Phi^X) &= [1, 3] \\
X_2 &:= 2 + \varepsilon_2 + \eta_1, & \mathrm{bound}_2(X_2, \Phi^X) &= [0, 4] \\
X_3 &:= -\varepsilon_1 + 3\varepsilon_2, & \mathrm{bound}_2(X_3, \Phi^X) &= [-4, 4]
\end{aligned}
\]
The evaluation of the expression $x_1 + x_2 - x_3$ gives the same constraint as in Example 5.2.1, that is
\[
4 + 2\varepsilon_1 - 2\varepsilon_2 + \eta_1 = 0,
\]
thus $\Phi^Y = 1 \times [-1, -0.5] \times [0.5, 1] \times [-1, 0]$. The computation of the best substitutions replaces $\varepsilon_1$ by $-2 + \varepsilon_2 - 0.5\eta_1$ in all affine forms:
\[
\begin{aligned}
Y_1 &:= \varepsilon_2 - 0.5\eta_1, & \mathrm{bound}_2(Y_1, \Phi^Y) &= [0.5, 1.5] \\
Y_2 &:= 2 + \varepsilon_2 + \eta_1, & \mathrm{bound}_2(Y_2, \Phi^Y) &= [1.5, 3] \\
Y_3 &:= 2 + 2\varepsilon_2 + 0.5\eta_1, & \mathrm{bound}_2(Y_3, \Phi^Y) &= [2.5, 4] .
\end{aligned}
\]
Observe that, after the test, $Y_1 + Y_2 = Y_3$.


[Figure 5.2: left panel with axes $\varepsilon_1$ and $\varepsilon_2$; right panel with axes $x$ and $y$.]

Figure 5.2: The constraints over variables are interpreted as constraints over the noise symbols.

Inequality Tests

The inequality test supported by our language is $e \le 0$. The test is propagated to the noise symbols abstract domain.

5.2.7 Definition. Let $X$ be a CAS abstracting $p$ numerical variables. Then $Y = \llbracket x_k \le 0 \rrbracket^\sharp X$ is defined by
\[
\Phi^Y \triangleq \llbracket e \le 0 \rrbracket^\sharp_2 \Phi^X, \qquad C^Y \triangleq C^X, \qquad P^Y \triangleq P^X .
\]
Only the abstract domain of the noise symbols is updated in the inequality test. The affine set $(C^X, P^X)$ remains unchanged. For instance, consider the affine set
\[
x = \varepsilon_1 - \varepsilon_2, \qquad y = 2\varepsilon_1 .
\]
In Figure 5.2, we depict the final object which we propagate after the test $x \ge 0$. On the one hand, the initial affine set given above is untouched, and so is its geometrical concretisation, that is the gray zonotope (right hand side). On the other hand, the values of the noise symbols are constrained to the gray area (left hand side), instead of being independent within $[-1, 1]$ each.

The conjunction and disjunction of constraints are interpreted similarly, that is as constraints over the noise symbols. If the underlying domain of noise symbols does not handle disjunctions, the convex hull is considered instead, as is done in classical convex abstract domains.


5.3 Related Work

On the Use of Zonotopes

The efficient encoding of affine forms (as lists of generators) and the accuracy of computations (for both linear and non-linear operations) have motivated other applications of these special polytopes, or zonotopes. For instance, Girard in [Gir05] and Combastel [Com05] have used zonotopes for the computation of reachable sets of uncertain linear systems. Combastel [Com05] has also proposed rigorous bounds for uncertain non-linear continuous-time systems using zonotopes.

Years before, Kuhn [Kuh98] had used zonotopes for the purpose of numerical quality control: he used zonotopes to enclose the orbits of discrete dynamical systems; the higher order zonotopes permit to reduce the wrapping effect and hence lead to more accurate results. Zonotopes were also used as bounding volumes for collision detection [GNZ03].

Zonotope/Hyperplane Intersection

The use of zonotopes in reachability analysis of hybrid systems needs first to detect the collision of a zonotope with the guards that govern the discrete transitions of the system, and second to be able to wrap the intersection with the active guard by a zonotope. Indeed, the intersection of a hyperplane (for linear guards) and a zonotope is in general not a zonotope.

As seen in the previous section, the interpretation of tests while using zonotopes (or equivalently affine sets) as abstract objects raises a similar problem, as one needs to compute a zonotopic approximation of the intersection, which is in general a polytope.

The geometrical approaches proposed in [GLG08, LG09] and [ASB08] do not embed the noise symbols with a particular semantics. The zonotopes are encoded with unordered lists of generators. In our case, the noise symbols are related to the inputs of the program; these symbols have a precise meaning and cannot be substituted. Indeed, the order we define over our abstract objects is strictly stronger than the geometrical order. Therefore, a zonotope that geometrically over-approximates the intersection may not be sound in our context.


CHAPTER 6
Join over Constrained Affine Sets

This chapter is dedicated to the computation of the union of two constrained affine sets, as an optimal (in a sense to be defined) upper bound of two given constrained affine sets, with respect to the partial order $\le_{1\times 2}$.

Contents Firstly, we define, in Section 6.1, the general procedure we use to build a sound upper bound of two given CAS. The procedure is generic and not related to the noise symbols abstract domain $\mathcal{A}_2$. Section 6.2 characterizes the set of minimal upper bounds of two constrained affine forms (and not sets); Section 6.2 presents an algorithm to pick up one of these minimal upper bounds earlier characterized. This algorithm is extended in Section 16 to handle the reduced intervals case, that is when the noise symbols are constants, or equivalently, within intervals of the form $[c, c]$, where $c$ is a real number. Sections 16 and 16 are special cases of our algorithm: firstly, we consider the case of perturbed affine forms; secondly, we apply the efficient join operator defined for perturbed affine forms to the constrained affine forms using our characterization of minimal upper bounds, and hence our algorithm, to compute the minimal perturbation. Finally, the last part (Section 6.3) defines, piecewise, an upper bound over constrained affine sets.


6.1 General Procedure

As we are seeking a good precision-time cost trade-o↵, our general procedurestarts by relaxing the given abstract objects by forgetting all noise symbolsrelations, then computes an upper bound of the relaxed constrained a�nesets. Here, relaxing means taking the smallest box containing the concreti-sation of � instead of � itself. Our approach is sound, since relaxing a CAS(C, P,�) gives an over-approximation of (C, P,�).

6.1.1 PropositionLet X = (C, P,�) be a CAS, then

(C, P,�) = X 1⇥2 ⇤Xdef= (C, P,⇤�)

where ⇤� denotes the interval concretisation of �, that is, ⇧ni=0

✏i⇥⇧mj=1

⌘j,where ✏i = bound2(✏i,�) and ⌘j = bound2(⌘j,�).

Proof. Obviously the condition $\Phi_\epsilon \subseteq \ast\Phi_\epsilon$ holds, as $\Phi_\epsilon$ denotes the concretisation of the projection of $\Phi$ over the subspace defined by the input noise symbols, and $\ast\Phi_\epsilon$ is the smallest box containing this concretisation by construction. Similarly, we have $\Phi_\eta \subseteq \ast\Phi_\eta$. Moreover, for all $\omega \in \Phi_\epsilon$,
$$ (C - C)\omega + P\,\Phi_\eta(\omega) = P\,\Phi_\eta(\omega) \subseteq P\,\ast\Phi_\eta(\omega), $$
which ends the proof.

The general procedure used to compute the join of two CAS $X$ and $Y$ starts by computing an upper bound of $\ast X$ and $\ast Y$, which is also an upper bound of $X$ and $Y$ thanks to Proposition 6.1.1. Therefore, computing the join of two CAS is $\mathcal{A}_2$-independent, since the problem is always brought back to the computation of an upper bound of CAS whose noise symbols range over intervals.

In the remaining sections, $\mathcal{A}_2$ is the intervals lattice. We characterize and compute upper bounds of two CAS with respect to the partial order $\leq_{1\times 2}$. Our computation is defined componentwise over the set of variables. The result is constructed, line by line, by computing the minimal upper bound (mub) of two Constrained Affine Forms (CAF), that is, CAS with a single variable. The computation of such a mub extends and generalizes the one of [GP08], which computes the mub of two perturbed (but unconstrained) affine forms.


It is important to notice that such an approach does not consider the CAS globally while computing the join; it rather focuses on a fixed set of directions, namely those of the canonical basis of $\mathbb{R}^p$. This means that the perturbation of each variable, taken alone, is optimized. However, the perturbation along any other direction is not minimal in general.

This chapter is organized as follows. Section 6.2 details the way we compute the minimal upper bound of two constrained affine forms. In Section 6.3 we define our join operators.

6.2 Join over Constrained A�ne Forms

In this section, the number of variables $p$ is equal to one. Thus, the matrices $C^X$ and $P^X$ of a CAS $X$ are simply two lines; $X$ is simply a constrained affine form, or CAF.

A least upper bound (lub) does not exist in general; this fact was established for perturbed affine forms in [GP08], which are a special case of CAF (the noise symbols are unconstrained). Instead, two given CAF may have infinitely many minimal upper bounds (mub). We first recall the definition of a mub. Then, we focus on a particular subset of mubs (the ones which minimize the perturbation) that we can characterize as the set of saddle-points of a function $L(\alpha, \lambda)$ defined over $\mathbb{R}^{n+1} \times [0, 1]$. Finally, we solve the saddle-point problem using standard tools from the subdifferential theory of convex functions.

As we have seen in Section 4.3, when using intervals to abstract noise symbols, the partial order $\leq_{1\times 2}$ is not sensitive to the domain of each perturbation symbol $\eta_i$; only the (symmetric) perturbation set considered globally is of interest. We use the symmetric representative (see Definition 4.3.4) of CAF. Therefore, only the box $\Phi^X_\epsilon$ needs to be considered. One can then represent, without loss of generality, a CAF $X$ by $(\alpha^X, \tau^X, \Phi^X_\epsilon)$, where $\alpha^X \in \mathbb{R}^{n+1}$, $\tau^X$ is a non-negative real number, the deviation of the perturbation interval, and $\Phi^X_\epsilon$ is a hypercube of dimension $n$, the domain of the input noise symbols.

6.2.1 Definition. Let $X = (\alpha^X, \tau^X, \Phi^X_\epsilon)$ and $Y = (\alpha^Y, \tau^Y, \Phi^Y_\epsilon)$ be two CAF. We say that $Z = (\alpha^Z, \tau^Z, \Phi^Z_\epsilon)$ is a minimal upper bound (mub) of $X$ and $Y$ if and only if

• $Z$ is an upper bound of $X$ and $Y$, that is $X \leq_{1\times 2} Z$ and $Y \leq_{1\times 2} Z$, and

• for every upper bound $W$ of $X$ and $Y$, $W \leq_{1\times 2} Z$ implies $W = Z$.


The proposition below establishes that if the deviation of the perturbation set of an upper bound is minimal among all upper bounds, then this upper bound is a mub.

6.2.2 Proposition. If $Z = (\bar\alpha, \bar\tau, \Phi^X_\epsilon \cup_2 \Phi^Y_\epsilon)$ is an upper bound of two given CAF $X$ and $Y$ such that $\bar\tau$ (the deviation of its perturbation set) is minimal over the deviations $\tau$ of all upper bounds of $X$ and $Y$, then $Z$ is a mub of $X$ and $Y$.

Proof. Suppose that $T = (\alpha, \tau, \Phi_\epsilon)$ is an upper bound of $X$ and $Y$ such that $T \leq_{1\times 2} Z$. Then, by definition of the order, (i) $\Phi_\epsilon \subseteq \Phi^X_\epsilon \cup \Phi^Y_\epsilon$, and (ii)
$$ \delta(M(\bar\alpha - \alpha) \mid B) \leq \bar\tau - \tau, $$
where $M$ is the matrix related to $\Phi_\epsilon$. Since $T$ is an upper bound of $X$ and $Y$, we have $\Phi^X_\epsilon \subseteq \Phi_\epsilon$ and $\Phi^Y_\epsilon \subseteq \Phi_\epsilon$, thus $\Phi^X_\epsilon \cup \Phi^Y_\epsilon \subseteq \Phi_\epsilon$. By (i) we obtain $\Phi_\epsilon = \Phi^X_\epsilon \cup \Phi^Y_\epsilon$. By hypothesis, $\bar\tau$ is minimal, therefore $\bar\tau - \tau \leq 0$. However, by definition of the support function and (ii), we have $\delta(M(\bar\alpha - \alpha) \mid B) = \|M(\bar\alpha - \alpha)\|_1 \geq 0$. Therefore $\|M(\bar\alpha - \alpha)\|_1 = 0$, and $\alpha = \bar\alpha$ since $M$ is non-singular. Finally $0 \leq \bar\tau - \tau$, and $\tau = \bar\tau$.

Notice that the mubs which minimize the perturbation are not the only possible mubs. Indeed, Proposition 6.2.2 is only sufficient, not necessary. Example 6.2.3 gives a counter-example: a minimal upper bound which does not have the minimal perturbation.

6.2.3 Example. Let $X = ((1, -1, 2), 0, 1 \times [-1, 0] \times [0, 0.5])$ and $Y = ((2, 1, 1), 0, 1 \times [-0.5, 0.5] \times [0, 1])$. Then $T = ((1.75, 0, 1), 0.75, 1 \times [-1, 0.5] \times [0, 1])$ is a mub that minimizes the interval concretisation; indeed $[T] = [1, 3.5] = [1, 3] \cup [1.5, 3.5] = [X] \cup [Y]$. However, as computed in the running example of this section (Example 6.2.6), $Z = X \sqcup Y = ((1.7, 0.2, 1.6), 0.7, 1 \times [-1, 0.5] \times [0, 1])$ has a strictly smaller perturbation. Observe that $[Z] = [0.8, 4.1] \supseteq [1, 3.5] = [T]$. Of course, $T$ and $Z$ are not comparable.

What Example 6.2.3 suggests is that enforcing the minimality of the concretisation first, then seeking the minimal perturbation among the upper bounds with minimal concretisation, may lead to a different subset of mubs.

We focus in the sequel on the computation of the subset of mubs $(\bar\alpha, \bar\tau, \Phi)$ such that the perturbation $\bar\tau$ is minimal.


By Proposition 4.3.7, for $T = (\alpha, \tau, \Phi_\epsilon)$ to be an upper bound of $X$ and $Y$, it is necessary and sufficient that $\Phi^X_\epsilon \cup_2 \Phi^Y_\epsilon \subseteq \Phi_\epsilon$ and that $\alpha$ and $\tau$ satisfy
$$ \delta(M^X(\alpha^X - \alpha) \mid B) + \tau^X \leq \tau, \qquad \delta(M^Y(\alpha^Y - \alpha) \mid B) + \tau^Y \leq \tau, $$
or said differently:
$$ \max\{\delta(M^X(\alpha^X - \alpha) \mid B) + \tau^X,\ \delta(M^Y(\alpha^Y - \alpha) \mid B) + \tau^Y\} \leq \tau . $$
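As an added example (not code from the thesis), the following Python checks the two upper-bound conditions just stated on the CAF of Example 6.2.3 and computes their interval concretisations. It assumes the symmetric representation $(\alpha, \tau, \Phi_\epsilon)$ of this section, builds $M$ from a box with the interval midpoints in the first row and the deviations on the diagonal (the shape of $M^X$ and $M^Y$ in Example 6.2.6), and uses $\delta(v \mid B) = \|v\|_1$ for the unit ball $B$ of the infinity norm. For $T$ it takes $\alpha^T = (1.75, 0, 1)$, the value for which $[T] = [1, 3.5]$ and both $X \leq_{1\times 2} T$ and $Y \leq_{1\times 2} T$ hold (with $\alpha^T_2 = 0.75$ the check fails). Exact rationals avoid rounding in the comparisons.

```python
"""Added example (not from the thesis): upper-bound check of Proposition 4.3.7
for constrained affine forms (CAF) in the symmetric representation
(alpha, tau, box) of Section 6.2, on the data of Example 6.2.3.

A CAF is alpha_0 + sum_i alpha_i*eps_i + tau*eta with eps_i in its interval and
eta in [-1, 1].  Writing eps_i = mid_i + dev_i*b_i, b_i in [-1, 1], gives
alpha^T (1, eps) = (M alpha)^T (1, b): M holds the midpoints in its first row
and the deviations on its diagonal (assumption matching M^X, M^Y of Example
6.2.6).  The support function of the infinity-norm unit ball B is the 1-norm.
"""
from fractions import Fraction as F


def build_M(box):
    """box: intervals (lo, hi) of eps_1..eps_n; returns the (n+1)x(n+1) matrix M."""
    n = len(box)
    M = [[F(0)] * (n + 1) for _ in range(n + 1)]
    M[0][0] = F(1)
    for i, (lo, hi) in enumerate(box, start=1):
        M[0][i] = (lo + hi) / 2      # mid(eps_i) feeds the constant term
        M[i][i] = (hi - lo) / 2      # dev(eps_i) scales the unit symbol b_i
    return M


def matvec(M, v):
    return [sum(row[j] * v[j] for j in range(len(v))) for row in M]


def support_B(v):
    """delta(v | B) = ||v||_1 for B the unit ball of the infinity norm."""
    return sum(abs(x) for x in v)


def box_included(inner, outer):
    return all(lo >= olo and hi <= ohi for (lo, hi), (olo, ohi) in zip(inner, outer))


def box_union(bx, by):
    return [(min(a, c), max(b, d)) for (a, b), (c, d) in zip(bx, by)]


def leq(X, Z):
    """X <=_{1x2} Z: the box of X lies inside the box of Z and
    delta(M^X (alpha^X - alpha^Z) | B) + tau^X <= tau^Z, with M^X built
    from the (smaller) box of X."""
    aX, tX, bX = X
    aZ, tZ, bZ = Z
    if not box_included(bX, bZ):
        return False
    diff = [x - z for x, z in zip(aX, aZ)]
    return support_B(matvec(build_M(bX), diff)) + tX <= tZ


def is_upper_bound(X, Y, Z):
    return leq(X, Z) and leq(Y, Z)


def concretize(X):
    """Interval [X] of alpha_0 + sum alpha_i eps_i + tau eta, eta in [-1, 1]."""
    alpha, tau, box = X
    lo, hi = alpha[0] - tau, alpha[0] + tau
    for a, (l, h) in zip(alpha[1:], box):
        lo += min(a * l, a * h)
        hi += max(a * l, a * h)
    return (lo, hi)


# Data of Example 6.2.3 as exact rationals: X, Y and the two upper bounds T, Z.
X_EX = ([F(1), F(-1), F(2)], F(0), [(F(-1), F(0)), (F(0), F(1, 2))])
Y_EX = ([F(2), F(1), F(1)], F(0), [(F(-1, 2), F(1, 2)), (F(0), F(1))])
UNION = box_union(X_EX[2], Y_EX[2])                 # 1 x [-1, 0.5] x [0, 1]
T_EX = ([F(7, 4), F(0), F(1)], F(3, 4), UNION)      # alpha_2 = 1 gives [T] = [1, 3.5]
Z_EX = ([F(17, 10), F(1, 5), F(8, 5)], F(7, 10), UNION)

if __name__ == "__main__":
    for name, C in (("T", T_EX), ("Z", Z_EX)):
        lo, hi = concretize(C)
        print(name, "upper bound of X and Y:", is_upper_bound(X_EX, Y_EX, C),
              " [%s] = [%s, %s]" % (name, float(lo), float(hi)))
    print("T and Z comparable:", leq(T_EX, Z_EX) or leq(Z_EX, T_EX))
```

Both $T$ and $Z$ pass the check with the inequality tight ($0.75$ and $0.7$ respectively), neither is below the other, and the alternative $\alpha^T_2 = 0.75$ violates the $X$ condition ($0.875 > 0.75$).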

We look for the set of $\alpha \in \mathbb{R}^{n+1}$ that minimizes the maximum above. If this set is not empty, by Proposition 6.2.2 each of its elements, together with the minimal value, yields a mub of $X$ and $Y$. Formally, we define $\bar\alpha$ and $\bar\tau$ as being respectively the optimal vector and the optimal value of the following minimax problem
$$ \bar\tau = \min_{\alpha \in \mathbb{R}^{n+1}} \max\{\delta(M^X(\alpha^X - \alpha) \mid B) + \tau^X,\ \delta(M^Y(\alpha^Y - \alpha) \mid B) + \tau^Y\} . $$

We can rewrite the maximum of two real numbers as the maximum of a linear real-valued function, using the lemma below:

6.2.4 Lemma. Let $a$ and $b$ be two real numbers. Then
$$ \max\{a, b\} = \max_{\lambda \in [0,1]} \lambda a + (1 - \lambda) b . $$

Proof. If $a \leq b$, then $\max\{a, b\} = b$. On the other hand, $f(\lambda) \stackrel{\text{def}}{=} \lambda a + (1 - \lambda) b = \lambda(a - b) + b$ is an affine function with a non-positive slope $(a - b)$, thus it reaches its maximum at $\lambda = 0$, that is $\max_{\lambda \in [0,1]} \lambda a + (1 - \lambda) b = b$. The case $b \leq a$ is similar (just interchange $a$ and $b$).

6.2.5 Definition (Minimal perturbation of two CAF). The minimal perturbation $\bar\tau$ is the optimal value of the following problem
$$ \bar\tau = \inf_{\alpha \in \mathbb{R}^{n+1}} \sup_{\lambda \in [0,1]} L(\alpha, \lambda), $$
where $L : \mathbb{R}^{n+1} \times [0,1] \to \mathbb{R}$ maps $(\alpha, \lambda)$ to
$$ \lambda\big(\delta(M^X(\alpha^X - \alpha) \mid B) + \tau^X\big) + (1 - \lambda)\big(\delta(M^Y(\alpha^Y - \alpha) \mid B) + \tau^Y\big) . \tag{6.2.1} $$


Matrix $M^X$ is a square matrix of dimension $(n+1) \times (n+1)$; its determinant is equal to
$$ \prod_{i=1}^{n} \mathrm{dev}(\epsilon^X_i) . $$
If none of the intervals $\epsilon^X_i$ is reduced to a point, the matrix is non-singular. For the sake of readability, the special case where these matrices are singular, that is where some noise symbols' intervals are reduced to points, is left to a separate section (see Section 16). From now on we suppose that the matrices $M^X$ and $M^Y$ are non-singular.

The rest of this section details our approach to solving efficiently the minimax problem of Definition 6.2.5. We first characterize the set of solutions, then solve the system of equations obtained. Throughout these steps, each step is exemplified using the same running example:

6.2.6 Example. We would like to compute $(\bar\alpha, \bar\tau)$ such that $Z = (\bar\alpha, \bar\tau, 1 \times [-1, 0.5] \times [0, 1])$ is a mub of $X$ and $Y$, defined by
$$ X = ((1, -1, 2), 0, 1 \times [-1, 0] \times [0, 0.5]), \qquad Y = ((2, 1, 1), 0, 1 \times [-0.5, 0.5] \times [0, 1]) . $$
The matrices $M^X$ and $M^Y$, related to $\Phi^X_\epsilon$ and $\Phi^Y_\epsilon$ respectively, are
$$ M^X \stackrel{\text{def}}{=} \begin{pmatrix} 1 & -0.5 & 0.25 \\ 0 & 0.5 & 0 \\ 0 & 0 & 0.25 \end{pmatrix}, \qquad M^Y \stackrel{\text{def}}{=} \begin{pmatrix} 1 & 0 & 0.5 \\ 0 & 0.5 & 0 \\ 0 & 0 & 0.5 \end{pmatrix} . $$
(The first row holds the midpoints of the noise symbols' intervals and the diagonal their deviations, so that $\alpha^*(1, \epsilon) = (M\alpha)^*(1, b)$ with $b \in B$.)

Characterization of the Set of Mubs with Minimal Perturbation

The points $(\bar\alpha, \bar\lambda)$ solving the minimax problem of Definition 6.2.5 are known as the saddle-points of the function $L$ defined over $\mathbb{R}^{n+1} \times [0, 1]$.

6.2.7 Definition (Saddle-point). Let $L$ be a convex-concave function from $C \times D$ to $[-\infty, +\infty]$. A point $(\bar u, \bar v)$ is a saddle-point of $L$ with respect to minimizing over $C$ and maximizing over $D$ if $(\bar u, \bar v) \in C \times D$ and
$$ \forall u \in C,\ \forall v \in D,\quad L(\bar u, v) \leq L(\bar u, \bar v) \leq L(u, \bar v) . $$

When we fix $v$ to $\bar v$, the convex function $L$, seen as a function of $u$, achieves its minimum at $u = \bar u$. Likewise, when we fix $u$ to $\bar u$, the concave function $L$, seen as a function of $v$, achieves its maximum at $v = \bar v$ (see Figure 6.1 [wik]).


Figure 6.1: Function $f(x, y) = x^2 - y^2$ and its saddle-point $(0, 0)$, depicted in red.

The lemma below shows that, whenever a saddle-point exists, one has
$$ \sup_{v \in D} \inf_{u \in C} L(u, v) = \inf_{u \in C} \sup_{v \in D} L(u, v) = L(\bar u, \bar v) . $$
The value $L(\bar u, \bar v)$ is called the saddle-value of $L$.

6.2.8 Lemma. Let $L$ be any convex-concave function from a non-empty product set $C \times D$ to $[-\infty, +\infty]$. A point $(\bar u, \bar v)$ is a saddle-point of $L$ with respect to minimizing over $C$ and maximizing over $D$ if and only if the supremum of the expression
$$ \inf_{u \in C} L(u, v) $$
is attained at $\bar v$, the infimum of the expression
$$ \sup_{v \in D} L(u, v) $$
is attained at $\bar u$, and these two extrema are equal. If $(\bar u, \bar v)$ is a saddle-point, the saddle-value of $L$ is by definition $L(\bar u, \bar v)$.

One can start by fixing $v$, then computing the infimum of $L$ (as a function of $u$), and finally maximizing this infimum by varying $v$; or fixing $u$, then computing the supremum of $L$ (as a function of $v$), and finally minimizing this supremum. Both cases need a characterization of the set of points that optimize (minimize or maximize) the function $L$, either with respect to $u$ or to $v$.

Differential theory offers a suitable toolset for characterizing such a set of optimum points whenever the objective function is differentiable (a function whose derivative exists at each point of its domain). In our case, the function $L$ of equation (6.2.1) is not differentiable in the usual sense with respect to $\alpha$. Indeed, the function can be seen as a sum of absolute value functions, which are not differentiable at 0.

Instead, we use a weaker notion of differentiability, from the subdifferential theory, which requires only the convexity of the function. We first recall the definition of a subgradient, then that of the subdifferential of a convex function from $\mathbb{R}^n$ to $\mathbb{R}$ at a point $x$ of its domain.

6.2.9 Definition (Subgradient). A vector $t$ is said to be a subgradient of a convex function $f$ at a point $x$ if
$$ \forall z,\quad f(z) \geq f(x) + \langle t, z - x \rangle . $$
If the function $f$ is differentiable at $x$, then its only subgradient is its gradient, that is the vector whose components are the partial derivatives of $f$, usually denoted by $\nabla f$:
$$ \nabla f \stackrel{\text{def}}{=} \Big( \frac{\partial f}{\partial x_1}, \ldots, \frac{\partial f}{\partial x_n} \Big) $$
evaluated at $x$.

The intuitive geometrical meaning of the subgradient inequality of Definition 6.2.9 for a convex function $f : \mathbb{R}^n \to \mathbb{R}$ at $x$ is that the graph of the affine function $h(z) = f(x) + \langle t, z - x \rangle$ is a non-vertical supporting hyperplane to the epigraph (recalled hereafter) $\mathrm{epi}\, f$ at the point $(x, f(x))$.

6.2.10 Definition (Epigraph). Let $f$ be a function whose values are real or $\pm\infty$ and whose domain is a subset $S$ of $\mathbb{R}^p$. The set
$$ \{(x, \mu) \mid x \in S,\ \mu \in \mathbb{R},\ \mu \geq f(x)\} $$
is called the epigraph of $f$ and is denoted by $\mathrm{epi}\, f$.

In Figure 6.2, we depict the epigraph of the function $f : \mathbb{R} \to \mathbb{R}$, $f(x) = x^2$, which is a convex set of dimension 2 (the gray area). Since the function is differentiable, the hyperplane $h(z)$ is the tangent (hyperplanes of dimension 2 are lines) to the graph of the function at the point $x$; $\nabla f$ at $x$ gives the slope of that tangent. Here, this slope is the subgradient $t$ mentioned in Definition 6.2.9.

Figure 6.2: epigraph of $f(x) = x^2$ and the unique subgradient $t = 2$ at $x = 1$.

Figure 6.3: subgradients of $f(x) = |x|$ at $x = 0$ (the two drawn have slopes $t = 2/3$ and $t = -1/2$).

In Figure 6.3, the absolute value function is not differentiable at 0; however, it has infinitely many subgradients at $x = 0$ (for instance $t = 2/3$ and $t = -1/2$). The gray area shows the epigraph of the absolute value function. Observe that if $t$ is outside $[-1, 1]$, the hyperplane no longer supports the epigraph.

Since many subgradients may exist at a given point $x$, the set of these subgradients is called the subdifferential of $f$ at $x$.

6.2.11 Definition (Subdifferential). The set of all subgradients of $f$ at $x$ is called the subdifferential of $f$ at $x$ and is denoted by $\partial f(x)$. If the set $\partial f(x)$ is not empty, the function $f$ is said to be subdifferentiable at $x$.

For instance, for the absolute value function, the subdifferential at 0 is the interval $[-1, 1]$, whereas elsewhere it is the singleton $\{1\}$ if $x$ is positive and $\{-1\}$ if $x$ is negative.

With respect to Definition 6.2.9 of a subgradient, given a convex function $f : \mathbb{R}^n \to \mathbb{R}$, if $0 \in \partial f(x)$, the subdifferential of $f$ at $x$, then
$$ \forall z \in \mathbb{R}^n,\quad f(z) \geq f(x), $$
thus $x$ is a global minimum of the function $f$. Reciprocally, if $x$ is a global minimum of the function, by definition the inequality above holds, which makes $0 \in \partial f(x)$.


Dually, if $f$ is a concave function, then $-f : x \mapsto -f(x)$ is convex. Therefore, if $0 \in \partial(-f)(x)$, then
$$ \forall z \in \mathbb{R}^n,\quad -f(z) \geq -f(x), $$
which makes $x$ a global maximum of the function $f$.

For our function $L$ defined in equation (6.2.1), we first prove the existence of saddle-points.

6.2.12 Proposition. The convex-concave function $L$ defined in equation (6.2.1) has a saddle-point.

Proof. The proof is a direct application of [Roc70, Chapter 37, Theorem 37.6], which states that if (i) the functions $-L_\alpha : \lambda \mapsto -L(\alpha, \lambda)$, defined over $]0, 1[$, have no common direction of recession, and (ii) the functions $L_\lambda : \alpha \mapsto L(\alpha, \lambda)$, defined over $\mathbb{R}^{n+1}$, also have no common direction of recession, then $L(\alpha, \lambda)$ has a saddle-point. The set of directions of recession of a convex function $f$ is defined by
$$ \{ y \mid y \neq 0,\ \forall \mu \geq 0,\ \forall x \text{ such that } f^+(x) \leq 0,\ f^+(x + \mu y) \leq 0 \}, $$
where $f^+$ denotes the recession function of $f$, which can be defined by $f^+(x) \stackrel{\text{def}}{=} \lim_{\theta \to 0} \theta f(\theta^{-1} x)$ (see footnote 1). Since for all $\alpha$ the domain of $-L_\alpha(\lambda)$ is bounded ($]0, 1[$), condition (i) is fulfilled. For (ii), since $\lim_{\theta \to 0} \theta\,\delta(M^X(\alpha^X - \theta^{-1}\alpha) \mid B) = \delta(-M^X\alpha \mid B) = \|M^X\alpha\|_1$, and similarly for $M^Y$, we have
$$ L_\lambda^+(\alpha) = \lim_{\theta \to 0} \theta L_\lambda(\theta^{-1}\alpha) = \lambda\,\delta(M^X\alpha \mid B) + (1 - \lambda)\,\delta(M^Y\alpha \mid B) = \lambda\|M^X\alpha\|_1 + (1 - \lambda)\|M^Y\alpha\|_1 . $$
Then, for all $\lambda \in ]0, 1[$, the set of $\alpha$ such that $L_\lambda^+(\alpha) \leq 0$ is $\{0\}$, as $M^X$ and $M^Y$ are non-singular, and (ii) is also satisfied.

Let $(\bar\alpha, \bar\lambda)$ denote a saddle-point of $L$. Then, by definition of saddle-points,
$$ \forall \alpha \in \mathbb{R}^{n+1},\ \forall \lambda \in [0, 1],\quad L(\bar\alpha, \lambda) \leq L(\bar\alpha, \bar\lambda) \leq L(\alpha, \bar\lambda), $$
which makes $\bar\lambda$ a global maximum of the (linear) function
$$ L_{\bar\alpha} : \lambda \mapsto L(\bar\alpha, \lambda), \tag{$L_{\bar\alpha}$} $$
and $\bar\alpha$ a global minimum of the non-linear convex function
$$ L_{\bar\lambda} : \alpha \mapsto L(\alpha, \bar\lambda) . \tag{$L_{\bar\lambda}$} $$
Therefore, we can use the subdifferential characterization, namely
$$ 0 \in \partial(-L_{\bar\alpha})(\bar\lambda) \quad\text{and}\quad 0 \in \partial L_{\bar\lambda}(\bar\alpha) . $$

In the sequel, we seek $\bar\alpha \in \mathbb{R}^{n+1}$ and $\bar\lambda \in [0, 1]$ that satisfy these conditions. We start with the easier one, that is $\partial(-L_{\bar\alpha})(\bar\lambda)$, and then focus on $\partial L_{\bar\lambda}(\bar\alpha)$.

¹ This formula holds in our case because the hypothesis $0 \in \mathrm{dom}\, f$ is satisfied for both functions $-L_\alpha(\lambda)$ and $L_\lambda(\alpha)$.

Computing the set $\partial(-L_\alpha)(\lambda)$ for $\lambda \in [0, 1]$ is immediate. Since the function $L_\alpha(\lambda)$ is linear, it is differentiable, and its derivative is straightforward:
$$ L_\alpha(\lambda) = \lambda\big(\delta(M^X(\alpha^X - \alpha) \mid B) + \tau^X\big) + (1 - \lambda)\big(\delta(M^Y(\alpha^Y - \alpha) \mid B) + \tau^Y\big) = a_\alpha \lambda + b_\alpha, $$
where
$$ a_\alpha = \delta(M^X(\alpha^X - \alpha) \mid B) + \tau^X - \delta(M^Y(\alpha^Y - \alpha) \mid B) - \tau^Y, \qquad b_\alpha = \delta(M^Y(\alpha^Y - \alpha) \mid B) + \tau^Y . $$

We have to be cautious with the subdifferential of the linear function at the borders of its domain, that is $\lambda = 0$ and $\lambda = 1$. Between these borders, the subdifferential matches the differential of the function, that is its slope: $\{-a_\alpha\}$ for $-L_\alpha$.

Figure 6.4 depicts the epigraph of $-L_\alpha(\lambda)$ (that is $-a_\alpha\lambda - b_\alpha$) and some of its subgradients at $\lambda = 0$ and $\lambda = 1$. Observe that the subgradient 0, drawn as a horizontal red line, is an element of $\partial(-L_\alpha)(1)$. Indeed, when the slope is negative ($-a_\alpha < 0$), the global minimum of the function is reached at $\lambda = 1$. Dually, the maximum (which interests us) of $L_\alpha(\lambda) = a_\alpha\lambda + b_\alpha$ when $-a_\alpha < 0$ (or $a_\alpha > 0$) is also reached at $\lambda = 1$.

Thus, we conclude with
$$ \partial(-L_\alpha)(\lambda) = \begin{cases} \{-a_\alpha\} & \text{if } \lambda \in ]0, 1[ \\ (-\infty, -a_\alpha] & \text{if } \lambda = 0 \\ [-a_\alpha, +\infty) & \text{if } \lambda = 1 \end{cases} \tag{$\partial$} $$

The proposition below summarizes the characterization of $\bar\lambda$. For the sake of clarity, we recall the expression of $a_\alpha$ defined earlier to emphasize the linearity of $L_\alpha(\lambda)$.

Figure 6.4: Subgradients of $-L_\alpha(\lambda)$ at $\lambda = 0$ and $\lambda = 1$.

6.2.13 Proposition. Let $a_\alpha = \delta(M^X(\alpha^X - \alpha) \mid B) + \tau^X - \delta(M^Y(\alpha^Y - \alpha) \mid B) - \tau^Y$, where $\alpha$ is an unknown vector of $\mathbb{R}^{n+1}$. Then

• if $a_\alpha = 0$, then $\bar\lambda$ may be any real number within $[0, 1]$;

• if $a_\alpha < 0$, then necessarily $\bar\lambda = 0$;

• if $a_\alpha > 0$, then necessarily $\bar\lambda = 1$.

Proof. The proposition is immediate from the computation of $\partial(-L_\alpha)(\lambda)$ given in equation ($\partial$).

The first case indicates that if the slope of the linear function is null, then every point of the domain of the function is a global maximum (and minimum). The last two cases formalize the intuition that if $a_\alpha < 0$ (resp. $> 0$), then the linear function $a_\alpha\lambda + b_\alpha$ is decreasing (resp. increasing), so its global maximum is reached for $\lambda = 0$ (resp. $\lambda = 1$).

Proposition 6.2.13 gives the first relation between $\bar\lambda$ and $\bar\alpha$, the two components of the saddle-point we seek. The second and non-trivial relation is derived from $0 \in \partial L_{\bar\lambda}(\bar\alpha)$. We detail hereafter, step by step, the way we derive it.

The remaining difficult part is the computation of $\partial L_{\bar\lambda}(\bar\alpha)$, or more precisely the characterization of $\bar\alpha$ such that the subdifferential $\partial L_{\bar\lambda}(\bar\alpha)$ contains 0. To this aim, we use a central theorem which links the subgradients to the Fenchel conjugate (see Definition 6.2.14) of a convex function.


We first define the Fenchel conjugate of a given convex function, and then state, without proof (see footnote 2), the theorem to be used.

6.2.14 Definition (Conjugate of a Convex Function). Let $f$ be a convex function on $\mathbb{R}^n$. We define the function $f^*$ on $\mathbb{R}^n$, called the conjugate of $f$, by
$$ f^*(t) \stackrel{\text{def}}{=} \sup\{\langle x, t \rangle - f(x) \mid x \in \mathbb{R}^n\} . $$

For instance, the support function $\delta(\cdot \mid C)$ we use for the order (see Definition 4.3.1) is the conjugate of the indicator function of $C$:

6.2.15 Definition (Indicator Function). Let $C$ be a subset of $\mathbb{R}^n$, then
$$ \delta^*(x \mid C) \stackrel{\text{def}}{=} \begin{cases} 0 & \text{if } x \in C, \\ +\infty & \text{if } x \notin C . \end{cases} $$
Clearly, $C$ is a convex set if and only if its indicator function is a convex function on $\mathbb{R}^n$.

Notice that elsewhere we use the $*$ notation to denote the conjugate of a given function; in $\delta^*(x \mid C)$ the star is part of the name and carries no operator meaning.

The theorem below shows that the conjugate $f^*$ of a convex function $f$ is at the heart of the characterization of the subdifferential of $f$.

6.2.16 Theorem (Duality and Subgradients). For any proper convex function $f$ and any vector $x$, the following four conditions on a vector $t$ are equivalent to each other:

(a) $t \in \partial f(x)$;

(b) $\langle z, t \rangle - f(z)$ achieves its supremum in $z$ at $z = x$;

(c) $f(x) + f^*(t) \leq \langle x, t \rangle$;

(d) $f(x) + f^*(t) = \langle x, t \rangle$.

² To be concise and focus on our computations, we chose to state some well-known theorems without proofs. Please refer to [Roc70], for instance Chapter 23, Theorem 23.5, for detailed proofs.


A proper convex function is a convex function whose epigraph does not contain a vertical line, that is, a convex function $f$ with $\mathrm{epi}\, f$ non-empty (there is at least one $x$ such that $f(x) < +\infty$) and $f(x) > -\infty$ for every $x$. Simple improper convex functions are the constant functions $x \mapsto +\infty$ and $x \mapsto -\infty$.

The characterization of the set of $\bar\alpha$ such that $0 \in \partial L_{\bar\lambda}(\bar\alpha)$ is then a corollary of Theorem 6.2.16.

6.2.17 Corollary. We have $0 \in \partial L_{\bar\lambda}(\bar\alpha)$ if and only if
$$ L_{\bar\lambda}(\bar\alpha) + L_{\bar\lambda}^*(0) = 0 . $$

Proof. Once we prove that the function $L_{\bar\lambda}$ is a proper convex function, the corollary is immediate from Theorem 6.2.16 using the equivalence between (a) and (d) for $t = 0$. The epigraph of $L_{\bar\lambda}$ is a non-empty subset of $\mathbb{R}^{n+1} \times \mathbb{R}$, the function is finite for at least one $\alpha$, and by definition $L_{\bar\lambda} > -\infty$ for every $\alpha \in \mathbb{R}^{n+1}$.

6.2.18 Lemma. The conjugate of the function $L_{\bar\lambda}$ evaluated at 0, that is $L_{\bar\lambda}^*(0)$, is equal to
$$ -\delta\big(\alpha^X - \alpha^Y \,\big|\, \bar\lambda M^{X*}B \cap (1 - \bar\lambda)M^{Y*}B\big) - \bar\lambda\tau^X - (1 - \bar\lambda)\tau^Y . $$

Proof. The proof is mainly an application of properties and operations of the Fenchel conjugate of convex functions. The detailed proof is given in Appendix B.1.

Corollary 6.2.17, together with Lemma 6.2.18, gives the second relation between $\bar\alpha$ and $\bar\lambda$.

6.2.19 Proposition. A vector $\bar\alpha$ such that $\partial L_{\bar\lambda}(\bar\alpha)$ contains 0 satisfies:
$$ \bar\lambda\,\delta(M^X(\bar\alpha - \alpha^X) \mid B) + (1 - \bar\lambda)\,\delta(M^Y(\bar\alpha - \alpha^Y) \mid B) = \delta\big(\alpha^X - \alpha^Y \,\big|\, \bar\lambda M^{X*}B \cap (1 - \bar\lambda)M^{Y*}B\big) . $$

The following theorem summarizes the two main propositions, Proposition 6.2.13 and Proposition 6.2.19, that establish the relations $\bar\alpha$ and $\bar\lambda$ have to satisfy for $(\bar\alpha, \bar\lambda)$ to be a saddle-point of $L(\alpha, \lambda)$.


6.2.20 Theorem.

• If $\delta(M^Y(\alpha^Y - \alpha^X) \mid B) < \tau^Y - \tau^X$, then $(\alpha^Y, 0)$ is the unique saddle-point of $L$. Its saddle-value is $\tau^Y$.

• If $\delta(M^Y(\alpha^Y - \alpha^X) \mid B) = \tau^Y - \tau^X$ and $\alpha^Y \neq \alpha^X$, then $L$ admits infinitely many saddle-points, all with $\bar\alpha = \alpha^Y$. The saddle-value is $\tau^Y$.

• If $\delta(M^X(\alpha^Y - \alpha^X) \mid B) < \tau^X - \tau^Y$, then $(\alpha^X, 1)$ is the unique saddle-point of $L$. Its saddle-value is $\tau^X$.

• If $\delta(M^X(\alpha^Y - \alpha^X) \mid B) = \tau^X - \tau^Y$ and $\alpha^Y \neq \alpha^X$, then $L$ admits infinitely many saddle-points, all with $\bar\alpha = \alpha^X$. The saddle-value is $\tau^X$.

• Otherwise, $\delta(M^Y(\alpha^Y - \alpha^X) \mid B) > |\tau^Y - \tau^X|$ and $\delta(M^X(\alpha^Y - \alpha^X) \mid B) > |\tau^X - \tau^Y|$, and $(\bar\alpha, \bar\lambda)$ satisfies:
$$ \bar\lambda \in ]0, 1[, $$
$$ \delta(M^X(\bar\alpha - \alpha^X) \mid B) + \tau^X = \delta(M^Y(\bar\alpha - \alpha^Y) \mid B) + \tau^Y, $$
$$ \bar\lambda\,\delta(M^X(\bar\alpha - \alpha^X) \mid B) + (1 - \bar\lambda)\,\delta(M^Y(\bar\alpha - \alpha^Y) \mid B) = \delta\big(\alpha^X - \alpha^Y \,\big|\, \bar\lambda M^{X*}B \cap (1 - \bar\lambda)M^{Y*}B\big) . $$

Proof. The proof is mainly a discussion about the combination of Propositions 6.2.19 and 6.2.13. The lengthy detailed proof can be found in Appendix B.2.

Theorem 6.2.20 is not sufficient to compute automatically the saddle-points of $L$ whenever $\delta(M^Y(\alpha^Y - \alpha^X) \mid B) > |\tau^Y - \tau^X|$ and $\delta(M^X(\alpha^Y - \alpha^X) \mid B) > |\tau^X - \tau^Y|$. It gives instead a system of equations that have to be satisfied by the saddle-points. Observe that in the last case of Theorem 6.2.20, $\bar\lambda \notin \{0, 1\}$, as this would violate the hypothesis of that case. The next section focuses on solving these equations while presenting an algorithm which returns a saddle-point of $L$.
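As an added check (not part of the thesis), the last case of Theorem 6.2.20 can be verified by hand on the data of Examples 6.2.3 and 6.2.6, taking $\bar\alpha = (1.7, 0.2, 1.6)$ (the $Z$ of Example 6.2.3), $\bar\lambda = 0.6$ and $u_{\bar\lambda} = (-0.2, -0.2, 0.1)$, the maximizer of $\langle \alpha^X - \alpha^Y, \cdot \rangle$ over $\bar\lambda M^{X*}B \cap (1 - \bar\lambda)M^{Y*}B$ obtained in the running example of the next section, so that $\delta(\alpha^X - \alpha^Y \mid \bar\lambda M^{X*}B \cap (1 - \bar\lambda)M^{Y*}B) = \langle \alpha^X - \alpha^Y, u_{\bar\lambda} \rangle$. The case applies since, with $\alpha^Y - \alpha^X = (1, 2, -1)$ and $\tau^X = \tau^Y = 0$,
$$ \delta(M^Y(1, 2, -1)^* \mid B) = \|(0.5, 1, -0.5)\|_1 = 2 > 0, \qquad \delta(M^X(1, 2, -1)^* \mid B) = \|(-0.25, 1, -0.25)\|_1 = 1.5 > 0 . $$
For the second relation,
$$ \begin{aligned} M^X(\bar\alpha - \alpha^X) &= M^X(0.7, 1.2, -0.4)^* = (0, 0.6, -0.1)^*, & \delta(M^X(\bar\alpha - \alpha^X) \mid B) + \tau^X &= 0.7, \\ M^Y(\bar\alpha - \alpha^Y) &= M^Y(-0.3, -0.8, 0.6)^* = (0, -0.4, 0.3)^*, & \delta(M^Y(\bar\alpha - \alpha^Y) \mid B) + \tau^Y &= 0.7 . \end{aligned} $$
For the third relation,
$$ 0.6 \cdot 0.7 + 0.4 \cdot 0.7 = 0.7 = \langle (-1, -2, 1), (-0.2, -0.2, 0.1) \rangle = 0.2 + 0.4 + 0.1 . $$
The saddle-value $L(\bar\alpha, \bar\lambda) = 0.7$ is the perturbation $\bar\tau$ of $Z$ in Example 6.2.3, as expected from Definition 6.2.5.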


Computation of the Set of Mubs that Minimize the Perturbation

Let $\lambda$ be a fixed element of $]0, 1[$, and $u_\lambda$ be a vector of $\lambda M^{X*}B \cap (1 - \lambda)M^{Y*}B$ such that
$$ \langle \alpha^X - \alpha^Y, u_\lambda \rangle = \delta\big(\alpha^X - \alpha^Y \,\big|\, \lambda M^{X*}B \cap (1 - \lambda)M^{Y*}B\big) . $$
The vector $u_\lambda$ exists as the convex set $\lambda M^{X*}B \cap (1 - \lambda)M^{Y*}B$ is compact and non-empty (it contains at least $0$). We know, by definition of the saddle-point, that $\bar\lambda$ maximizes $L_{\bar\alpha}$ defined in equation ($L_{\bar\alpha}$). So our approach is twofold: we first seek the pair $(\bar\lambda, u_{\bar\lambda})$ that maximizes $L_{\bar\alpha}$; we then deduce $\bar\alpha$. Since the expression of $L_{\bar\alpha}$ depends on $\bar\alpha$, we need to overcome this dependency. This can be done using Proposition 6.2.19 together with the definition of $u_\lambda$ introduced above. Indeed $L_{\bar\alpha}(\bar\lambda) = L(\bar\alpha, \bar\lambda)$, which gives
$$ L_{\bar\alpha}(\bar\lambda) = \langle \alpha^X - \alpha^Y, u_{\bar\lambda} \rangle + \bar\lambda\tau^X + (1 - \bar\lambda)\tau^Y . $$
Therefore, $\bar\lambda$ is the optimal solution of the following non-linear optimization problem:
$$ \begin{array}{ll} \max & \langle \alpha^X - \alpha^Y, u_\lambda \rangle + \lambda\tau^X + (1 - \lambda)\tau^Y \\ \text{s.t.} & 0 < \lambda < 1 \\ & u_\lambda \in \lambda M^{X*}B \cap (1 - \lambda)M^{Y*}B \end{array} \tag{P} $$

Solving (P)

The dimension of (P) is $n + 2$, since the unknown vector $u_\lambda$ is an element of $\mathbb{R}^{n+1}$. To solve (P), we first reduce the dimension of the problem from $n + 2$ to 2. We hence obtain a much simpler non-linear optimization problem, defined and then solved at the end of this section.

We start with our running example 6.2.6 to bring closer the idea we apply later to the general case. Let $u_\lambda = (u_0, u_1, u_2)^*$; the constraint $u_\lambda \in \lambda M^{X*}B \cap (1 - \lambda)M^{Y*}B$ is equivalent to
$$ \lambda^{-1} M^{X*-1} u_\lambda \in B \quad\text{and}\quad (1 - \lambda)^{-1} M^{Y*-1} u_\lambda \in B . $$
The inverses of $\lambda$ and $(1 - \lambda)$ are finite since $\lambda$ is within $]0, 1[$. The matrices $M^X$ and $M^Y$ are non-singular as we are restricted to the case where all deviations of the interval concretisations of noise symbols are non-null. We recall the matrices $M^X$ and $M^Y$:
$$ M^X = \begin{pmatrix} 1 & -0.5 & 0.25 \\ 0 & 0.5 & 0 \\ 0 & 0 & 0.25 \end{pmatrix}, \qquad M^Y = \begin{pmatrix} 1 & 0 & 0.5 \\ 0 & 0.5 & 0 \\ 0 & 0 & 0.5 \end{pmatrix}, $$


which gives
$$ M^{X*-1} = \begin{pmatrix} 1 & 0 & 0 \\ 1 & 2 & 0 \\ -1 & 0 & 4 \end{pmatrix}, \qquad M^{Y*-1} = \begin{pmatrix} 1 & 0 & 0 \\ 0 & 2 & 0 \\ -1 & 0 & 2 \end{pmatrix}, $$
and one has:
$$ \lambda^{-1} M^{X*-1} u_\lambda \in B \iff \begin{cases} -\lambda \leq u_0 \leq \lambda \\ -\lambda \leq u_0 + 2u_1 \leq \lambda \\ -\lambda \leq -u_0 + 4u_2 \leq \lambda \end{cases} $$
and
$$ (1 - \lambda)^{-1} M^{Y*-1} u_\lambda \in B \iff \begin{cases} -(1 - \lambda) \leq u_0 \leq (1 - \lambda) \\ -(1 - \lambda) \leq 2u_1 \leq (1 - \lambda) \\ -(1 - \lambda) \leq -u_0 + 2u_2 \leq (1 - \lambda) \end{cases} $$
Combined together, these constraints lead to
$$ \max\{-\lambda, -(1 - \lambda)\} \leq u_0 \leq \min\{\lambda, (1 - \lambda)\} $$
$$ \max\Big\{\frac{-\lambda - u_0}{2}, \frac{-(1 - \lambda)}{2}\Big\} \leq u_1 \leq \min\Big\{\frac{\lambda - u_0}{2}, \frac{1 - \lambda}{2}\Big\} $$
$$ \max\Big\{\frac{-\lambda + u_0}{4}, \frac{-(1 - \lambda) + u_0}{2}\Big\} \leq u_2 \leq \min\Big\{\frac{\lambda + u_0}{4}, \frac{(1 - \lambda) + u_0}{2}\Big\} $$
or equivalently, using only the min operator ($\max\{a, b\} = -\min\{-a, -b\}$):
$$ -\min\{\lambda, (1 - \lambda)\} \leq u_0 \leq \min\{\lambda, (1 - \lambda)\} $$
$$ -\min\Big\{\frac{\lambda + u_0}{2}, \frac{1 - \lambda}{2}\Big\} \leq u_1 \leq \min\Big\{\frac{\lambda - u_0}{2}, \frac{1 - \lambda}{2}\Big\} $$
$$ -\min\Big\{\frac{\lambda - u_0}{4}, \frac{(1 - \lambda) - u_0}{2}\Big\} \leq u_2 \leq \min\Big\{\frac{\lambda + u_0}{4}, \frac{(1 - \lambda) + u_0}{2}\Big\} . $$

We also know that $\alpha^X_0 - \alpha^Y_0 = 1 - 2 = -1$, $\alpha^X_1 - \alpha^Y_1 = -1 - 1 = -2$, $\alpha^X_2 - \alpha^Y_2 = 2 - 1 = 1$, and that $\tau^X = \tau^Y = 0$. We can now make explicit an upper bound of $\langle \alpha^X - \alpha^Y, u_\lambda \rangle + \lambda\tau^X + (1 - \lambda)\tau^Y$ by substituting $u_1$ and $u_2$ by their respective bounds (the lower bound for $u_1$, whose coefficient is negative, and the upper bound for $u_2$, whose coefficient is positive):
$$ \begin{aligned} \langle \alpha^X - \alpha^Y, u_\lambda \rangle + \lambda\tau^X + (1 - \lambda)\tau^Y &= -u_0 - 2u_1 + u_2 + 0 + 0 \\ &\leq -u_0 + 2\min\Big\{\frac{\lambda + u_0}{2}, \frac{1 - \lambda}{2}\Big\} + \min\Big\{\frac{\lambda + u_0}{4}, \frac{(1 - \lambda) + u_0}{2}\Big\} . \end{aligned} $$
This upper bound is reached whenever
$$ u_1 = -\min\Big\{\frac{\lambda + u_0}{2}, \frac{1 - \lambda}{2}\Big\}, \qquad u_2 = \min\Big\{\frac{\lambda + u_0}{4}, \frac{(1 - \lambda) + u_0}{2}\Big\} . $$


Thus, instead of maximizing $\langle \alpha^X - \alpha^Y, u_\lambda \rangle + \lambda\tau^X + (1 - \lambda)\tau^Y$, which is our original objective function, we maximize its (attained) upper bound. This ends the dimension reduction step: the original problem has dimension $n + 2 = 2 + 2 = 4$, the variables involved being $(u_0, u_1, u_2)$ and $\lambda$. The problem we now obtain has only 2 unknowns, namely $u_0$ and $\lambda$, and its feasible region is defined by
$$ 0 < \lambda < 1, \qquad -\min\{\lambda, (1 - \lambda)\} \leq u_0 \leq \min\{\lambda, (1 - \lambda)\} . $$

We formalize the general case of the dimension reduction step exempli-fied above. Then, we continue solving our running example before formal-izing the general case of the newly reduced optimization problem.

6.2.21 Proposition (Dimension Reduction). Let the pair $(\bar\lambda, \bar u_{\bar\lambda})$ be a solution of the optimization problem (P), and let $\bar u_i$ denote the $i$-th component of the vector $\bar u_{\bar\lambda}$. Then $\bar u_i$, $1 \leq i \leq n$, satisfies
$$ \bar u_i = \begin{cases} \min\{\bar\lambda\,\mathrm{dev}(\epsilon^X_i) + \mathrm{mid}(\epsilon^X_i)\,\bar u_0,\ (1 - \bar\lambda)\,\mathrm{dev}(\epsilon^Y_i) + \mathrm{mid}(\epsilon^Y_i)\,\bar u_0\} & \text{if } \mathrm{sign}(\alpha^X_i - \alpha^Y_i) = 1, \\[4pt] -\min\{\bar\lambda\,\mathrm{dev}(\epsilon^X_i) - \mathrm{mid}(\epsilon^X_i)\,\bar u_0,\ (1 - \bar\lambda)\,\mathrm{dev}(\epsilon^Y_i) - \mathrm{mid}(\epsilon^Y_i)\,\bar u_0\} & \text{if } \mathrm{sign}(\alpha^X_i - \alpha^Y_i) = -1, \\[4pt] \text{any real number} & \text{if } \alpha^X_i = \alpha^Y_i, \end{cases} $$
where the pair $(\bar\lambda, \bar u_0)$ is a solution of the following optimization problem
$$ \begin{array}{ll} \max & \tau^Y + (\alpha^X_0 - \alpha^Y_0)\,u_0 + (\tau^X - \tau^Y)\,\lambda + \displaystyle\sum_{i=1}^{n} (\alpha^X_i - \alpha^Y_i)\,u_i \\ \text{s.t.} & 0 < \lambda < 1 \\ & -\min\{\lambda, (1 - \lambda)\} \leq u_0 \leq \min\{\lambda, (1 - \lambda)\} \end{array} \tag{Pr} $$
in which the coordinates $u_i$, $1 \leq i \leq n$, are defined as $\bar u_i$ above, substituting $\bar\lambda$ with $\lambda$ and $\bar u_0$ with $u_0$ (so that each term $(\alpha^X_i - \alpha^Y_i)\,u_i$ equals $|\alpha^X_i - \alpha^Y_i|$ times the corresponding minimum).

Proof. The proof is a generalization of the computations previously done. The inverse of the matrix $M^*$ is
$$ (M^{*-1})_{(i,j)} = \begin{cases} 1 & \text{if } i = 1 \text{ and } j = 1, \\[4pt] -\dfrac{M_{(1,i)}}{M_{(i,i)}} & \text{if } i \neq 1 \text{ and } j = 1, \\[4pt] \dfrac{1}{M_{(i,i)}} & \text{if } i \neq 1 \text{ and } j = i, \\[4pt] 0 & \text{otherwise.} \end{cases} $$
Let $u_i$, $0 \leq i \leq n$, denote the $i$-th component of the vector $u_\lambda$. From the constraints $\lambda^{-1}M^{X*-1}u_\lambda \in B$ and $(1 - \lambda)^{-1}M^{Y*-1}u_\lambda \in B$ we deduce an (attained) upper bound for each component $u_i$, $i \geq 1$, as a function of $u_0$ (the first component) and $\lambda$, and an additional condition on $u_0$ and $\lambda$: $|u_0| \leq \min\{\lambda, (1 - \lambda)\}$. Using these upper bounds, we over-approximate the objective function of (P), which then involves only the two unknowns $u_0$ and $\lambda$. Therefore, the total dimension of the problem is reduced from $n + 2$ initially to 2 in (Pr).

The objective function of the optimization problem (Pr), denoted by $f(u_0, \lambda)$, has the form
$$ f(u_0, \lambda) \stackrel{\text{def}}{=} \tau^Y + \alpha_0 u_0 + (\tau^X - \tau^Y)\lambda + \sum_{i=1}^{n} \alpha_i \min\{a_i\lambda + b_i u_0,\ a'_i(1 - \lambda) + b'_i u_0\}, $$
where $\alpha_0 \stackrel{\text{def}}{=} \alpha^X_0 - \alpha^Y_0 \in \mathbb{R}$, $(\alpha_i)_{1 \leq i \leq n}$ are positive real numbers, $0 < a_i, a'_i \leq 1$, and $-1 \leq b_i, b'_i \leq 1$. The feasible region is drawn in Figure 6.5.

The function $f(u_0, \lambda)$ is concave: it is defined as a sum of concave functions $f_i$,
$$ f_i : (u_0, \lambda) \mapsto \alpha_i \min\{a_i\lambda + b_i u_0,\ a'_i(1 - \lambda) + b'_i u_0\}, $$
and a linear function $f_0$,
$$ f_0 : (u_0, \lambda) \mapsto \tau^Y + (\alpha^X_0 - \alpha^Y_0)\,u_0 + (\tau^X - \tau^Y)\,\lambda . $$
Each concave function $f_i$, $1 \leq i \leq n$, is piecewise linear, with its only kink on the line $L_i$,
$$ L_i \stackrel{\text{def}}{=} \{(\lambda, u_0) \mid a_i\lambda + b_i u_0 = a'_i(1 - \lambda) + b'_i u_0\}, \tag{$L_i$} $$
that is, where the two operands of the min operator are equal. Each line $L_i$ that intersects the feasible region divides it into two regions; in each region, the function $f_i$ is a linear function since the min operator evaluates to one of its two operands. Therefore, the lines $L_i$ that intersect the feasible region define a tiling of polygons, and in each polygon the objective function $f$ is an affine function. It is well known that an affine function defined over a bounded polytope achieves its maximum at (at least) one vertex of that polytope. The function $f$ therefore reaches its maximum at (at least) one of the vertices of the polygonal tiling defined by the lines $L_i$ and the borders of the feasible region.


For our running example, using Proposition 6.2.21, the problem (Pr) is

$$\begin{aligned}
\max\quad & -u_0 + 2\min\Big\{\frac{\lambda+u_0}{2}, \frac{1-\lambda}{2}\Big\} + \min\Big\{\frac{\lambda+u_0}{4}, \frac{1-\lambda+u_0}{2}\Big\} \\
\text{s.t.}\quad & 0 < \lambda < 1 \\
& |u_0| \leq \min\{\lambda, (1-\lambda)\}
\end{aligned}$$

Figure 6.6 depicts the feasible region (gray diamond), as well as the polygons' tiling defined by the lines $L_1$ and $L_2$ (see equation $(L_i)$):

$$L_1 \stackrel{\text{def}}{=} \{(\lambda, u_0) \mid \lambda + u_0 = (1-\lambda)\}, \qquad L_2 \stackrel{\text{def}}{=} \{(\lambda, u_0) \mid \lambda + u_0 = 2(1-\lambda+u_0)\}$$

We obtain 6 feasible vertices, and denote between parentheses, for each vertex, the evaluation of the objective function of (Pr). In this example, the optimal value 0.7 is reached by a unique vertex, which is the optimal solution, $(\lambda = 0.6, u_0 = -0.2)$, defined by the intersection of lines $L_1$ and $L_2$. Since $\mathrm{sign}(\alpha^X_1 - \alpha^Y_1) = -1$ and $\mathrm{sign}(\alpha^X_2 - \alpha^Y_2) = 1$, we deduce $u_1$ and $u_2$ from Proposition 6.2.21:

$$\begin{aligned}
u_1 &= -\min\Big\{\frac{\lambda+u_0}{2}, \frac{1-\lambda}{2}\Big\} = -\min\{0.4, 0.2\} = -0.2 \\
u_2 &= \min\Big\{\frac{\lambda+u_0}{4}, \frac{1-\lambda+u_0}{2}\Big\} = \min\{0.1, 0.1\} = 0.1 .
\end{aligned}$$

Algorithm 1 solves problem (Pr), then gives an optimal solution to the problem (P), in the general case. The set $\{B_k\}_{1 \leq k \leq 4}$ denotes the equations of the four borders of the feasible region:

$$\begin{aligned}
B_1 &\stackrel{\text{def}}{=} \{(\lambda, u_0) \mid u_0 + \lambda = 0\} & B_2 &\stackrel{\text{def}}{=} \{(\lambda, u_0) \mid u_0 - (1-\lambda) = 0\} \\
B_3 &\stackrel{\text{def}}{=} \{(\lambda, u_0) \mid u_0 + (1-\lambda) = 0\} & B_4 &\stackrel{\text{def}}{=} \{(\lambda, u_0) \mid u_0 - \lambda = 0\} .
\end{aligned}$$

The set $V$ denotes the set of vertices of the polygons' tiling. It is initially set to $\{(\tfrac{1}{2}, \tfrac{1}{2}), (\tfrac{1}{2}, -\tfrac{1}{2})\}$, the only two feasible vertices of the feasible region.

[Figure 6.5: The feasible region of the optimization problem (Pr). The points (0, 0) and (1, 0) are not feasible.]

[Figure 6.6: The evaluation of the objective function of (Pr) at each vertex.]

The first for loop (line 3) goes through the given list of all $L_i$ lines. If the intersection of $L_i$ and a border of the feasible region $\{B_k\}_{1 \leq k \leq 4}$ (line 4) is feasible, we store the vertex in $V$. We then compute all the intersections of the line $L_i$ with the other lines $L_j$ such that $i \neq j$ (line 8). For each vertex $v = (v_0, v_1)$ in $V$ (line 14), we evaluate the objective function $f$ using an external routine evalf (lines 13 and 16). The algorithm updates the variable objval with the greatest value of $f$ (line 18) and the temporary variable $t$ with the last vertex for which this objective value is reached (line 19). The final for loop (line 21) assigns the value of $u_i$, $1 \leq i \leq n$, using Proposition 6.2.21. We finally return the objective value objval, as well as $(\lambda, u^*)$, an optimal solution to the problem (P).

6.2.22 Proposition  Algorithm 1 has a complexity of $O(n^3)$ in the worst case, where $n$ denotes the number of $L_i$ lines (or equivalently the number of noise symbols).

Proof. The cardinality of the set of intersections of an arrangement of $n$ lines is equal to $\frac{n(n-1)}{2}$ in the worst case. Thus, we have to evaluate the objective function at $\left(2n + 2 + \frac{n(n-1)}{2}\right) = \frac{n^2 + 3n + 4}{2}$ vertices in the worst case: $2n$ for the intersections of the $n$ lines with the borders of the feasible region, 2 for the vertices $(\tfrac{1}{2}, \tfrac{1}{2})$ and $(\tfrac{1}{2}, -\tfrac{1}{2})$, and $\frac{n(n-1)}{2}$ for the intersections of the $L_i$ lines themselves. The evaluation of the objective function on each point needs in the worst case $n$ operations. The total number of operations, in the worst case, is then $\frac{n^3 + 3n^2 + 4n}{2}$.

Algorithm 1: Solving (P)
input : A set of lines $\{L_i\}_{1 \leq i \leq n}$, $\{B_k\}_{1 \leq k \leq 4}$, $\{\alpha^X_i - \alpha^Y_i\}_{0 \leq i \leq n}$, $\tau^X$ and $\tau^Y$.
output: optval, the optimal value of (P), and $(\lambda, u^*)$ an optimal solution of (P).

1   $l \leftarrow 0$;
2   $V \leftarrow \{(\tfrac{1}{2}, \tfrac{1}{2}), (\tfrac{1}{2}, -\tfrac{1}{2})\}$;
3   for $i \leftarrow 1$ to $n$ do
4       for $k \leftarrow 1$ to $4$ do
5           if $(L_i \cap B_k)$ is feasible then
6               $V \leftarrow V \cup (L_i \cap B_k)$;
7               $l \leftarrow l + 1$;
8       for $j \leftarrow i + 1$ to $n$ do
9           if $L_i \neq L_j$ and $(L_i \cap L_j)$ is feasible then
10              $V \leftarrow V \cup (L_i \cap L_j)$;
11              $l \leftarrow l + 1$;
12  $v \leftarrow V[0]$;
13  objval $\leftarrow$ evalf($\{\alpha^X_i - \alpha^Y_i\}_{0 \leq i \leq n}, \tau^X, \tau^Y, v_0, v_1$);
14  for $i \leftarrow 1$ to $l - 1$ do
15      $v \leftarrow V[i]$;
16      $f \leftarrow$ evalf($\{\alpha^X_i - \alpha^Y_i\}_{0 \leq i \leq n}, \tau^X, \tau^Y, v_0, v_1$);
17      if $f \geq$ objval then
18          objval $\leftarrow f$;
19          $(t_0, t_1) \leftarrow V[i]$;
20  $\lambda \leftarrow t_0$;
21  for $i \leftarrow 1$ to $n$ do
22      if $\alpha^X_i - \alpha^Y_i \geq 0$ then
23          $u_i \leftarrow \min\{\lambda\,\mathrm{dev}(\varepsilon^X_i) + \mathrm{mid}(\varepsilon^X_i)u_0,\ (1-\lambda)\,\mathrm{dev}(\varepsilon^Y_i) + \mathrm{mid}(\varepsilon^Y_i)u_0\}$;
24      else
25          $u_i \leftarrow -\min\{\lambda\,\mathrm{dev}(\varepsilon^X_i) - \mathrm{mid}(\varepsilon^X_i)u_0,\ (1-\lambda)\,\mathrm{dev}(\varepsilon^Y_i) - \mathrm{mid}(\varepsilon^Y_i)u_0\}$;
26  $u^* \leftarrow (t_1, u_1, \ldots, u_n)$;
27  return objval, $\lambda$, $u^*$;
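As an added example, not code from the thesis, here is Algorithm 1 run on the running example (Pr) above, in Python with exact rationals. It assumes the (Pr) objective exactly as displayed (no constant and no $\lambda$ term, so $\tau^X = \tau^Y = 0$ and $\alpha'_0 = -1$) and recovers each $u_i$ by attaching to the corresponding min term the sign used in the computation of $u_1$ and $u_2$ above; the function names are this example's own.

```python
"""Algorithm 1 of the thesis on its running example (Pr), as an added illustration.

(Pr) maximises
    f(u0, lam) = tau_Y + alpha0' u0 + (tau_X - tau_Y) lam
                 + sum_i alpha_i min{a_i lam + b_i u0, a'_i (1 - lam) + b'_i u0}
over the open diamond 0 < lam < 1, |u0| <= min{lam, 1 - lam}.  Each min term is
affine on either side of its switching line L_i, so f is affine on every polygon
of the tiling cut by the L_i and its maximum is attained at a tiling vertex.
"""
from fractions import Fraction as F
from itertools import combinations

# A min-term of (Pr): (alpha_i, a_i, b_i, a'_i, b'_i, sign_i); sign_i is
# sign(alpha^X_i - alpha^Y_i), which fixes the sign of u_i in the last loop.
def objective(tau_x, tau_y, alpha0, terms, u0, lam):
    """f(u0, lam) of (Pr), evaluated exactly."""
    val = tau_y + alpha0 * u0 + (tau_x - tau_y) * lam
    for alpha_i, a, b, a2, b2, _ in terms:
        val += alpha_i * min(a * lam + b * u0, a2 * (1 - lam) + b2 * u0)
    return val

def feasible(lam, u0):
    """The diamond of (Pr); (0, 0) and (1, 0) are excluded by 0 < lam < 1."""
    return 0 < lam < 1 and abs(u0) <= min(lam, 1 - lam)

def intersect(l1, l2):
    """Meet of two lines p*lam + q*u0 = r (Cramer's rule), or None when parallel."""
    (p1, q1, r1), (p2, q2, r2) = l1, l2
    det = p1 * q2 - p2 * q1
    if det == 0:
        return None
    return ((r1 * q2 - r2 * q1) / det, (p1 * r2 - p2 * r1) / det)

def switching_line(term):
    """L_i as p*lam + q*u0 = r, from a lam + b u0 = a'(1 - lam) + b' u0."""
    _, a, b, a2, b2, _ = term
    return (F(a) + F(a2), F(b) - F(b2), F(a2))

# Borders B_1..B_4 of the feasible region, in the same (p, q, r) encoding.
BORDERS = [(F(1), F(1), F(0)),     # B1: u0 + lam = 0
           (F(1), F(1), F(1)),     # B2: u0 - (1 - lam) = 0
           (F(-1), F(1), F(-1)),   # B3: u0 + (1 - lam) = 0
           (F(-1), F(1), F(0))]    # B4: u0 - lam = 0

def solve_pr(tau_x, tau_y, alpha0, terms):
    """Algorithm 1: returns (objval, lam, u*, {vertex: f(vertex)})."""
    lines = [switching_line(t) for t in terms]
    verts = {(F(1, 2), F(1, 2)), (F(1, 2), F(-1, 2))}   # the two feasible corners
    for li in lines:                                      # lines 3-7: L_i with borders
        for bk in BORDERS:
            v = intersect(li, bk)
            if v is not None and feasible(*v):
                verts.add(v)
    for li, lj in combinations(lines, 2):                 # lines 8-11: L_i with L_j
        v = intersect(li, lj)
        if v is not None and feasible(*v):
            verts.add(v)
    values = {v: objective(tau_x, tau_y, alpha0, terms, v[1], v[0]) for v in verts}
    best = None
    for (lam, u0), f in sorted(values.items()):          # lines 12-19: keep the best
        if best is None or f >= best[0]:
            best = (f, lam, u0)
    objval, lam, u0 = best
    u_star = [u0]                                         # lines 20-26: recover u_i
    for alpha_i, a, b, a2, b2, sign in terms:
        u_star.append(sign * min(a * lam + b * u0, a2 * (1 - lam) + b2 * u0))
    return objval, lam, u_star, values

# Running example of the thesis, read off the displayed (Pr):
#   max -u0 + 2 min{(lam+u0)/2, (1-lam)/2} + min{(lam+u0)/4, (1-lam+u0)/2}
# Assumption: no constant or lam term is displayed, so tau_X = tau_Y = 0.
EXAMPLE_TERMS = [(2, F(1, 2), F(1, 2), F(1, 2), F(0), -1),      # sign(a^X_1 - a^Y_1) = -1
                 (1, F(1, 4), F(1, 4), F(1, 2), F(1, 2), 1)]    # sign(a^X_2 - a^Y_2) = +1

def running_example():
    return solve_pr(F(0), F(0), F(-1), EXAMPLE_TERMS)

if __name__ == "__main__":
    objval, lam, u_star, values = running_example()
    for (l, u), f in sorted(values.items()):
        print(f"vertex (lam={l}, u0={u}) -> f = {f}")
    print("optimum", objval, "at lam =", lam, "u* =", u_star)
```

The six feasible vertices and their values (0.25, 0.5, 0.66, 0.7) reproduce Figure 6.6, and the optimum 0.7 at $(\lambda, u_0) = (0.6, -0.2)$ with $u^* = (-0.2, -0.2, 0.1)$ matches the text.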

Deducing $\alpha$

This section details the second step towards computing automatically a saddle-point of the function (6.2.1) whenever the conditions $\sigma(M^Y(\alpha^Y - \alpha^X) \mid B) > |\tau^Y - \tau^X|$ and $\sigma(M^X(\alpha^Y - \alpha^X) \mid B) > |\tau^X - \tau^Y|$ hold.

Theorem 6.2.20 characterizes the set of saddle-points as the set of solutions to the equations:

$$\begin{aligned}
\text{i)}\quad & \sigma(M^X(\alpha - \alpha^X) \mid B) + \tau^X = \sigma(M^Y(\alpha - \alpha^Y) \mid B) + \tau^Y, \\
\text{ii)}\quad & \lambda\,\sigma(M^X(\alpha - \alpha^X) \mid B) + (1-\lambda)\,\sigma(M^Y(\alpha - \alpha^Y) \mid B) = \sigma(\alpha^X - \alpha^Y \mid \lambda M^{X*}B \cap (1-\lambda)M^{Y*}B) .
\end{aligned}$$

The previous section was dedicated to the computation of $\lambda$ as well as $u^*$ such that $u^* \in \lambda M^{X*}B \cap (1-\lambda)M^{Y*}B$ and

$$\langle \alpha^X - \alpha^Y, u^* \rangle = \sigma(\alpha^X - \alpha^Y \mid \lambda M^{X*}B \cap (1-\lambda)M^{Y*}B) .$$

In the sequel we deduce $\alpha$ from $\lambda$ and $u^*$.

6.2.23 Proposition  The vector $\alpha$ satisfies

$$\begin{aligned}
\sigma(\alpha - \alpha^X \mid \lambda M^{X*}B) &= \langle \alpha^X - \alpha, u^* \rangle \\
\sigma(\alpha - \alpha^Y \mid (1-\lambda)M^{Y*}B) &= \langle \alpha - \alpha^Y, u^* \rangle .
\end{aligned}$$

Proof. Since $u^* \in \lambda M^{X*}B$, by definition of the support function we have

$$\langle \alpha^X - \alpha, u^* \rangle \leq \sigma(\alpha^X - \alpha \mid \lambda M^{X*}B) . \qquad (6.2.2)$$

Similarly, we have $u^* \in (1-\lambda)M^{Y*}B$, which gives

$$\langle \alpha - \alpha^Y, u^* \rangle \leq \sigma(\alpha - \alpha^Y \mid (1-\lambda)M^{Y*}B) . \qquad (6.2.3)$$

A strict inequality in equation (6.2.2) or in equation (6.2.3) leads, by summing the two inequalities, to the strict inequality

$$\langle \alpha^X - \alpha, u^* \rangle + \langle \alpha - \alpha^Y, u^* \rangle < \sigma(\alpha^X - \alpha \mid \lambda M^{X*}B) + \sigma(\alpha - \alpha^Y \mid (1-\lambda)M^{Y*}B) .$$


By the linearity of the scalar product, the left hand side of the inequality above is equal to $\langle \alpha^X - \alpha^Y, u^* \rangle$. By definition of $u^*$,

$$\langle \alpha^X - \alpha^Y, u^* \rangle = \sigma(\alpha^X - \alpha^Y \mid \lambda M^{X*}B \cap (1-\lambda)M^{Y*}B) ,$$

and by Theorem 6.2.20, ii), we have

$$\lambda\,\sigma(M^X(\alpha - \alpha^X) \mid B) + (1-\lambda)\,\sigma(M^Y(\alpha - \alpha^Y) \mid B) = \sigma(\alpha^X - \alpha^Y \mid \lambda M^{X*}B \cap (1-\lambda)M^{Y*}B) ;$$

thus, the right hand side of the inequality above is also equal to $\langle \alpha^X - \alpha^Y, u^* \rangle$, which is impossible. Therefore, the equalities

$$\begin{aligned}
\sigma(\alpha - \alpha^X \mid \lambda M^{X*}B) &= \langle \alpha^X - \alpha, u^* \rangle \\
\sigma(\alpha - \alpha^Y \mid (1-\lambda)M^{Y*}B) &= \langle \alpha - \alpha^Y, u^* \rangle
\end{aligned}$$

hold necessarily.

These equalities, together with the equality (i) of Theorem 6.2.20, restrict the vector $\alpha$ to the following hyperplane.

6.2.24 Proposition  The vector $\alpha$ lies in the hyperplane defined by

$$\langle \alpha, u^* \rangle = \langle (1-\lambda)\alpha^X + \lambda\alpha^Y, u^* \rangle - \lambda(1-\lambda)\tau^Y + \lambda(1-\lambda)\tau^X .$$

Proof. (By equality (i) of Theorem 6.2.20.)

$$\sigma(M^X(\alpha - \alpha^X) \mid B) + \tau^X = \sigma(M^Y(\alpha - \alpha^Y) \mid B) + \tau^Y$$

(using Proposition 6.2.23)

$$\iff \lambda^{-1}\langle \alpha^X - \alpha, u^* \rangle + \tau^X = (1-\lambda)^{-1}\langle \alpha - \alpha^Y, u^* \rangle + \tau^Y$$

(multiply by $\lambda(1-\lambda)$)

$$\iff \langle (1-\lambda)(\alpha^X - \alpha), u^* \rangle + \lambda(1-\lambda)\tau^X = \langle \lambda(\alpha - \alpha^Y), u^* \rangle + \lambda(1-\lambda)\tau^Y .$$

The result is then deduced by the linear properties of the inner product.


Moreover, the equalities of Proposition 6.2.23 imply interesting constraints on the components of the vector $\alpha$, namely they determine the sign vector of the vectors $M^X(\alpha^X - \alpha)$ and $M^Y(\alpha - \alpha^Y)$. A sign vector of a vector $v \in \mathbb{R}^n$ is a vector of $\mathbb{R}^n$ defined by $(\mathrm{sign}(v_1), \ldots, \mathrm{sign}(v_n))$; the sign of 0 is undefined and can be any real number (which means that we may have more than one sign vector for a given vector $v$).

6.2.25 Proposition  The vector $\lambda^{-1}(M^{X*})^{-1}u^*$ is a sign vector of $M^X(\alpha^X - \alpha)$. That is:

$$\begin{aligned}
(\lambda^{-1}(M^{X*})^{-1}u^*)_i = 1 &\implies (\lambda M^X(\alpha^X - \alpha))_i \geq 0 \\
(\lambda^{-1}(M^{X*})^{-1}u^*)_i = -1 &\implies (\lambda M^X(\alpha^X - \alpha))_i \leq 0 \\
(\lambda^{-1}(M^{X*})^{-1}u^*)_i \notin \{-1, 1\} &\implies (\lambda M^X(\alpha^X - \alpha))_i = 0
\end{aligned}$$

Similarly, the vector $(1-\lambda)^{-1}(M^{Y*})^{-1}u^*$ is a sign vector of $M^Y(\alpha - \alpha^Y)$, and

$$\begin{aligned}
((1-\lambda)^{-1}(M^{Y*})^{-1}u^*)_i = 1 &\implies ((1-\lambda)M^Y(\alpha - \alpha^Y))_i \geq 0 \\
((1-\lambda)^{-1}(M^{Y*})^{-1}u^*)_i = -1 &\implies ((1-\lambda)M^Y(\alpha - \alpha^Y))_i \leq 0 \\
((1-\lambda)^{-1}(M^{Y*})^{-1}u^*)_i \notin \{-1, 1\} &\implies ((1-\lambda)M^Y(\alpha - \alpha^Y))_i = 0 .
\end{aligned}$$

Proof. We only detail the case of $M^X(\alpha^X - \alpha)$; the second one, concerning $M^Y(\alpha - \alpha^Y)$, is similar by substituting $X$ by $Y$ and $\lambda$ by $1-\lambda$. We know that the support function of a vector $v$ over the ball $B$ is equal to the taxicab norm of the vector $v$, and that the latter, by definition, is equal to the sum of the terms $v_i\,\mathrm{sign}(v_i)$:

$$\sigma(v \mid B) = \|v\|_1 = \sum_{i=1}^{n} v_i\,\mathrm{sign}(v_i) = \langle v, \mathrm{sign}(v) \rangle .$$

The vector $\mathrm{sign}(v)$ is unique up to the null components $v_i$ of $v$; that is, if $w$ is another sign vector of $v$, then whenever the sign of $v_i$ is well defined ($v_i \neq 0$), $w_i = \mathrm{sign}(v_i)$. We use this property in what follows while taking $\lambda M^X(\alpha^X - \alpha)$ as our vector "$v$". We have

$$\begin{aligned}
\langle \lambda M^X(\alpha^X - \alpha), \lambda^{-1}(M^{X*})^{-1}u^* \rangle &= \langle \alpha^X - \alpha, u^* \rangle & \text{(inner product properties)} \\
&= \sigma(\alpha^X - \alpha \mid \lambda M^{X*}B) & \text{(Proposition 6.2.23)} \\
&= \sigma(\lambda M^X(\alpha^X - \alpha) \mid B) & \text{(Proposition A.0.5)}
\end{aligned}$$

Thus, $\lambda^{-1}(M^{X*})^{-1}u^*$ is a sign vector of $\lambda M^X(\alpha^X - \alpha)$.


Proposition 6.2.25 deduces from the equalities of Proposition 6.2.23 a set of constraints that the components of the vector $\alpha$ have to satisfy. These constraints may be simplified using the fact that $\lambda$ and $(1-\lambda)$ are positive real numbers and the sparse form of the matrices $M^X$ and $M^Y$. Indeed, the entries of these matrices are all zero except for the first line and the main diagonal. Moreover, all entries of the latter are positive real numbers (the deviations of the interval concretisations of the noise symbols).

6.2.26 Proposition  If $\bowtie$ denotes an element of $\{\leq, =, \geq\}$, then $(\lambda M^X(\alpha^X - \alpha))_i \bowtie 0$ if and only if

$$\begin{cases}
(\alpha^X_0 - \alpha_0) + \sum_{i=1}^{n} \mathrm{mid}(\varepsilon^X_i)\,\alpha_i \bowtie 0, & \text{if } i = 0, \\
\alpha^X_i - \alpha_i \bowtie 0, & \text{if } 1 \leq i \leq n .
\end{cases}$$

Similarly, $((1-\lambda)M^Y(\alpha - \alpha^Y))_i \bowtie 0$ if and only if

$$\begin{cases}
-(\alpha^Y_0 - \alpha_0) - \sum_{i=1}^{n} \mathrm{mid}(\varepsilon^Y_i)\,\alpha_i \bowtie 0, & \text{if } i = 0, \\
\alpha_i - \alpha^Y_i \bowtie 0, & \text{if } 1 \leq i \leq n .
\end{cases}$$

We apply Propositions 6.2.24 and 6.2.25 to our running example. We recall, from the previous section, that $\lambda = 0.6$ and $u^* = (-0.2, -0.2, 0.1)$. Proposition 6.2.24 gives the following hyperplane:

$$-0.2\alpha_0 - 0.2\alpha_1 + 0.1\alpha_2 + 0.22 = 0 .$$

Proposition 6.2.25 and the equivalences of Proposition 6.2.26 give

$$\begin{cases}
-1 < \alpha_1 < 1 \\
1 < \alpha_2 < 2 \\
-\alpha_0 + 0.5\alpha_1 - 0.25\alpha_2 + 2 = 0 \\
\alpha_0 + 0.5\alpha_2 - 2.5 = 0
\end{cases}$$

The unique vector $\alpha$ that satisfies the above constraints is $(1.7, 0.2, 1.6)$, which in consequence gives $\tau^Z = L(\alpha, \lambda) = 0.7$ (the objective value of the optimization problem (P)). Thus

$$Z = ((1.7, 0.2, 1.6),\ 0.7,\ 1 \times [-1, 0.5] \times [0, 1])$$

is a mub of $X$ and $Y$; the perturbation 0.7 is the least perturbation possible for any upper bound of $X$ and $Y$.


So far, we have characterized $\alpha$ by a system of linear equations, given by Propositions 6.2.26 and 6.2.24, that the components of $\alpha$ have to satisfy. We can use any linear solver to pick a solution (which exists, because a saddle-point exists). The pseudo-algorithm 2 summarizes the steps needed to compute a minimal upper bound of two given CAF. The routine matrixOf used in lines 1 and 2 computes the matrices $M^X$ and $M^Y$ related to $\Phi^X_\varepsilon$ and $\Phi^Y_\varepsilon$ respectively. Routines init and solve (lines 13 and 14 respectively) are used to initialize, then solve, the problem (P).

Algorithm 2: Computing a mub
input : Two CAF $X = (\alpha^X, \tau^X, \Phi^X_\varepsilon)$ and $Y = (\alpha^Y, \tau^Y, \Phi^Y_\varepsilon)$.
output: A CAF $Z$ mub of $X$ and $Y$.

1   $M^X \leftarrow$ matrixOf($\Phi^X_\varepsilon$);
2   $M^Y \leftarrow$ matrixOf($\Phi^Y_\varepsilon$);
3   if $\|M^X(\alpha^X - \alpha^Y)\|_1 \leq \tau^Y - \tau^X$ then
4       $\Phi^Z_\varepsilon \leftarrow \Phi^Y_\varepsilon$;
5       $\alpha \leftarrow \alpha^Y$;
6       objval $\leftarrow \tau^Y$;
7   else if $\|M^Y(\alpha^X - \alpha^Y)\|_1 \leq \tau^X - \tau^Y$ then
8       $\Phi^Z_\varepsilon \leftarrow \Phi^X_\varepsilon$;
9       $\alpha \leftarrow \alpha^X$;
10      objval $\leftarrow \tau^X$;
11  else
12      $\Phi^Z_\varepsilon \leftarrow \Phi^X_\varepsilon \cup \Phi^Y_\varepsilon$;
13      init((P), $\alpha^X$, $\alpha^Y$, $\tau^X$, $\tau^Y$, $M^X$, $M^Y$);
14      (objval, $\lambda$, $u^*$) $\leftarrow$ solve(P);   /* defined in Algorithm 1 */
15      $\alpha \leftarrow$ LP((6.2.24), (6.2.26));   /* use an LP solver */
16  return ($\alpha$, objval, $\Phi^Z_\varepsilon$);

Handling Reduced Intervals

If the interval concretisation of one noise symbol is reduced to a point, then the deviation of that interval is zero and the matrix $M^X$ is no longer non-singular. Thus we cannot immediately apply our previously detailed mub computation. On the other hand, we may lose some relations if we replace the noise symbol by its unique value. We detail the latter remark in the following example, explain how we would like to handle these particular cases, and finally clarify how our mub computation can be extended to these cases with almost no extra effort.

6.2.27 Example  Suppose we have two CAF, $X = ((1, -1), 0, 1 \times [1, 1])$ and $Y = ((2, 1), 0, 1 \times [-1, -1])$. We would like to compute a minimal upper bound of $X$ and $Y$.

Since $\varepsilon_1$ has a unique value in both affine forms, they can be simplified by considering the actual value of the noise symbol. This gives $X' = ((0, 0), 0, 1 \times [1, 1])$ and $Y' = ((1, 0), 0, 1 \times [-1, -1])$. In fact, with respect to the order $\leq_{1 \times 2}$, $X \sim X'$ and $Y \sim Y'$. The order is insensitive to such subtleties: it does not make a difference between $X$ and $X'$, or $Y$ and $Y'$, or any similar case involving reduced intervals. However, considering these fixed noise symbols rather than replacing them by their respective values increases the accuracy of computations. The unique mub obtained using Algorithm 2 for $X'$ and $Y'$ is $Z' = (0.5, 0.5, 1 \times [-1, 1])$. The minimal perturbation for these affine forms is 0.5. Moreover, the relation with $\varepsilon_1$ is lost: the central part has only a center equal to 0.5 without any dependency on $\varepsilon_1$.

However, we could hope for a better result, which keeps the relation and at the same time reduces the perturbation. For instance, consider $Z = ((0.5, -0.5), 0, 1 \times [-1, 1])$:

• $Z$ is an upper bound. Indeed, with respect to $\leq_{1 \times 2}$, $X \leq Z$: $1 \in [-1, 1]$, and

$$\sigma((1, -1) - (0.5, -0.5) \mid [-1, 1] \times [1, 1]) = \sigma\Big(\begin{pmatrix} 1 & 1 \\ 0 & 0 \end{pmatrix}(0.5, -0.5) \;\Big|\; B\Big) = \sigma(0 \mid B) = 0 \leq 0 = \tau^Z - \tau^X .$$

Similarly, $Y \leq Z$.

• $Z$ is a minimal upper bound. Indeed, if $T$ is an upper bound such that $T \leq_{1 \times 2} Z$, then necessarily $\tau^Z = \tau^T = 0$ and $|0.5 - \alpha^T_0| + |-0.5 - \alpha^T_1| = 0$, thus $T = Z$.

• There is no new perturbation noise symbol; the perturbation of $Z$ remains null.

• The affine form of $Z$, that is $0.5 - 0.5\varepsilon_1$, is exactly equal to the affine form of $X$, $1 - \varepsilon_1$, when $\varepsilon_1 = 1$ (both are equal to 0). Likewise, the affine form of $Z$ is equal to the affine form of $Y$, 1, when $\varepsilon_1 = -1$ (both are equal to 1).


Observe also that $Z \leq_{1 \times 2} Z'$. In fact, $Z'$ is a mub of $X'$ and $Y'$, but is only an upper bound (it is not minimal) of $X$ and $Y$, whereas $Z$ is a mub of $X$ and $Y$. The affine set $X'$ can be considered as an over-approximation of $X$ (even if both are equivalent with respect to $\leq_{1 \times 2}$), as the symbol $\varepsilon_1$ gets lost.

We present in the sequel how to handle these reduced intervals, without losing their respective noise symbols, while keeping our specification and algorithm detailed in the previous section.

Matrix $M$ related to a box $\Phi_\varepsilon$ is defined as previously, except that now the deviation of a reduced interval $\varepsilon_i$ is set by convention to $-1$. Observe that this convention leaves matrix $M$ non-singular. To absorb the effect of this "$-1$" during the computation, the $i$th component of the unit ball $B$ is set to 0 instead of $[-1, 1]$. Thus, to a CAS $X$ we associate $B^X$. Given two CAS $X$ and $Y$, the set of indices such that the coordinates of $B^X$ are null and those of $B^Y$ are not null is denoted by $I_X$. The set of indices such that the coordinates of $B^Y$ are null and those of $B^X$ are not is denoted by $I_Y$. The set of indices of coordinates such that both $B^X$ and $B^Y$ are null is denoted by $I_{XY}$. Finally, the set of indices of coordinates such that both $B^X$ and $B^Y$ are not null is denoted by $J$. For instance, in Example 6.2.27, the matrix $M^X$ related to $1 \times [1, 1]$ is $\begin{pmatrix} 1 & 1 \\ 0 & -1 \end{pmatrix}$, whereas $B^X = [-1, 1] \times 0$.

Saddle-points  Theorem 6.2.20 remains unchanged, as the matrices $M^X$ and $M^Y$ are non-singular. One just needs to replace $B$ by $B^X$ when $X$ is involved and do the same thing for $Y$. For instance, instead of $\lambda M^{X*}B \cap (1-\lambda)M^{Y*}B$, we obtain $\lambda M^{X*}B^X \cap (1-\lambda)M^{Y*}B^Y$.

Problem (P) needs to consider whether or not the coordinates of $B^X$ and $B^Y$ are null. So in Proposition 6.2.21: if $i \in I_X$, then $u_i = u_0\,\mathrm{mid}(\varepsilon^X_i)$; similarly, $u_i$ is enforced to $u_0\,\mathrm{mid}(\varepsilon^Y_i)$ if $i \in I_Y$. If $i \in I_{XY}$, then both conditions hold, which makes $u_0$ null if $\mathrm{mid}(\varepsilon^X_i) \neq \mathrm{mid}(\varepsilon^Y_i)$.

Problem (Pr) is in consequence also affected. It keeps the same generic formulation but with more constraints for $u_0$ and $\lambda$: $|u_0| \leq \delta\lambda$ and $|u_0| \leq \theta(1-\lambda)$, where

$$\delta \stackrel{\text{def}}{=} \min\Big\{1, \Big(\frac{\mathrm{dev}(\varepsilon^Y_i)}{|\mathrm{mid}(\varepsilon^X_i) - \mathrm{mid}(\varepsilon^Y_i)|}\Big)_{i \in I_X}\Big\}(1-\lambda), \qquad \theta \stackrel{\text{def}}{=} \min\Big\{1, \Big(\frac{\mathrm{dev}(\varepsilon^X_i)}{|\mathrm{mid}(\varepsilon^X_i) - \mathrm{mid}(\varepsilon^Y_i)|}\Big)_{i \in I_Y}\Big\}\lambda .$$


[Figure 6.7 (axis $u_0$, border labels $\delta\lambda$ and $\theta(1-\lambda)$): The feasible region of the extended optimization problem (Pr). The points (0, 0) and (1, 0) are not feasible.]

Since for $i \in I_X \cup I_Y \cup I_{XY}$, $u_i$ is well known (a function of $u_0$), the coefficient of $u_0$ in the objective function of (Pr) becomes

$$(\alpha^X_0 - \alpha^Y_0) + \sum_{i \in I_X}(\alpha^X_i - \alpha^Y_i)\,\mathrm{mid}(\varepsilon^X_i) + \sum_{i \in I_Y}(\alpha^X_i - \alpha^Y_i)\,\mathrm{mid}(\varepsilon^Y_i) + \sum_{i \in I_{XY}}(\alpha^X_i - \alpha^Y_i)\,\mathrm{mid}(\varepsilon^X_i) .$$

The solving algorithm 1 remains unchanged. The feasible region is no longer a perfect diamond minus (0, 0) and (1, 0), but a diamond-like shape (Figure 6.7). The slopes of the borders are $\delta$ and $\theta$.

Deducing $\alpha$  Proposition 6.2.25 is valid for all coordinates $i \notin I_X$ for $M^X(\alpha^X - \alpha)$, and for all $i \notin I_Y$ for $M^Y(\alpha - \alpha^Y)$. For $i \in I_X$ (resp. $I_Y$), the fact that the $i$th coordinate of $B^X$ (resp. $B^Y$) is null adds no constraint for $\alpha$ to respect. Proposition 6.2.24 remains unchanged.

We apply the pseudo-algorithm 2 to our motivating Example 6.2.27, with respect to the additions detailed above. We have $B^X = B^Y = [-1, 1] \times 0$. By Theorem 6.2.20 we have to solve (P). We have $I_X = I_Y = J = \emptyset$ and $I_{XY} = \{1\}$. Since $\mathrm{mid}(\varepsilon^X_1) = 1 \neq -1 = \mathrm{mid}(\varepsilon^Y_1)$, then $u_0 = u_1 = 0$, the objective function of (Pr) is zero (so the perturbation of the mub is also null), and $\lambda \in \,]0, 1[$. By Proposition 6.2.25, $\lambda^{-1}(M^{X*})^{-1}u^*$ is a sign vector of $M^X(\alpha^X - \alpha)$; since $u^*$ is null, the sign vector is null, so for all $i \notin I_X$ the $i$th component of $M^X(\alpha^X - \alpha)$ is null. Similarly for $(1-\lambda)^{-1}(M^{Y*})^{-1}u^*$, which is also null. This gives the system:

$$\begin{cases}
1 - \alpha^Z_0 + (-1 - \alpha^Z_1) = 0 \\
\alpha^Z_0 - 2 - (\alpha^Z_1 - 1) = 0
\end{cases}$$

Proposition 6.2.24 adds no more constraints for $\alpha$ to respect. The system above gives $\alpha^Z_0 = 0.5$ and $\alpha^Z_1 = -0.5$, and $Z = ((0.5, -0.5), 0, 1 \times [-1, 1])$, which is the mub announced earlier.

Application: Join over Perturbed Affine Forms

The Perturbed Affine Sets introduced by Goubault and Putot [GP08, GP09] are a particular case of Constrained Affine Sets, where noise symbols are abstracted by the unit box $B$, that is, all noise symbols always lie within the interval $[-1, 1]$. The join operators defined over Perturbed Affine Forms [GP08] and Perturbed Affine Sets are revisited here as an application of our results established for CAS.

6.2.28 Definition  A Perturbed Affine Set, or PAS, is a CAS $X = (C^X, P^X, \Phi^X)$, where $\Phi^X = B$.

Since $\Phi^X$ is always equal to $B$ and is independent from the abstract object $X$, we denote a PAS by the pair of matrices $(C^X, P^X)$. Moreover, the matrix $M^X$ related to $\Phi^X = B$ is the identity matrix $I_{n+1}$. By Lemma 4.3.3, the order relation $\leq_{1 \times 2}$ gives:

6.2.29 Proposition (Partial Order over PAS)  Given two PAS, $X = (C^X, P^X)$ and $Y = (C^Y, P^Y)$, we have $X \leq_{1 \times 2} Y$ if and only if

$$\forall t \in \mathbb{R}^p,\quad \sigma(t \mid (C^X - C^Y)B) \leq \sigma(t \mid P^Y B) - \sigma(t \mid P^X B) .$$

Proof. Immediate application of Lemma 4.3.3 for $\Phi^X = \Phi^Y = B$.


As already mentioned, $\sigma(x \mid B) = \|x\|_1$. The reformulation of Proposition 6.2.29 using this identity gives

$$\forall t \in \mathbb{R}^p,\quad \|(C^X - C^Y)^* t\|_1 \leq \|P^{Y*} t\|_1 - \|P^{X*} t\|_1 ,$$

which is exactly the order defined in [GP09, Definition 2], up to the transpose operation on the matrices $(C^X - C^Y)$, $P^X$ and $P^Y$. The set of saddle-points in this particular case is deduced from Theorem 6.2.20.

6.2.30 Corollary

• If $\sigma(\alpha^Y - \alpha^X \mid B) < \tau^Y - \tau^X$, then $(\alpha^Y, 0)$ is the unique saddle-point of $L$. Its saddle-value is $\tau^Y$.

• If $\sigma(\alpha^Y - \alpha^X \mid B) = \tau^Y - \tau^X$ and $\alpha^Y \neq \alpha^X$, then $L$ admits infinitely many saddle-points such that $\alpha = \alpha^Y$. Its saddle-value is $\tau^Y$.

• If $\sigma(\alpha^Y - \alpha^X \mid B) < \tau^X - \tau^Y$, then $(\alpha^X, 1)$ is the unique saddle-point of $L$. Its saddle-value is $\tau^X$.

• If $\sigma(\alpha^Y - \alpha^X \mid B) = \tau^X - \tau^Y$ and $\alpha^Y \neq \alpha^X$, then $L$ admits infinitely many saddle-points such that $\alpha = \alpha^X$. Its saddle-value is $\tau^X$.

• Otherwise, $\sigma(\alpha^Y - \alpha^X \mid B) > |\tau^Y - \tau^X|$, and $(\alpha, \lambda)$ satisfies $\lambda \in \,]0, 1[$ and

$$\begin{aligned}
\text{i)}\quad & \sigma(\alpha - \alpha^X \mid B) + \tau^X = \sigma(\alpha - \alpha^Y \mid B) + \tau^Y, \\
\text{ii)}\quad & \lambda\,\sigma(\alpha - \alpha^X \mid B) + (1-\lambda)\,\sigma(\alpha - \alpha^Y \mid B) = \sigma(\alpha^X - \alpha^Y \mid \lambda B \cap (1-\lambda)B) .
\end{aligned}$$

Proof. Apply Theorem 6.2.20 for $M^X = M^Y = I_{n+1}$.

When $\sigma(\alpha^Y - \alpha^X \mid B) > |\tau^Y - \tau^X|$, we establish that the value of $\lambda$ is necessarily equal to $\tfrac{1}{2}$, which permits computing the saddle-value.

6.2.31 Proposition  If $\sigma(\alpha^Y - \alpha^X \mid B) > |\tau^Y - \tau^X|$, then $\lambda = \tfrac{1}{2}$, and $\alpha$ satisfies:

$$\begin{aligned}
\text{i)}\quad & \sigma(\alpha - \alpha^X \mid B) + \tau^X = \sigma(\alpha - \alpha^Y \mid B) + \tau^Y, \\
\text{ii)}\quad & \sigma(\alpha - \alpha^X \mid B) + \sigma(\alpha - \alpha^Y \mid B) = \sigma(\alpha^X - \alpha^Y \mid B) .
\end{aligned}$$

The saddle-value of $L$ is equal to

$$\frac{1}{2}\big(\sigma(\alpha^X - \alpha^Y \mid B) + \tau^X + \tau^Y\big) .$$


Proof. Suppose that $\lambda = \tfrac{1}{2}$; the system of equations satisfied by $\alpha$ is the same as that of Corollary 6.2.30 for $\lambda = \tfrac{1}{2}$. The saddle-value $L(\alpha, \lambda)$ is equal to (by Equation (6.2.1)):

$$\begin{aligned}
L(\alpha, \lambda) &= \tfrac{1}{2}\big(\sigma(\alpha - \alpha^X \mid B) + \tau^X\big) + \tfrac{1}{2}\big(\sigma(\alpha - \alpha^Y \mid B) + \tau^Y\big) \\
&= \tfrac{1}{2}\big(\sigma(\alpha - \alpha^X \mid B) + \sigma(\alpha - \alpha^Y \mid B) + \tau^Y + \tau^X\big) & \text{(Corol. 6.2.30, i)} \\
&= \tfrac{1}{2}\big(\sigma(\alpha^X - \alpha^Y \mid B) + \tau^Y + \tau^X\big) & \text{(Corol. 6.2.30, ii)}
\end{aligned}$$

It remains to prove that $\lambda = \tfrac{1}{2}$. The set $\lambda B \cap (1-\lambda)B$ is equal to $\min\{\lambda, (1-\lambda)\}B$. The constant $\min\{\lambda, (1-\lambda)\}$ is positive; using the fact that if $\lambda \geq 0$, $\sigma(x \mid \lambda C) = \lambda\,\sigma(x \mid C)$ (see for instance [Roc70, Theorem 16.1.1]), we then have

$$\sigma(\alpha^X - \alpha^Y \mid \lambda B \cap (1-\lambda)B) = \min\{\lambda, (1-\lambda)\}\,\sigma(\alpha^X - \alpha^Y \mid B),$$

and we next use the triangle inequality of the support function:

$$\min\{\lambda, (1-\lambda)\}\,\sigma(\alpha^X - \alpha^Y \mid B) \leq \min\{\lambda, (1-\lambda)\}\,\sigma(\alpha^X - \alpha \mid B) + \min\{\lambda, (1-\lambda)\}\,\sigma(\alpha - \alpha^Y \mid B) .$$

By Corollary 6.2.30, equation ii), $\sigma(\alpha^X - \alpha^Y \mid \lambda B \cap (1-\lambda)B)$ is equal to $\lambda\,\sigma(\alpha^X - \alpha \mid B) + (1-\lambda)\,\sigma(\alpha^Y - \alpha \mid B)$, thus the inequality becomes:

$$(\lambda - \min\{\lambda, (1-\lambda)\})\,\sigma(\alpha^X - \alpha \mid B) + ((1-\lambda) - \min\{\lambda, (1-\lambda)\})\,\sigma(\alpha - \alpha^Y \mid B) \leq 0, \qquad (6.2.4)$$

which makes the sum of two positive terms non-positive; therefore each term is necessarily equal to zero:

$$(\lambda - \min\{\lambda, (1-\lambda)\})\,\sigma(\alpha^X - \alpha \mid B) = 0 \qquad (6.2.5)$$

$$((1-\lambda) - \min\{\lambda, (1-\lambda)\})\,\sigma(\alpha - \alpha^Y \mid B) = 0 \qquad (6.2.6)$$

Equation (6.2.5) gives $\lambda = \min\{\lambda, (1-\lambda)\}$ (that is, $\lambda \leq \tfrac{1}{2}$) or $\alpha = \alpha^X$. If $\alpha = \alpha^X$, then Corollary 6.2.30, equation i), contradicts the hypothesis $\sigma(\alpha^Y - \alpha^X \mid B) > |\tau^X - \tau^Y|$, as it makes $\sigma(\alpha^Y - \alpha^X \mid B) = \tau^X - \tau^Y$. Likewise, equation (6.2.6) gives $(1-\lambda) = \min\{\lambda, (1-\lambda)\}$ (that is, $\lambda \geq \tfrac{1}{2}$) or $\alpha = \alpha^Y$. The latter also contradicts the hypothesis. Finally, $\lambda \geq \tfrac{1}{2}$ and $\lambda \leq \tfrac{1}{2}$, that is $\lambda = \tfrac{1}{2}$.


Instead of proving the result directly, we could also use Algorithm 1, which gives the value of $\lambda$ in the general case. We show that it also gives this unique value for $\alpha$. Here, all noise symbols are within $[-1, 1]$, so we have a unique line $L_i$ (see the definition $(L_i)$):

$$L_i = \{(\lambda, u_0) \mid \lambda = 1 - \lambda\} .$$

The set of points $V$ is equal to $\{(\tfrac{1}{2}, \tfrac{1}{2}), (\tfrac{1}{2}, -\tfrac{1}{2})\}$. The algorithm ends with $\lambda = \tfrac{1}{2}$, $u_i = \frac{\mathrm{sign}(\alpha^X_i - \alpha^Y_i)}{2}$, $0 \leq i \leq n$, and $\frac{1}{2}\big(\sigma(\alpha^X - \alpha^Y \mid B) + \tau^X + \tau^Y\big)$ as objective value, which is equal to the saddle-value found in Proposition 6.2.31. We can now deduce $\alpha$ using Propositions 6.2.24 and 6.2.25.

6.2.32 Proposition  The vector $\alpha$ satisfies

$$\langle \alpha, u^* \rangle = \Big\langle \frac{\alpha^Y + \alpha^X}{2}, u^* \Big\rangle + \frac{\tau^X - \tau^Y}{4},$$

where $u^* = \tfrac{1}{2}\,\mathrm{sign}(\alpha^X - \alpha^Y)$ (the sign vector of $\alpha^X - \alpha^Y$). Its coordinates respect

$$\forall i,\ 0 \leq i \leq n,\quad \min\{\alpha^X_i, \alpha^Y_i\} \leq \alpha_i \leq \max\{\alpha^X_i, \alpha^Y_i\} .$$

Proof. Proposition 6.2.24, with $\lambda = \tfrac{1}{2}$, determines immediately the first equation. Moreover, since $M^X = M^Y = I_n$ and $u_i = \frac{\mathrm{sign}(\alpha^X_i - \alpha^Y_i)}{2}$, Proposition 6.2.25 gives:

$$\begin{aligned}
\mathrm{sign}(\alpha^X_i - \alpha^Y_i) = 1 &\implies \alpha^X_i - \alpha_i \geq 0 \ \wedge\ \alpha_i - \alpha^Y_i \geq 0 \\
\mathrm{sign}(\alpha^X_i - \alpha^Y_i) = -1 &\implies \alpha^X_i - \alpha_i \leq 0 \ \wedge\ \alpha_i - \alpha^Y_i \leq 0 .
\end{aligned}$$

Moreover, there is always an $\alpha$ which respects these constraints, as we have proved that a saddle-point exists.

Propositions 6.2.31 and 6.2.32 are equivalent to [GP08, Proposition 20]. Among all possible solutions, Goubault and Putot in [GP08] picked the one which minimizes the interval concretisation of the perturbed affine form. The minimal interval concretisation of any upper bound is the join of the interval concretisations of the involved operands. This gives two additional constraints that $\alpha$ needs to respect:

$$\alpha^Z_0 = \mathrm{mid}([X] \cup [Y]), \qquad \sum_{i=1}^{n} |\alpha_i| + L(\alpha, \lambda) = \mathrm{dev}([X] \cup [Y]) .$$


Recall that $[X]$ (resp. $[Y]$) denotes the interval concretisation of $X$ (resp. $Y$), and that the interval concretisation of $(\alpha, \tau)$ is given by

$$\Big[\alpha_0 - \sum_{i=1}^{n} |\alpha_i| - \tau,\ \alpha_0 + \sum_{i=1}^{n} |\alpha_i| + \tau\Big] .$$

The authors prove in [GP08] that such a solution exists and is unique whenever the intervals $[X]$ and $[Y]$ are in generic position. Two intervals $i$ and $j$ are said to be in generic position if ($i \subseteq j$ or $j \subseteq i$) implies ($\sup(i) = \sup(j)$ or $\inf(i) = \inf(j)$).

When the intervals $[X]$ and $[Y]$ are in generic position, the solution is obtained by minimizing each term of the sum $\sum_{i=1}^{n} |\alpha_i|$:

$$\forall i,\ 1 \leq i \leq n,\quad \alpha_i = \mathrm{argmin}(\alpha^X_i, \alpha^Y_i),$$

where the argmin operator is defined as follows:

$$\mathrm{argmin}(\alpha_1, \alpha_2) := \{\alpha \in [\min(\alpha_1, \alpha_2), \max(\alpha_1, \alpha_2)],\ |\alpha| \text{ is minimal}\},$$

that is, if $\alpha_1\alpha_2 \leq 0$, then $\mathrm{argmin}(\alpha_1, \alpha_2) = 0$; else if both are positive, then $\mathrm{argmin}(\alpha_1, \alpha_2) = \min\{\alpha_1, \alpha_2\}$; else (both are negative) $\mathrm{argmin}(\alpha_1, \alpha_2) = \max\{\alpha_1, \alpha_2\}$.

If, however, the interval concretisations are not in generic position, uniqueness is no longer guaranteed, as shown in the following example. Moreover, the argmin solution may not be admissible.

6.2.33 Example  Let $X = ((1, 1, 2, 1), 0)$ and $Y = ((-2, -6, 1, 2), 0)$. We have $[X] = [-3, 5]$ and $[Y] = [-11, 7]$, thus the interval concretisations are not in generic position. The condition $\sigma(\alpha^X - \alpha^Y \mid B) \geq |\tau^Y - \tau^X|$ is satisfied, since $|\tau^Y - \tau^X| = 0$ and $\sigma(\alpha^X - \alpha^Y \mid B) = 12$. By Proposition 6.2.31, $\tau = L(\alpha, \lambda) = \frac{12}{2} = 6$, and by Proposition 6.2.32, $\alpha_0 + \alpha_1 + \alpha_2 - \alpha_3 = -3$ and

$$\alpha \in [-2, 1] \times [-6, 1] \times [1, 2] \times [1, 2] .$$

The argmin solution then gives $\alpha_1 = 0$, $\alpha_2 = 1$, and $\alpha_3 = 1$, which makes $\alpha_0 = -3 \notin [-2, 1]$. So here, the argmin operator is too strong to respect the constraints of Proposition 6.2.32. Still, any vector $(-2, \alpha_1, \alpha_2, \alpha_3)$ such that $|\alpha_1| + \alpha_2 + \alpha_3 = 3$, $\alpha_1 + \alpha_2 - \alpha_3 = -1$, $-6 \leq \alpha_1 \leq 1$, $1 \leq \alpha_2 \leq 2$, and $1 \leq \alpha_3 \leq 2$ is a mub of $X$ and $Y$ with a minimal interval concretisation.

We define the operator $\vee$ over two perturbed affine forms (PAF) as follows:


6.2.34 Definition  Let $X = (\alpha^X, \tau^X)$ and $Y = (\alpha^Y, \tau^Y)$ be two PAF.

$$Z = X \vee Y \ \stackrel{\text{def}}{\iff}\ \begin{cases}
\alpha^Z_0 = \mathrm{mid}([X] \cup [Y]) \\
\forall i \geq 1,\ \alpha^Z_i = \mathrm{argmin}(\alpha^X_i, \alpha^Y_i), \\
\tau^Z = \mathrm{dev}([X] \cup [Y]) - \sum_{i=1}^{n} |\alpha^Z_i|
\end{cases}$$

The operator $\vee$ has many advantages: in general it gives an upper bound of $X$ and $Y$; if $[X]$ and $[Y]$ are in generic position, then it returns exactly the unique mub of $X$ and $Y$; the interval concretisation of $X \vee Y$ is minimal, being indeed equal to $[X] \cup [Y]$; the computation is a linear function of $n$, the number of noise symbols involved.
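As an added example (not the thesis's own code), the $\vee$ operator of Definition 6.2.34 in Python, together with the generic-position test and, as checks, the least perturbation of Corollary 6.2.30 / Proposition 6.2.31 and the $\alpha_0$ that the hyperplane of Proposition 6.2.32 forces once $\alpha_1, \ldots, \alpha_n$ are fixed. Example 6.2.33 is reproduced, and a second, constructed pair in generic position is added for contrast; the function names and that second pair are this example's own assumptions.

```python
"""The argmin join (Definition 6.2.34) over perturbed affine forms, added example.

A PAF is written (alpha, tau) with alpha = (alpha_0, ..., alpha_n) and tau >= 0;
all noise symbols range over [-1, 1], so M^X = M^Y is the identity.
"""
from fractions import Fraction as F

HALF = F(1, 2)

def concretisation(paf):
    """[X] = [alpha_0 - sum|alpha_i| - tau, alpha_0 + sum|alpha_i| + tau]."""
    alpha, tau = paf
    spread = sum(abs(a) for a in alpha[1:]) + tau
    return (alpha[0] - spread, alpha[0] + spread)

def hull(i, j):
    """Interval join [X] ∪ [Y]."""
    return (min(i[0], j[0]), max(i[1], j[1]))

def generic_position(i, j):
    """Nested intervals must share a sup or an inf to be in generic position."""
    nested = (j[0] <= i[0] and i[1] <= j[1]) or (i[0] <= j[0] and j[1] <= i[1])
    return (not nested) or i[1] == j[1] or i[0] == j[0]

def argmin(a1, a2):
    """Element of [min(a1, a2), max(a1, a2)] of least absolute value."""
    if a1 * a2 <= 0:
        return 0
    return min(a1, a2) if a1 > 0 else max(a1, a2)

def join_paf(x, y):
    """Z = X ∨ Y: centre and width from [X] ∪ [Y], argmin on every noise symbol."""
    box = hull(concretisation(x), concretisation(y))
    mid, dev = HALF * (box[0] + box[1]), HALF * (box[1] - box[0])
    alpha_z = [mid] + [argmin(a, b) for a, b in zip(x[0][1:], y[0][1:])]
    tau_z = dev - sum(abs(a) for a in alpha_z[1:])
    return (alpha_z, tau_z)

def is_upper_bound(x, z):
    """X <= Z for PAF: ||alpha^Z - alpha^X||_1 <= tau^Z - tau^X."""
    return sum(abs(a - b) for a, b in zip(z[0], x[0])) <= z[1] - x[1]

def minimal_perturbation(x, y):
    """Saddle-value of Corollary 6.2.30 / Proposition 6.2.31: least tau of any upper bound."""
    (ax, tx), (ay, ty) = x, y
    norm = sum(abs(a - b) for a, b in zip(ax, ay))      # sigma(alpha^Y - alpha^X | B)
    if norm <= ty - tx:                                  # Y already dominates X
        return ty
    if norm <= tx - ty:                                  # X already dominates Y
        return tx
    return HALF * (norm + tx + ty)

def forced_alpha0(x, y, alpha_tail):
    """alpha_0 imposed by Proposition 6.2.32 once alpha_1..alpha_n are fixed, with
    u* = sign(alpha^X - alpha^Y) / 2; None when sign(alpha^X_0 - alpha^Y_0) = 0."""
    (ax, tx), (ay, ty) = x, y
    u = [HALF * ((a > b) - (a < b)) for a, b in zip(ax, ay)]
    if u[0] == 0:
        return None
    rhs = sum(HALF * (a + b) * ui for a, b, ui in zip(ax, ay, u)) + F(1, 4) * (tx - ty)
    return (rhs - sum(ui * ai for ui, ai in zip(u[1:], alpha_tail))) / u[0]

# Example 6.2.33 of the thesis: [X] = [-3, 5] lies strictly inside [Y] = [-11, 7].
X33 = ((1, 1, 2, 1), 0)
Y33 = ((-2, -6, 1, 2), 0)
# Constructed pair in generic position (an assumption, not from the thesis).
XG = ((1, 1), 0)
YG = ((2, 1), 0)

def report(x, y):
    z = join_paf(x, y)
    return {
        "generic": generic_position(concretisation(x), concretisation(y)),
        "join": z,
        "upper_bound": is_upper_bound(x, z) and is_upper_bound(y, z),
        "tau_min": minimal_perturbation(x, y),
        "alpha0_for_argmin": forced_alpha0(x, y, z[0][1:]),
    }

if __name__ == "__main__":
    for name, x, y in (("6.2.33", X33, Y33), ("generic", XG, YG)):
        print(name, report(x, y))
```

On Example 6.2.33 the join is an upper bound with perturbation 7 while the least possible is 6, and the argmin coefficients force $\alpha_0 = -3$ outside $[-2, 1]$; on the generic-position pair the join's perturbation equals the minimum and its centre coincides with the forced $\alpha_0$.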

We would like to define a similar operator over CAF. We stress first a major difference between the unconstrained and the constrained cases.

For CAF, we have seen that, among all upper bounds, it is sufficient to have minimal perturbation to be a mub. This sufficient condition is also necessary in the unconstrained case [GP08, Lemma 18].

6.2.35 Proposition  Given two PAF $X$ and $Y$, $Z$ is a mub of $X$ and $Y$ if and only if it is an upper bound and $\tau^Z$ is minimal among all $\tau^T$, the perturbation of any upper bound $T$.

Thus, in the unconstrained case, we can always find a mub which minimizes the perturbation and has a minimal concretisation, that is, its interval concretisation is the join of the interval concretisations of its operands. Whereas in the constrained case, being a mub is not equivalent to minimizing the perturbation. The mub that minimizes the perturbation does not have in general the minimal interval concretisation, and dually, the mub that has the minimal interval concretisation does not have the minimal perturbation (see for instance Example 6.2.3).

Thus, in general, in the constrained case, computing the set of mubs that minimize the perturbation, then enforcing the minimality of the interval concretisation, may give an empty set of solutions.

Efficient Upper Bound Computation

As we have detailed earlier, the $\vee$ operator (Definition 6.2.34), which uses the argmin solution, has several advantages in the unconstrained case. We define a similar upper bound operator over CAF.


6.2.36 Proposition  Let $X = (\alpha^X, \tau^X, \Phi^X_\varepsilon)$ and $Y = (\alpha^Y, \tau^Y, \Phi^Y_\varepsilon)$ be two CAF. Let $Z = X \vee Y$ be defined by $X$ (resp. $Y$) if $Y \leq_{1 \times 2} X$ (resp. $X \leq_{1 \times 2} Y$), and else:

• $\forall i \geq 1$, $\alpha^Z_i = \mathrm{argmin}(\alpha^X_i, \alpha^Y_i)$,

• if $|c^X - c^Y| \leq d^Y - d^X$, then $\alpha^Z_0 = c^X$ and $\tau^Z = d^X$,

• if $|c^X - c^Y| \leq d^X - d^Y$, then $\alpha^Z_0 = c^Y$ and $\tau^Z = d^Y$,

• if $|c^X - c^Y| > d^Y - d^X$, then

$$\alpha^Z_0 = \frac{c^X + c^Y}{2} + \frac{d^X - d^Y}{2}\,\mathrm{sign}(c^X - c^Y), \qquad \tau^Z = \frac{1}{2}\big(|c^X - c^Y| + d^X + d^Y\big)$$

where

$$\begin{aligned}
c^X &\stackrel{\text{def}}{=} \alpha^X_0 - \sum_{i=1}^{n} (\alpha^Z_i - \alpha^X_i)\,\mathrm{mid}(\varepsilon^X_i), & c^Y &\stackrel{\text{def}}{=} \alpha^Y_0 - \sum_{i=1}^{n} (\alpha^Z_i - \alpha^Y_i)\,\mathrm{mid}(\varepsilon^Y_i), \\
d^X &\stackrel{\text{def}}{=} \sum_{i=1}^{n} |\alpha^Z_i - \alpha^X_i|\,\mathrm{dev}(\varepsilon^X_i) + \tau^X, & d^Y &\stackrel{\text{def}}{=} \sum_{i=1}^{n} |\alpha^Z_i - \alpha^Y_i|\,\mathrm{dev}(\varepsilon^Y_i) + \tau^Y, \\
\varepsilon^X_i &= \mathrm{bound}_2(\varepsilon_i, \Phi^X_\varepsilon), & \varepsilon^Y_i &= \mathrm{bound}_2(\varepsilon_i, \Phi^Y_\varepsilon) .
\end{aligned}$$

Then, $Z$ is an upper bound of $X$ and $Y$.

Proof. By construction, $X \vee Y$ is an upper bound of $X$ and $Y$. This is obvious when $X$ and $Y$ are comparable. Otherwise, we set $\alpha^Z_i$, $1 \leq i \leq n$, to $\mathrm{argmin}(\alpha^X_i, \alpha^Y_i)$, then compute $\alpha^Z_0$ and $\tau^Z$ such that $Z$ is an upper bound of $X$ and $Y$ and $\tau^Z$ is minimal. For $Z$ to be an upper bound, $(\alpha^Z, \tau^Z)$ needs to satisfy ($M^X$ and $M^Y$ are the matrices related to $\Phi^X$ and $\Phi^Y$):

$$\begin{aligned}
\|M^X(\alpha^Z - \alpha^X)\|_1 &\leq \tau^Z - \tau^X \\
\|M^Y(\alpha^Z - \alpha^Y)\|_1 &\leq \tau^Z - \tau^Y,
\end{aligned}$$

or equivalently,

$$\begin{aligned}
|\alpha^Z_0 - c^X| &\leq \tau^Z - d^X \\
|\alpha^Z_0 - c^Y| &\leq \tau^Z - d^Y .
\end{aligned}$$


Now, we compute $\tau^Z$ and $\alpha^Z_0$ such that $\tau^Z$ is minimal, which is a special case ($n = 0$) of Corollary 6.2.30. Therefore, the definitions of $\tau^Z$ and $\alpha^Z_0$ are immediate from Propositions 6.2.31 and 6.2.32 respectively.

Notice that in general the operator $\vee$ over CAF does not give a mub: the interval concretisation of $X \vee Y$ is not minimal in general. Nevertheless, the procedure gives an upper bound in time linear in the number of noise symbols.

6.3 Join over Constrained Affine Sets

We build a join operator componentwise using the minimal upper bound of each dimension. The domain $\mathbb{A}_2$ is the intervals lattice. We use the canonical representation of CAS.

6.3.1 Proposition. Let $X = (C^X, P^X, \Phi^X_\varepsilon)$ and $Y = (C^Y, P^Y, \Phi^Y_\varepsilon)$ be the canonical representatives of two CAS. Then $Z$ defined by

• $\Phi^Z_\varepsilon = \Phi^X_\varepsilon \cup_2 \Phi^Y_\varepsilon$,

• $(LC^Z_i, P^Z_{i,i})$ is a mub of $(LC^X_i, \delta(P^{X\top} e_i \mid B))$ and $(LC^Y_i, \delta(P^{Y\top} e_i \mid B))$, $1 \leq i \leq p$, where $LM_i$ denotes the $i$-th line of matrix $M$ and $M_{i,i}$ is the $(i,i)$ component of matrix $M$; the vector $e_i$ is the $i$-th vector of the canonical base of $\mathbb{R}^p$, so that $P^{X\top} e_i$ is the $i$-th line of $P^X$ and $\delta(P^{X\top} e_i \mid B) = \lVert P^{X\top} e_i \rVert_1$ is the radius of its perturbation interval,

• all other components of $P^Z$ are null,

is an upper bound of $X$ and $Y$. We denote $Z$ by $X \sqcup Y$.

Proof. We prove that $X \leq_{1\times 2} Z$ using the equivalence of Proposition 4.3.7. Firstly, we have $\Phi^X_\varepsilon \subseteq \Phi^X_\varepsilon \cup \Phi^Y_\varepsilon = \Phi^Z_\varepsilon$. Secondly, for all $t \in \mathbb{R}^p$, we prove that the inequality
\[
\delta\!\left(t \mid (C^X - C^Z) M^{X\top} B\right) \leq \delta(t \mid P^Z B) - \delta(t \mid P^X B)
\]
holds. Equivalently, using that $\delta(t \mid B) = \lVert t \rVert_1$, we write
\[
\lVert M^X (C^X - C^Z)^{\top} t \rVert_1 \leq \lVert P^{Z\top} t \rVert_1 - \lVert P^{X\top} t \rVert_1 .
\]
An element $P^Z_{(i,i)}$, $1 \leq i \leq p$, by definition satisfies:
\[
\delta\!\left(M^X (LC^Z_i - LC^X_i) \mid B\right) \leq P^Z_{(i,i)} - \delta(P^{X\top} e_i \mid B) .
\]


Observing that $LC^Z_i - LC^X_i = (C^Z - C^X)^{\top} e_i$ and $P^Z_{(i,i)} = \lVert P^{Z\top} e_i \rVert_1$, and using the norm notation, we obtain
\[
\lVert M^X (C^Z - C^X)^{\top} e_i \rVert_1 \leq \lVert P^{Z\top} e_i \rVert_1 - \lVert P^{X\top} e_i \rVert_1 .
\]
Let $t_i$, $1 \leq i \leq p$, denote the coordinates of $t$. We have:
\begin{align*}
\lVert M^X (C^X - C^Z)^{\top} t \rVert_1 + \lVert P^{X\top} t \rVert_1
&\leq \sum_{i=1}^{p} |t_i| \left( \lVert M^X (C^X - C^Z)^{\top} e_i \rVert_1 + \lVert P^{X\top} e_i \rVert_1 \right) \\
&\leq \sum_{i=1}^{p} |t_i| \, \lVert P^{Z\top} e_i \rVert_1 \\
&= \lVert P^{Z\top} t \rVert_1 .
\end{align*}
The first inequality uses the triangle inequality. The last equality is due to the fact that $P^Z$ is a diagonal matrix. We prove similarly that $Y \leq_{1\times 2} Z$, by substituting $Y$ for $X$. Therefore, $Z$ is an upper bound of $X$ and $Y$.

The previous upper bound considers the enclosing boxes of the perturbation zonotopes, rather than the zonotopes themselves, and then computes a minimal upper bound of the CAS so obtained. Indeed, the join operator defined in Proposition 6.3.1 gives a minimal upper bound of its operands whenever the perturbation zonotopes of $X$ and $Y$ are simple boxes.

6.3.2 Proposition. Let $X = (C^X, P^X, \Phi^X_\varepsilon)$ and $Y = (C^Y, P^Y, \Phi^Y_\varepsilon)$ be the canonical representatives of two CAS such that the perturbation zonotopes $P^X B$ and $P^Y B$ are simple boxes ($P^X$ and $P^Y$ are diagonal matrices). Then $X \sqcup Y$ is the minimal upper bound of $X$ and $Y$.

Proof. By Proposition 6.3.1, $Z$ is an upper bound of $X$ and $Y$. Let $T$ be an upper bound such that $T \leq_{1\times 2} Z$; we prove that $T$ is necessarily equal to $Z$. Firstly, $\Phi^T_\varepsilon \subseteq \Phi^Z_\varepsilon = \Phi^X_\varepsilon \cup \Phi^Y_\varepsilon$, and since $T$ is an upper bound, $\Phi^X_\varepsilon \cup \Phi^Y_\varepsilon \subseteq \Phi^T_\varepsilon$; then necessarily $\Phi^T_\varepsilon = \Phi^Z_\varepsilon$. We next prove that the matrices $P^T$ and $P^Z$ are equal. For $t = e_i$, the $i$-th vector of the canonical base of $\mathbb{R}^p$, $\lVert P^{Z\top} e_i \rVert_1$ is minimal by construction, and
\[
\lVert M^X (C^Z - C^T)^{\top} e_i \rVert_1 \leq \lVert P^{Z\top} e_i \rVert_1 - \lVert P^{T\top} e_i \rVert_1 ,
\]
thus $\lVert P^{Z\top} e_i \rVert_1 = \lVert P^{T\top} e_i \rVert_1$ for all $i$, which makes $P^Z = P^T$. In turn this gives $(C^Z - C^T)^{\top} e_i = 0$ ($M^X$ is non-singular) for all $i$. Thus $\mathbb{R}^p \subseteq \ker((C^Z - C^T)^{\top})$. The rank-nullity theorem states that the sum of the rank of a matrix and the dimension of its kernel is equal to the number of its columns, that is $\operatorname{rank}((C^Z - C^T)^{\top}) + \dim\ker((C^Z - C^T)^{\top}) = p$. This makes $\operatorname{rank}((C^Z - C^T)^{\top}) = 0$, and $C^Z = C^T$.

This approximation loses all the relations kept by the perturbation noise symbols in each CAS before evaluating the upper bound. The total number of perturbation noise symbols after the $\sqcup$ operation is $p$.

We propose a slightly different componentwise upper bound which improves the accuracy of the previous upper bound in that it keeps track of the relations between perturbation noise symbols.

6.3.3 Proposition. Let $X = (C^X, P^X, \Phi^X)$ and $Y = (C^Y, P^Y, \Phi^Y)$ be the canonical representatives of two CAS. Then $Z$ defined by

• $\Phi^Z = \Phi^X \cup_2 \Phi^Y$,

• $((LC^Z_i, LP^Z_i), P^Z_{i,m+i})$ is the mub of $((LC^X_i, LP^X_i), 0)$ and $((LC^Y_i, LP^Y_i), 0)$, $1 \leq i \leq p$, where $(LM_i, LQ_i)$ denotes the vector formed by concatenating the $i$-th lines of the matrices $M$ and $Q$,

• the components $P^Z_{i,m+j}$, $1 \leq i, j \leq p$, $i \neq j$, are null,

is an upper bound of $X$ and $Y$. We denote $Z$ by $X \sqcup^{+} Y$.

Proof. We prove that $X \leq_{1\times 2} Z$ using the equivalence of Proposition 4.3.7. Firstly, we have $\Phi^X_\varepsilon \subseteq \Phi^X_\varepsilon \cup \Phi^Y_\varepsilon = \Phi^Z_\varepsilon$. Secondly, for all $t \in \mathbb{R}^p$, we prove that the inequality
\[
\delta\!\left(t \mid (C^X - C^Z) M^{X\top} B\right) \leq \delta(t \mid P^Z B) - \delta(t \mid P^X B)
\]
holds. Equivalently, using that $\delta(t \mid B) = \lVert t \rVert_1$, we write
\[
\lVert M^X (C^X - C^Z)^{\top} t \rVert_1 \leq \lVert P^{Z\top} t \rVert_1 - \lVert P^{X\top} t \rVert_1 .
\]
We decompose the matrix $P^Z$ into two blocks $(R^Z \mid D^Z)$. The matrix $D^Z$ is diagonal, $D^Z_{(i,i)} = P^Z_{(i,m+i)}$, $1 \leq i \leq p$. We denote by $M$ the matrix defined by the four blocks
\[
M = \begin{pmatrix} M^X & 0 \\ 0 & I_m \end{pmatrix} .
\]
Since the perturbation noise symbols are within $[-1, 1]$, the entries $M_{(1,i)}$, $i > n+1$, are null (the centre of $[-1, 1]$), whereas $M_{(i,i)}$, $i > n+1$, is equal to $1$ (the deviation of $[-1, 1]$). By definition of $P^Z_{(i,m+i)}$, $1 \leq i \leq p$, we have:
\[
\delta\!\left( M\big((LC^Z_i, LR^Z_i) - (LC^X_i, LP^X_i)\big) \mid B \right) \leq P^Z_{(i,m+i)},
\]
or equivalently,
\[
\left\lVert M\big((LC^Z_i, LR^Z_i) - (LC^X_i, LP^X_i)\big) \right\rVert_1 \leq P^Z_{(i,m+i)} .
\]
Given a vector $w = (u, v)$, defined as the concatenation of two vectors $u \in \mathbb{R}^{n+1}$ and $v \in \mathbb{R}^m$, we have
\[
\lVert w \rVert_1 = \sum_{i=0}^{n+m} |w_i| = \sum_{i=0}^{n} |u_i| + \sum_{j=1}^{m} |v_j| = \lVert u \rVert_1 + \lVert v \rVert_1 .
\]
Since $Mw = (M^X u, I_m v)$, we get $\lVert Mw \rVert_1 = \lVert M^X u \rVert_1 + \lVert v \rVert_1$. Applying this property to $\lVert M((LC^Z_i, LR^Z_i) - (LC^X_i, LP^X_i)) \rVert_1$, we obtain
\begin{align*}
\left\lVert M\big((LC^Z_i, LR^Z_i) - (LC^X_i, LP^X_i)\big) \right\rVert_1
&= \left\lVert M\big(LC^Z_i - LC^X_i,\; LR^Z_i - LP^X_i\big) \right\rVert_1 \\
&= \lVert M^X (LC^Z_i - LC^X_i) \rVert_1 + \lVert LR^Z_i - LP^X_i \rVert_1 .
\end{align*}
Using the identities $LC^Z_i - LC^X_i = (C^Z - C^X)^{\top} e_i$ and $LR^Z_i - LP^X_i = R^{Z\top} e_i - P^{X\top} e_i$, we obtain, for all $1 \leq i \leq p$:
\[
\lVert M^X (C^Z - C^X)^{\top} e_i \rVert_1 + \lVert R^{Z\top} e_i - P^{X\top} e_i \rVert_1 \leq P^Z_{(i,m+i)} .
\]
Let $t_i$, $1 \leq i \leq p$, denote the coordinates of $t$. We have:
\begin{align*}
\lVert M^X (C^X - C^Z)^{\top} t \rVert_1 + \lVert P^{X\top} t - R^{Z\top} t \rVert_1
&\leq \sum_{i=1}^{p} |t_i| \left( \lVert M^X (C^X - C^Z)^{\top} e_i \rVert_1 + \lVert R^{Z\top} e_i - P^{X\top} e_i \rVert_1 \right) \\
&\leq \sum_{i=1}^{p} |t_i| \, P^Z_{(i,m+i)} \\
&= \lVert D^{Z\top} t \rVert_1 .
\end{align*}
The first inequality uses the triangle inequality. The last equality is due to the fact that $D^Z$ is a diagonal matrix. Now, again the triangle inequality gives
\[
\lVert M^X (C^X - C^Z)^{\top} t \rVert_1 + \lVert P^{X\top} t \rVert_1 - \lVert R^{Z\top} t \rVert_1
\leq \lVert M^X (C^X - C^Z)^{\top} t \rVert_1 + \lVert P^{X\top} t - R^{Z\top} t \rVert_1 ,
\]
which makes
\[
\lVert M^X (C^X - C^Z)^{\top} t \rVert_1 + \lVert P^{X\top} t \rVert_1 \leq \lVert R^{Z\top} t \rVert_1 + \lVert D^{Z\top} t \rVert_1 = \lVert P^{Z\top} t \rVert_1 .
\]
The last equality uses Proposition 2:
\[
\lVert P^{Z\top} t \rVert_1 = \delta(t \mid P^Z B) = \delta(t \mid R^Z B + D^Z B) = \delta(t \mid R^Z B) + \delta(t \mid D^Z B) = \lVert R^{Z\top} t \rVert_1 + \lVert D^{Z\top} t \rVert_1 .
\]
We prove similarly that $Y \leq_{1\times 2} Z$, by substituting $Y$ for $X$. Therefore, $Z$ is an upper bound of $X$ and $Y$.

The computation of $\sqcup^{+}$ considers, only for the purpose of computing the join, that the perturbation noise symbols $\eta_i$, $1 \leq i \leq m$, are shared between the operands. Observe that the operation $\sqcup^{+}$ adds $p$ new perturbation noise symbols, whereas the number of noise symbols after $\sqcup$ is at most $p$.

The operators $\sqcup$ and $\sqcup^{+}$ are based on the computation of the minimal upper bound of the two perturbed affine forms related to each variable. Instead of computing the mub line by line, we could also compute the upper bound using the efficient (linear) operator $\vee$ (see Proposition 6.2.36). For instance, the use of $\sqcup^{+}$ together with $\vee$ over perturbed affine forms (see Definition 6.2.34) gives exactly [GP09, Lemma 10].
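The following Python code is an added worked example, not part of the thesis or of Taylor1+: it implements the linear operator $\vee$ of Proposition 6.2.36 over constrained affine forms, and the componentwise join $\sqcup$ of Proposition 6.3.1 built on $\vee$ instead of a mub, as suggested in the paragraph above. It assumes that the constraint $\Phi$ on the noise symbols is a box, so that $\operatorname{bound}_2(\varepsilon_i, \Phi)$ is one interval per symbol, and that $\operatorname{argmin}(a, b)$ returns the coefficient of least magnitude on the segment between $a$ and $b$ (0 when the signs differ); Definition 6.2.34 is not reproduced on this page, so that reading of argmin is an assumption of the example. The function `leq` checks the order $\leq_{1\times 2}$ with the condition used in the proof of Proposition 6.2.36; all other names are the example's own.

```python
"""Added example (not thesis or Taylor1+ code): the linear join v over
constrained affine forms (Proposition 6.2.36) and the componentwise join
|_| over constrained affine sets (Proposition 6.3.1), computed with v in
place of a mub.  Assumptions: Phi is a box, so bound2(eps_i, Phi) is an
interval per noise symbol; argmin(a, b) is the value of least magnitude on
the segment between a and b (0 when the signs differ)."""
from dataclasses import dataclass
from typing import List, Tuple

Interval = Tuple[float, float]
TOL = 1e-12  # slack for the <= tests, since plain floating-point arithmetic is used


def mid(iv: Interval) -> float:
    return (iv[0] + iv[1]) / 2.0


def dev(iv: Interval) -> float:
    return (iv[1] - iv[0]) / 2.0


def argmin(a: float, b: float) -> float:
    """Assumed reading of argmin: coefficient of least magnitude between a and b."""
    if a * b <= 0.0:
        return 0.0
    return a if abs(a) <= abs(b) else b


@dataclass
class CAF:
    alpha: List[float]   # alpha[0] is the centre, alpha[i] the coefficient of eps_i
    tau: float           # radius of the perturbation term tau * [-1, 1]
    eps: List[Interval]  # eps[i] = bound2(eps_i, Phi); eps[0] = (1, 1) for eps_0 = 1


def concretise(f: CAF) -> Interval:
    """Interval concretisation alpha_0 + sum_i alpha_i eps_i + tau [-1, 1]."""
    c = f.alpha[0] + sum(a * mid(e) for a, e in zip(f.alpha[1:], f.eps[1:]))
    r = f.tau + sum(abs(a) * dev(e) for a, e in zip(f.alpha[1:], f.eps[1:]))
    return (c - r, c + r)


def centre_radius(az: List[float], f: CAF) -> Tuple[float, float]:
    """c^F and d^F of Proposition 6.2.36 for candidate coefficients az (az[0] unused)."""
    diffs = [(az[i] - f.alpha[i], f.eps[i]) for i in range(1, len(az))]
    c = f.alpha[0] - sum(d * mid(e) for d, e in diffs)
    r = f.tau + sum(abs(d) * dev(e) for d, e in diffs)
    return c, r


def leq(y: CAF, x: CAF) -> bool:
    """y <=_{1x2} x: Phi^Y inside Phi^X and ||M^Y (alpha^X - alpha^Y)||_1 <= tau^X - tau^Y."""
    boxed = all(ex[0] <= ey[0] and ey[1] <= ex[1] for ey, ex in zip(y.eps[1:], x.eps[1:]))
    c, d = centre_radius(x.alpha, y)
    return boxed and abs(x.alpha[0] - c) <= x.tau - d + TOL


def join_caf(x: CAF, y: CAF) -> CAF:
    """X v Y of Proposition 6.2.36; linear in the number of noise symbols."""
    if leq(y, x):
        return x
    if leq(x, y):
        return y
    az = [0.0] + [argmin(a, b) for a, b in zip(x.alpha[1:], y.alpha[1:])]
    cx, dx = centre_radius(az, x)
    cy, dy = centre_radius(az, y)
    if abs(cx - cy) <= dx - dy:        # [cy +- dy] lies inside [cx +- dx]
        az[0], tz = cx, dx
    elif abs(cx - cy) <= dy - dx:      # [cx +- dx] lies inside [cy +- dy]
        az[0], tz = cy, dy
    else:                              # neither nested: take the interval hull
        sign = 1.0 if cx > cy else -1.0
        az[0] = (cx + cy) / 2.0 + sign * (dx - dy) / 2.0
        tz = (abs(cx - cy) + dx + dy) / 2.0
    eps_z = [(min(a[0], b[0]), max(a[1], b[1])) for a, b in zip(x.eps, y.eps)]
    return CAF(az, tz, eps_z)


def join_cas(cx, px, phi_x, cy, py, phi_y):
    """X |_| Y of Proposition 6.3.1 with v per line: line i of X is the CAF
    (LC^X_i, ||LP^X_i||_1, Phi^X).  Returns (C^Z, diagonal of P^Z, Phi^Z)."""
    phi_z = [(min(a[0], b[0]), max(a[1], b[1])) for a, b in zip(phi_x, phi_y)]
    c_z, p_z = [], []
    for lcx, lpx, lcy, lpy in zip(cx, px, cy, py):
        z = join_caf(CAF(lcx, sum(map(abs, lpx)), phi_x),
                     CAF(lcy, sum(map(abs, lpy)), phi_y))
        c_z.append(z.alpha)
        p_z.append(z.tau)
    return c_z, p_z, phi_z


if __name__ == "__main__":
    # Constructed operands: neither one is below the other in the order.
    x = CAF([1.0, 2.0, -1.0], 0.5, [(1.0, 1.0), (-1.0, 1.0), (0.0, 1.0)])
    y = CAF([0.0, 1.0, 1.0], 0.2, [(1.0, 1.0), (-1.0, 0.5), (-1.0, 1.0)])
    z = join_caf(x, y)
    print(z, concretise(x), concretise(y), concretise(z))
    print(leq(x, z), leq(y, z))
```

On the constructed operands the join falls into the nested case, and its interval concretisation happens to be the hull of the operands' concretisations; the general remark of the thesis still holds, since nothing in the construction forces that minimality.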


CHAPTER 7
Implementation and Experiments

We detail in this chapter our implementation of the Constrained Affine Sets abstract domain. Our domain is called Taylor1+ [GGP09]. Taylor1+ is fully compliant with the APRON library [apr07]. The APRON project provides a set of numerical abstract domains, namely Boxes, Octagons and Polyhedra, with a common interface, allowing one to switch from one domain to another without extra effort. One can then easily compare the results of different numerical domains, or combine them for better precision. Taylor1+ takes as a parameter any other APRON abstract domain (the default choice is Boxes) to handle the constraints on variables.

We use our domain to experiment with the precision and the efficiency of our approach and compare our results to the existing abstract domains.

We use floating-point arithmetic (precisely, double precision) for the abstract computations. Our choice is motivated by the flexibility and the efficiency of computations in this binary representation. Dealing with floating-point numbers needs particular attention, firstly to avoid classical pitfalls, and secondly to ensure the soundness of the analysis.

7.1 Abstract Computations Using Floating-point Numbers

So far, all results and operations over affine sets, either constrained or not, are defined over real-number semantics. The coefficients of the matrices $C$ and $P$ were considered as exact real numbers, and the operations assume that operands lie on the unbounded real line. In practice, however, computers are unable to represent these real numbers; the set of expressible numbers is even finite. Two finite-precision representations of real numbers exist: the fixed-point representation and the floating-point representation.

Fixed-point representation. Numbers are divided into an integer part and a fractional part. The number of digits used for each part determines the fixed-point type, and any base can be used to represent these parts. For instance, in the human-readable base 10, with a type of four decimal digits of which two are fractional (a scale factor of $1/100$), the decimal number 3.14 is represented by the integer 0314 multiplied by the fraction $1/100$. If a number does not fit into the representation, it is rounded or truncated. For instance, we cannot store more than two decimals of $\pi$ using this type, so 3.1415 has to be rounded. Many directions could be considered when rounding: a possible fixed-point representative of 3.1415 could be either 3.14 or 3.15. The first is the nearest representative, whereas the second is the first bigger representative. In both cases, there is a loss of precision due to the restriction to fit the internal representation of numbers. The computation is always performed with respect to the same type. Thus, the type is chosen to improve the accuracy of computations and to avoid overflows. The latter occur when we would like to represent a number which is strictly greater than the biggest number that the internal representation allows. For instance, with respect to our convention, the number 100 overflows, as the biggest number we can represent is 99.99, represented by the integer 9999 and the fraction $1/100$. Implementations usually rely on base 2 instead of base 10 for efficiency reasons. There is no built-in support in common processors for fixed-point computations, and classical high-level languages such as C or C++ offer neither a type nor a library for fixed-point computations. Nevertheless, this representation is used for special computations such as decoding audio signals [tre] (for embedded low-consumption circuits), or financial accounting software [gnu], as the rounding error is more predictable than with the floating-point representation.

Floating-point representation. This finite-precision representation is by far the most commonly used during the last quarter century, partly because of the existence of a standard (IEEE 754) since 1985 [IEE85] for floating-point arithmetic (with one major revision in 2008 [IEE08]), which was adopted by software editors as well as by major semiconductor chip makers (Intel, AMD, IBM). Since the early 1980s, many manufactured CPUs come with a special co-processor dedicated to floating-point computations, such as the famous Motorola 68000 family; the Intel x86 family even comes with a built-in floating-point unit. The floating-point representation is flexible, intuitive, and supported by high-level languages. Moreover, the native hardware support allows high-performance computations. We briefly introduce in the next section the IEEE 754 standard floating-point numbers.

Floating-point Numbers

We focus on the binary floating-point representation of real numbers; the base is then 2.

Representation. The floating-point representation is divided into three parts: one bit for the sign, $m$ bits to encode the fractional part, called the mantissa, and $e$ bits to encode the exponent. The total number of bits used, that is $1 + e + m$, defines the precision of a representation; we denote it by $p$. The IEEE 754 standard defines four representations: single precision ($p = 1 + 8 + 23$), double precision ($p = 1 + 11 + 52$), single-extended precision ($p \geq 43$), and double-extended precision ($p \geq 79$). Single and double precision are the most commonly used; double-extended precision is used for instance in the Intel x87 registers, which store floating-point numbers with $p = 80$. Single-extended precision is seldom used. A typical (big-endian¹) single-precision floating-point number (32 bits) is decomposed, from the most (left) to the least (right) significant bits, into three parts: the sign bit (1 bit) at position 31, counting from right to left and starting from 0; the biased exponent (8 bits, from position 23 to 30); and the mantissa (23 bits) for the rest. The sign bit determines the sign of the binary number: 0 means positive and 1 means negative. The exponent is stored in biased format $\mathit{bexp}$ without a sign bit: a constant, the bias, is added to the actual exponent to obtain $\mathit{bexp}$, and subtracted from $\mathit{bexp}$ to recover it. This bias is defined by $2^{e-1} - 1$, where $e$ denotes the number of bits allocated for the exponent. For instance, for the single-precision representation, $e = 8$, thus the bias is equal to $2^7 - 1 = 128 - 1 = 127$: to encode the exponent 1, $\mathit{bexp}$ should contain $1 + 127 = 128$. The mantissa encodes the fractional part of the binary number, that is the sequence of bits on the right-hand side of the binary point. The most significant bit of the mantissa is hidden. It is in fact encoded in the exponent as follows:

• if $\mathit{bexp}$ is zero and the fraction is non-zero (at least one bit is set to one), then the hidden bit is equal to 0. These numbers are called denormalized floating-point numbers.

• if $\mathit{bexp}$ lies within $[1, 2^e - 2]$, then the hidden bit is considered equal to one. These numbers are called normalized floating-point numbers.

The remaining possible value of the exponent, that is $2^e - 1$, encodes the infinities and NaNs. NaN stands for "Not a Number", and is used to store undefined results such as $0/0$. The value of the mantissa is used to distinguish between infinities and NaNs: if it is equal to zero, then the number is either $-\infty$ or $+\infty$, depending on the sign; if at least one bit of the mantissa is equal to one, then we have a NaN (the sign is meaningless). Observe that the floating-point representation makes a difference between $-0$ and $+0$, as the sign bit is independent from the value. The final form of a normalized number is
\[
(-1)^{s}\, 1.\mathit{mantissa} \times 2^{\mathit{bexp} - \mathit{bias}} .
\]

¹ Endianness refers to the order used to store a sequence of bytes (or bits). Big-endian starts from the most significant one, whereas little-endian starts with the least significant one.

For instance, our above example gives the (normalized) binary number $(-1)^{0}\, 1.1001001000011111101 \times 2^{128-127}$ (equal to 3.1415901 in base 10). Given a precision, the number of floating-point numbers is finite and their values are bounded. For instance, the double-precision numbers range from $-1.1111\ldots \times 2^{2046-1023}$ to $1.1111\ldots \times 2^{2046-1023}$, which gives in base ten:
\[
\pm\left(1 + \frac{1}{2} + \cdots + \frac{1}{2^{52}}\right) \times 2^{1023} = \pm\left(1 - \frac{1}{2^{53}}\right) \times 2^{1024} \simeq \pm 1.7977 \times 10^{308} .
\]

It is worth noting that floating-point numbers are not uniformly distributed. The population is dense around zero (because of the denormalized representation), whereas the gap between two successive floating-point numbers increases as we move away from zero toward the bounds. In fact, the gap is scaled by the factor $2^{\mathit{exp}}$, where $\mathit{exp}$ denotes the exponent. For instance, in the double-precision representation:

exp    bexp    range                        gap
0      1023    $[1,\ 2 - 2^{-52}]$          $2^{-52} \simeq 2.22 \times 10^{-16}$
2      1025    $[4,\ 8 - 2^{-50}]$          $2^{2}/2^{52} = 2^{-50} \simeq 8.88 \times 10^{-16}$
53     1076    $[2^{53},\ 2^{54} - 2]$      $2^{53}/2^{52} = 2$

This behavior makes floating-point numbers unsuitable for computations that involve large real numbers, such as accounting software. As said earlier, fixed-point computation offers in that case a more convenient way, as the distribution is more regular than that of floating-point numbers.
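As an added example, not taken from the thesis, the Python code below decodes the bit layout just described for both single and double precision: it extracts the sign, biased exponent and mantissa fields, classifies the encoding (zero, denormalized, normalized, infinity, NaN), reconstructs the exact value as a rational using the hidden bit and the bias $2^{e-1} - 1$, and computes the gap between successive floating-point numbers at a given exponent, which reproduces the rows of the table above. The `struct` module is used to read the big-endian bit pattern; the function and constant names are the example's own.

```python
"""Added example (not thesis code): decode IEEE 754 single and double
precision bit patterns into their fields and reconstruct the exact value."""
import math
import struct
from fractions import Fraction
from typing import Dict

# (exponent bits e, mantissa bits m, float format, same-size integer format)
FORMATS = {32: (8, 23, ">f", ">I"), 64: (11, 52, ">d", ">Q")}


def decode(x: float, bits: int = 64) -> Dict[str, object]:
    """Split x into sign, biased exponent and mantissa, and classify the encoding.

    The value is rebuilt as an exact Fraction: hidden bit 1 for normalized numbers,
    hidden bit 0 and exponent 1 - bias for denormalized ones (zero included).
    """
    e_bits, m_bits, ffmt, ifmt = FORMATS[bits]
    raw = struct.unpack(ifmt, struct.pack(ffmt, x))[0]   # big-endian bit pattern
    bias = 2 ** (e_bits - 1) - 1
    mantissa = raw & ((1 << m_bits) - 1)
    bexp = (raw >> m_bits) & ((1 << e_bits) - 1)
    sign = raw >> (e_bits + m_bits)                      # 0 is positive, 1 negative
    if bexp == (1 << e_bits) - 1:                        # all ones: infinity or NaN
        kind, value = ("inf", None) if mantissa == 0 else ("nan", None)
    elif bexp == 0:                                      # hidden bit 0
        kind = "zero" if mantissa == 0 else "denormalized"
        value = Fraction(mantissa, 1 << m_bits) * Fraction(2) ** (1 - bias)
    else:                                                # hidden bit 1
        kind = "normalized"
        value = (1 + Fraction(mantissa, 1 << m_bits)) * Fraction(2) ** (bexp - bias)
    if value is not None and sign:
        value = -value
    return {"sign": sign, "bexp": bexp, "exp": bexp - bias, "mantissa": mantissa,
            "kind": kind, "value": value}


def gap(exp: int, bits: int = 64) -> Fraction:
    """Distance between two successive normalized numbers of exponent exp: 2^exp * 2^-m."""
    _, m_bits, _, _ = FORMATS[bits]
    return Fraction(2) ** (exp - m_bits)


def binade(exp: int, bits: int = 64):
    """Smallest and largest normalized numbers of exponent exp: [2^exp, 2^(exp+1) - gap]."""
    return (Fraction(2) ** exp, Fraction(2) ** (exp + 1) - gap(exp, bits))


def largest_finite(bits: int = 64) -> Fraction:
    """(1 - 2^-(m+1)) * 2^(bias+1): every mantissa bit set at the largest finite exponent."""
    e_bits, m_bits, _, _ = FORMATS[bits]
    bias = 2 ** (e_bits - 1) - 1
    return (1 - Fraction(1, 2 ** (m_bits + 1))) * Fraction(2) ** (bias + 1)


if __name__ == "__main__":
    for v in (1.0, -0.0, 0.1, 5e-324, math.inf, math.nan, 3.1415901):
        d = decode(v, 64)
        print(f"{v!r:>12} sign={d['sign']} bexp={d['bexp']:4d} kind={d['kind']:12s} exact={d['value']}")
    for exp in (0, 2, 53):
        print(exp, exp + 1023, binade(exp), float(gap(exp)))
    print(float(largest_finite(64)))
```

Decoding 0.1 shows the infinite binary expansion mentioned later in this section: the exact value of the stored double is slightly above one tenth, because round-to-nearest picked the upper neighbour.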


Rounding directions. Arithmetic over floating-point numbers is not closed, as the result of an operation may not be a floating-point number. A round-off is then needed to cast the result into the required precision. The IEEE 754 standard defines four possible rounding directions:

• Round to nearest rounds the result to its nearest floating-point representative; if it falls midway, the representative whose least significant bit is zero is preferred. This is the default rounding mode. It is called round to nearest, ties to even in the 2008 revision, which also specifies an additional round-to-nearest mode (ties away from zero).

• Round toward 0 rounds the result to the first representative between the result and zero.

• Round toward $+\infty$ rounds the result to the closest greater representative.

• Round toward $-\infty$ rounds the result to the closest smaller representative.

Given a real number $x$, we denote by $\operatorname{float}_{p,r}(x)$ the floating-point representative of $x$ with respect to the precision $p$ and the rounding direction $r$, where $r \in \{n, 0, -\infty, +\infty\}$ and $n$ denotes round to nearest, ties to even. We define $\operatorname{float}_{p,r}(+\infty) = +\infty$, $\operatorname{float}_{p,r}(-\infty) = -\infty$ and $\operatorname{float}_{p,r}(0) = +0$, for all rounding directions and all precisions.

Invalid operations. The operations that are undefined in real-number arithmetic are also invalid in floating-point arithmetic. For instance, $(-\infty) + (+\infty)$, $0 \times \infty$, $0/0$, $\infty/\infty$ and the square root of a negative floating-point number return a NaN. Any arithmetic operation involving a NaN also returns a NaN.

Some pitfalls need to be kept in mind when using floating-point numbers; an excellent survey is Goldberg's article [Gol91]. Floating-point numbers are not real numbers and should not be considered as such when reasoning. The classical arithmetic operations $\{+, -, \times, \div\}$ are commutative but not associative, and multiplication does not distribute over addition. Thus, depending on the order of evaluation, the result may differ. Two given floating-point numbers are comparable with respect to the order over the extended real line. The order considers $-0 = +0$, $-\infty = -\infty$, $+\infty = +\infty$, and $x \neq \mathit{NaN}$ for any given floating-point number $x$, including NaNs themselves. Decimal fractions such as 0.1, 0.01, etc., do not have exact representatives, independently of the precision in use. In fact, the binary representatives of these fractions have an infinite binary expansion; for instance the "pure" binary representative of 0.1 is $1.100110011001100\ldots \times 2^{-4}$.


Intervals domain

Many numerical abstract domains use floating-point numbers for their internal computations. The loss of precision due to such an approximation is usually compensated by a tremendous gain in efficiency. However, their use for the purpose of abstract interpretation needs particular attention to ensure the soundness of the computations.

As mentioned in [Min04b] and implemented in [apr07], interval arithmetic can be implemented in a sound manner using rounding toward $\pm\infty$. We denote by $\mathbb{I}_F$ the set of intervals with floating-point bounds. A real interval $[r_1, r_2]$ is abstracted as follows:
\[
\alpha_F : \mathbb{I} \to \mathbb{I}_F, \qquad [r_1, r_2] \mapsto [\operatorname{float}_{p,-\infty}(r_1),\ \operatorname{float}_{p,+\infty}(r_2)] .
\]
The concretisation from $\mathbb{I}_F$ to $\mathbb{I}$ is the restriction to $\mathbb{I}_F$ of the identity over $\mathbb{I}$, since $\mathbb{I}_F \subseteq \mathbb{I}$. The definition of $\alpha_F$ respects the soundness property, that is $[r_1, r_2] \subseteq \alpha_F([r_1, r_2])$. Operations over intervals of $\mathbb{I}_F$ are defined as follows:

\begin{align*}
[f_1, f_2] +_F [f'_1, f'_2] &\stackrel{\text{def}}{=} [\operatorname{float}_{p,-\infty}(f_1 + f'_1),\ \operatorname{float}_{p,+\infty}(f_2 + f'_2)] \\
[f_1, f_2] -_F [f'_1, f'_2] &\stackrel{\text{def}}{=} [\operatorname{float}_{p,-\infty}(f_1 - f'_2),\ \operatorname{float}_{p,+\infty}(f_2 - f'_1)] \\
[f_1, f_2] \times_F [f'_1, f'_2] &\stackrel{\text{def}}{=} \big[\min\{\operatorname{float}_{p,-\infty}(f_1 f'_1),\ \operatorname{float}_{p,-\infty}(f_2 f'_1),\ \operatorname{float}_{p,-\infty}(f_1 f'_2),\ \operatorname{float}_{p,-\infty}(f_2 f'_2)\}, \\
&\qquad\ \max\{\operatorname{float}_{p,+\infty}(f_1 f'_1),\ \operatorname{float}_{p,+\infty}(f_2 f'_1),\ \operatorname{float}_{p,+\infty}(f_1 f'_2),\ \operatorname{float}_{p,+\infty}(f_2 f'_2)\}\big] \\
[f_1, f_2] \div_F [f'_1, f'_2] &\stackrel{\text{def}}{=} \big[\min\{\operatorname{float}_{p,-\infty}(f_1 / f'_1),\ \operatorname{float}_{p,-\infty}(f_2 / f'_1),\ \operatorname{float}_{p,-\infty}(f_1 / f'_2),\ \operatorname{float}_{p,-\infty}(f_2 / f'_2)\}, \\
&\qquad\ \max\{\operatorname{float}_{p,+\infty}(f_1 / f'_1),\ \operatorname{float}_{p,+\infty}(f_2 / f'_1),\ \operatorname{float}_{p,+\infty}(f_1 / f'_2),\ \operatorname{float}_{p,+\infty}(f_2 / f'_2)\}\big] \\
\sqrt{[f_1, f_2]}_F &\stackrel{\text{def}}{=} [\operatorname{float}_{p,-\infty}(\sqrt{f_1}),\ \operatorname{float}_{p,+\infty}(\sqrt{f_2})]
\end{align*}
(the division assumes $0 \notin [f'_1, f'_2]$ and the square root assumes $f_1 \geq 0$).

Affine Forms Domain

We denote by $\mathbb{A}_1(F)$ the set of affine forms with floating-point coefficients.

The definition of affine arithmetic over $\mathbb{A}_1(F)$ is not immediate, as the computations need to be safe. As mentioned by Figueiredo and Stolfi in [dFS97], there is no safe rounding direction that we could use to obtain a sound affine form². The rounding alters the correlations between variables, which may lead to an unsafe affine representation. Consider for instance the CAS $X$, defined over $\mathbb{A}_1$:

\[
X = \left( \begin{pmatrix} 0 & 0.5 \\ 0 & 0.1 \end{pmatrix},\ 0,\ 1 \times [-1, 1] \right),
\]
that is, $v_1 = 0.5\,\varepsilon_1$ and $v_2 = 0.1\,\varepsilon_1$ with $\varepsilon_1 \in [-1, 1]$ and no perturbation. The four CAS defined over $\mathbb{A}_1(F)$ obtained by rounding 0.1 are not safe:
\[
X_{p,r} = \left( \begin{pmatrix} 0 & \operatorname{float}_{p,r}(0.5) \\ 0 & \operatorname{float}_{p,r}(0.1) \end{pmatrix},\ 0,\ 1 \times [-1, 1] \right),
\]

where the rounding mode $r$ is within $\{n, 0, -\infty, +\infty\}$. Figure 7.1 illustrates the (degenerate) zonotope $\gamma_{1\times 2}(X)$ (gray segment), and the two zonotopes $\gamma_{1\times 2}(X_{p,+\infty})$ and $\gamma_{1\times 2}(X_{p,-\infty})$ (red segments). In this case, we have
\[
\gamma_{1\times 2}(X_{p,0}) = \gamma_{1\times 2}(X_{p,-\infty}) \quad\text{and}\quad \gamma_{1\times 2}(X_{p,n}) = \gamma_{1\times 2}(X_{p,+\infty}),
\]
since $\operatorname{float}_{p,r}(0.5) = 0.5$ for all rounding directions (0.5 is exactly representable), and
\[
\operatorname{float}_{p,+\infty}(0.1) = \operatorname{float}_{p,n}(0.1) \quad\text{and}\quad \operatorname{float}_{p,-\infty}(0.1) = \operatorname{float}_{p,0}(0.1),
\]
for $p \in \{32, 64\}$. None of these zonotopes contains the zonotope $\gamma_{1\times 2}(X)$, which makes $\gamma_{1\times 2}(X) \not\subseteq \gamma_{1\times 2}(\operatorname{cast}_{p,r}(X))$ for all $r \in \{n, 0, -\infty, +\infty\}$: the coefficient of $v_1$ is unchanged while that of $v_2$ is not, so the rounded segment has a different slope and meets the exact one only at the origin. Figueiredo and Stolfi proposed in [dFS97] to add a fresh noise symbol to compensate for the rounding error. The coefficient of this newly added symbol is an over-approximation of the rounding error. For instance, in our simple example, the affine form related to $v_2$ becomes
\[
\operatorname{float}_{p,n}(0.1)\,\varepsilon_1 + \operatorname{float}_{p,+\infty}\big(|0.1 - \operatorname{float}_{p,n}(0.1)|\big)\,\eta_f .
\]

The choice of round-offs is meant to minimize the coefficient of $\eta_f$: $|0.1 - \operatorname{float}_{p,r}(0.1)|$ is minimal when $r = n$, and rounding the absolute value toward $+\infty$ gives a floating-point number greater than (or equal to) the actual real number given by this absolute value. Figure 7.2 depicts the zonotope
\[
X_F \stackrel{\text{def}}{=} \left( \begin{pmatrix} 0 & \operatorname{float}_{p,n}(0.5) \\ 0 & \operatorname{float}_{p,n}(0.1) \end{pmatrix},\ \begin{pmatrix} 0 \\ \operatorname{float}_{p,+\infty}\big(|0.1 - \operatorname{float}_{p,n}(0.1)|\big) \end{pmatrix},\ 1 \times [-1, 1]^2 \right).
\]
Observe that it wraps closely the degenerate zonotope $\gamma_{1\times 2}(X)$ but leads to a loss of precision, in addition to a new perturbation noise symbol.

² In the intervals domain, for instance, it is sufficient to round the upper bound computations toward $+\infty$ and the lower bound computations toward $-\infty$ to obtain a safe interval that contains all possible real numbers.

[Figure 7.1: Unsafe approximation of affine sets: the correlation is falsified by the use of floating-point numbers. Axes $v_1$, $v_2$; the rounded segments are labelled $r \in \{n, +\infty\}$ with $\operatorname{float}_{p,+\infty}(0.1)$ and $r \in \{0, -\infty\}$ with $\operatorname{float}_{p,-\infty}(0.1)$, next to the binary expansion $1.1001100\ldots$ of 0.1 and the tick $0.1_2 = 0.5_{10}$.]

[Figure 7.2: Safe approximation: $X_F$ wraps $X$. Axes $v_1$, $v_2$; the label $\operatorname{float}_{p,n}(0.1)$ marks the rounded coefficient.]

Constrained Affine Sets Domain

The coefficients of the matrices $C$ and $P$ are now floating-point numbers. The domain $\mathbb{A}_1$ is substituted by its counterpart that respects the floating-point semantics (see Section 7.1).

Related work. The ideas we present here to overcome the use of floating-point numbers while remaining sound are well known in the literature. Figueiredo and Stolfi presented in [dFS97] similar approaches to implement a library of affine forms. Moreover, the use of Taylor models with floating-point numbers as an approximation technique for linearization has been widely studied and proved guaranteed (see for instance [RMB05] for a proof that Taylor models with floating-point coefficients respect the "containment property", which is equivalent to soundness in our context). The only main difference with our implementation is the use of intervals, instead of simple floating-point numbers, to encode the coefficients of the noise symbols.

The semantics of the evaluation of an expression $e \in \mathit{expr}$ in the abstract domain $\mathbb{A}(F)_{1\times 2}$ is given by:
\[
\forall e \in \mathit{expr},\quad \llbracket e \rrbracket^{\sharp}_F : \mathbb{A}(F)_{1\times 2} \to \mathbb{A}(F)_1 \times \mathbb{A}_2(F)
\]
\[
\llbracket v_k \rrbracket^{\sharp}_F(C, P, \Phi) \stackrel{\text{def}}{=} \left( \sum_{i=0}^{n} C_{(k,i)}\,\varepsilon_i + \sum_{j=1}^{m} P_{(k,j)}\,\eta_j,\ \Phi \right)
\]
The evaluation of an interval $[a, b]$ depends on whether the interval is bounded or unbounded. If $-\infty < a \leq b < +\infty$, then $\llbracket [a, b] \rrbracket^{\sharp}_F(C, P, \Phi)$ is defined by
\[
\left( \operatorname{mid}_F(\alpha_F([a, b])) + \operatorname{dev}_F(\alpha_F([a, b]))\,\varepsilon_f,\ \llbracket -1 \leq \varepsilon_f \leq 1 \rrbracket^{\sharp}_{2(F)}\, \llbracket \mathrm{add}\ \varepsilon_f \rrbracket^{\sharp}_{2(F)}\, \Phi \right).
\]
Otherwise, the affine form is just a new noise symbol:
\[
\llbracket [a, b] \rrbracket^{\sharp}_F(C, P, \Phi) \stackrel{\text{def}}{=}
\begin{cases}
\left( \varepsilon_f,\ \llbracket \varepsilon_f \leq b \rrbracket^{\sharp}_{2(F)}\, \llbracket \mathrm{add}\ \varepsilon_f \rrbracket^{\sharp}_{2(F)}\, \Phi \right) & \text{if } a = -\infty, \\
\left( \varepsilon_f,\ \llbracket a \leq \varepsilon_f \rrbracket^{\sharp}_{2(F)}\, \llbracket \mathrm{add}\ \varepsilon_f \rrbracket^{\sharp}_{2(F)}\, \Phi \right) & \text{if } b = +\infty.
\end{cases}
\]
For arithmetic unary and binary operations, the semantics is given by:
\[
\llbracket e_1 \diamond e_2 \rrbracket^{\sharp}_F(C, P, \Phi) \stackrel{\text{def}}{=} \llbracket e_1 \rrbracket^{\sharp}_F(C, P, \Phi)\ \diamond^{F}_{1\times 2}\ \llbracket e_2 \rrbracket^{\sharp}_F(C, P, \Phi), \quad \text{where } \diamond^{F}_{1\times 2} \in \{+^{F}_{1\times 2},\ -^{F}_{1\times 2},\ \times^{F}_{1\times 2},\ \div^{F}_{1\times 2}\},
\]
\[
\llbracket \sqrt{e} \rrbracket^{\sharp}_F(C, P, \Phi) \stackrel{\text{def}}{=} \sqrt{\cdot}^{\,F}_{1\times 2}\ \llbracket e \rrbracket^{\sharp}_F(C, P, \Phi) .
\]
The operators $\llbracket \cdot \rrbracket^{\sharp}_{2(F)}$ denote the abstract operators of the abstract domain $\mathbb{A}_2(F)$. The operation $\operatorname{mid}_F$ returns the nearest floating-point number to the exact midpoint of an interval:
\[
\operatorname{mid}_F : \mathbb{I}_F \to F, \qquad [f_1, f_2] \mapsto \operatorname{float}_{p,n}\!\left( \frac{f_1 + f_2}{2} \right).
\]
The function $\operatorname{dev}_F$, defined below, ensures an over-approximation of the exact radius of the interval, that is $\operatorname{dev}(i) \leq \operatorname{dev}_F(i)$ for all $i \in \mathbb{I}_F$:
\[
\operatorname{dev}_F : \mathbb{I}_F \to F, \qquad [f_1, f_2] \mapsto \max\left\{ \operatorname{float}_{p,+\infty}\big(f_2 - \operatorname{mid}_F([f_1, f_2])\big),\ \operatorname{float}_{p,+\infty}\big(\operatorname{mid}_F([f_1, f_2]) - f_1\big) \right\}.
\]
Notice that the definitions of $\operatorname{mid}_F$ and $\operatorname{dev}_F$ are such that the conversion from intervals to affine forms, then back to intervals, encloses the original interval.


Let $x_F = \sum_{i=0}^{n} \alpha^x_i\,\varepsilon_i + \sum_{j=1}^{m} \beta^x_j\,\eta_j$ and $y_F = \sum_{i=0}^{n} \alpha^y_i\,\varepsilon_i + \sum_{j=1}^{m} \beta^y_j\,\eta_j$ be two elements of $\mathbb{A}_1(F)$, and $\Phi$ an element of $\mathbb{A}_2(F)$. The abstract element $\Phi$ is not used by the computation of the coefficients; it is only extended with the new noise symbol. The addition $+^{F}_{1\times 2}$ of two CAS $(x_F, \Phi)$ and $(y_F, \Phi)$ gives an affine form $z_F$ and a noise symbols' abstract element $\Phi^z$, defined as follows:
\begin{align*}
z_F &\stackrel{\text{def}}{=} \sum_{i=0}^{n} \operatorname{float}_{p,n}(\alpha^x_i + \alpha^y_i)\,\varepsilon_i + \sum_{j=1}^{m} \operatorname{float}_{p,n}(\beta^x_j + \beta^y_j)\,\eta_j + \Delta\,\eta_{m+1} \\
\Phi^z &\stackrel{\text{def}}{=} \llbracket -1 \leq \eta_{m+1} \leq 1 \rrbracket^{\sharp}_{2(F)}\, \llbracket \mathrm{add}\ \eta_{m+1} \rrbracket^{\sharp}_{2(F)}\, \Phi .
\end{align*}
The floating-point number $\Delta$ accumulates all rounding errors:
\[
\Delta \stackrel{\text{def}}{=} \operatorname{float}_{p,+\infty}\!\left( \frac{\mathrm{ulp}_p}{2} \left( \sum_{i=0}^{n} 2^{\log_2(\operatorname{float}_{p,+\infty}(\alpha^x_i + \alpha^y_i))} + \sum_{j=1}^{m} 2^{\log_2(\operatorname{float}_{p,+\infty}(\beta^x_j + \beta^y_j))} \right) \right),
\]
where $\mathrm{ulp}_p$ denotes the floating-point number which corresponds to the unit in the last place, that is the floating-point number obtained when only the least significant bit of the mantissa is set to 1 with an exponent of 0, namely $2^{-m}$, the spacing of floating-point numbers in $[1, 2)$. The function $\log_2$ extracts the exponent of its floating-point operand, that is the biased exponent minus the bias. For instance, $\log_2(10.01_2) = 1$. Such a function is provided in the API of high-level languages; in C for instance, the primitive logb declared in the header file math.h extracts the exponent of a floating-point number. As we round to the nearest,
\[
\frac{\mathrm{ulp}_p}{2}\; 2^{\log_2(\operatorname{float}_{p,+\infty}(x))},
\]
which is usually denoted by $\mathrm{ulp}(x)/2$, gives a tight over-approximation of $|x - \operatorname{float}_{p,n}(x)|$. Notice that the computation of $\Delta$ requires changing the rounding mode, which is a relatively expensive operation (it costs about 6 floating-point additions, that is around a dozen cycles on a typical FPU [SS98]). To avoid repeated changes of the rounding direction, we may compute the $\log_2$ of the next representable neighbour of $\operatorname{float}_{p,n}(x)$ instead of $\operatorname{float}_{p,+\infty}(x)$, which is less precise but safe.

In our implementation the coefficient operations are handled by intervals. For instance, to compute the addition of two floating-point numbers $\alpha^x_i + \alpha^y_i$, we actually compute $\boldsymbol{\alpha}^x_i +_F \boldsymbol{\alpha}^y_i$, where $\boldsymbol{\alpha}^x_i \stackrel{\text{def}}{=} [\alpha^x_i, \alpha^x_i]$ and $\boldsymbol{\alpha}^y_i \stackrel{\text{def}}{=} [\alpha^y_i, \alpha^y_i]$. The obtained interval contains the exact value of the addition. The operation $+_F$ over intervals is sound, as detailed in Section 7.1. The new coefficient is assigned $\operatorname{mid}_F(\boldsymbol{\alpha}^x_i +_F \boldsymbol{\alpha}^y_i)$, while $\operatorname{dev}_F(\boldsymbol{\alpha}^x_i +_F \boldsymbol{\alpha}^y_i)$ is added to $\Delta$. The method is less precise than the two previous methods. It is also more expensive, as it involves the addition of two intervals. We now have for the addition $+^{F}_{1\times 2}$:
\begin{align*}
z_F &= \sum_{i=0}^{n} \operatorname{mid}_F(\boldsymbol{\alpha}^x_i +_F \boldsymbol{\alpha}^y_i)\,\varepsilon_i + \sum_{j=1}^{m} \operatorname{mid}_F(\boldsymbol{\beta}^x_j +_F \boldsymbol{\beta}^y_j)\,\eta_j + \Delta\,\eta_{m+1}, \\
\Phi^z &= \llbracket -1 \leq \eta_{m+1} \leq 1 \rrbracket^{\sharp}_{2(F)}\, \llbracket \mathrm{add}\ \eta_{m+1} \rrbracket^{\sharp}_{2(F)}\, \Phi, \\
\Delta &= \operatorname{float}_{p,+\infty}\!\left( \sum_{i=0}^{n} \operatorname{dev}_F(\boldsymbol{\alpha}^x_i +_F \boldsymbol{\alpha}^y_i) + \sum_{j=1}^{m} \operatorname{dev}_F(\boldsymbol{\beta}^x_j +_F \boldsymbol{\beta}^y_j) \right).
\end{align*}

The operation may be seen as the composition of two operations. The first computes the sum of the two affine forms as if the coefficients were intervals. The second applies a reduction to get back to a classical affine form, by replacing each interval coefficient by its midpoint with respect to $\operatorname{mid}_F$ and by accumulating the rounding errors into $\Delta$. We denote by $\mathbb{A}_1(\mathbb{I}_F)$ the set of affine forms with interval coefficients, and we use bold face to denote an element of $\mathbb{A}_1(\mathbb{I}_F)$. The reduction operator is defined as follows:

7.1.1 Definition (Reduction)
\[
\mathrm{reduction} : \mathbb{A}_1(\mathbb{I}_F) \times \mathbb{A}_2(F) \to \mathbb{A}_1(F) \times \mathbb{A}_2(F)
\]
\[
\mathrm{reduction}(\mathbf{x}_F, \Phi^X) \stackrel{\text{def}}{=} \left( y_F,\ \llbracket -1 \leq \eta_f \leq 1 \rrbracket^{\sharp}_{2(F)}\, \llbracket \mathrm{add}\ \eta_f \rrbracket^{\sharp}_{2(F)}\, \Phi^X \right), \quad \text{where}
\]
\begin{align*}
\alpha^y_0 &= \operatorname{mid}(\imath) \\
\alpha^y_i &= \operatorname{mid}(\boldsymbol{\alpha}^x_i), & 1 \leq i \leq n \\
\beta^y_j &= \operatorname{mid}(\boldsymbol{\beta}^x_j), & 1 \leq j \leq m \\
\beta^y_f &= \operatorname{dev}(\imath) .
\end{align*}
The interval $\imath$, given by
\[
\imath \stackrel{\text{def}}{=} \operatorname{mid}(\boldsymbol{\alpha}^x_0) + \operatorname{dev}(\boldsymbol{\alpha}^x_0)\,[-1, 1] + \sum_{i=1}^{n} \operatorname{dev}(\boldsymbol{\alpha}^x_i)\,[-1, 1]\,\boldsymbol{\varepsilon}^x_i + \sum_{j=1}^{m} \operatorname{dev}(\boldsymbol{\beta}^x_j)\,[-1, 1]\,\boldsymbol{\eta}^x_j ,
\]
needs the interval concretisation of the noise symbols, $\boldsymbol{\varepsilon}^x_i = \operatorname{bound}_2(\varepsilon_i, \Phi^X)$ and $\boldsymbol{\eta}^x_j = \operatorname{bound}_2(\eta_j, \Phi^X)$.

The abstract object of noise symbols is augmented with a new perturbation noise symbol $\eta_f$. The affine form so obtained is sound.

Remark 1. It is important to understand that we use intervals as a safe “receptacle” for local intermediate computations of floating-point numbers. The final result of the operations is always an affine form with floating-point number coefficients. The use of intervals as coefficients is interesting in its own right and is not covered in this work.

We allow scaling an affine form $x_F$ by an interval $\imath$, which gives an element of $A_1(\mathbb{IF})$:

$$\imath\,x_F \stackrel{def}{=} \sum_{i=0}^{n} (\alpha^x_i\,\imath)\,\epsilon_i + \sum_{j=1}^{m} (\beta^x_j\,\imath)\,\eta_j$$

Non-linear binary operations $\{\times^F_{1\times 2}, \div^F_{1\times 2}\}$ and the unary operation $\{\sqrt{\ }^{\,F}_{1\times 2}\}$ benefit from both abstract domains $A_1(\mathbb{F})$ and $A_2(\mathbb{F})$ for a better precision. For the multiplication and division operations, we first compute with respect to interval arithmetic, then reduce using the reduction operation. For the multiplication, the SDP method needs a guaranteed solver such as in [JCK07]. However, its use is expensive as it solves the problem more than once to obtain rigorous bounds for the optimal solution.

The definition of $\sqrt{\ }^{\,F}_{1\times 2}$ adds one new perturbation noise symbol: it is first created to encode the imprecision due to the linearization, and then used (implicitly in the reduction operation) to store the inaccuracy of computations using floating-point numbers. The special cases where $[a, b]$ is empty, or is equal to zero, or has an infinite bound are defined as for $\sqrt{\ }_{1\times 2}$ (the real number coefficients case, see Section 5.1). The compositional evaluation of an expression may add many new noise symbols (one per atomic operation). To avoid this behavior, which can lead to overly long affine forms, we can choose to reduce once at each assignment, that is, all computations are performed as with interval arithmetic for the coefficients, then the final affine form is reduced, which adds at most one perturbation noise symbol per assignment. The main drawback of this approach is the local loss of precision during the evaluation of the expression due to interval arithmetic.

The join operator. The join operator is defined componentwise as discussed in Chapter 6. As coefficients are intervals instead of real numbers, we cannot immediately use the already established results that characterize and compute a mub of two affine forms. To overcome this issue, we first reduce the involved affine forms, then compute the join. The newly added perturbation noise symbols due to the reduction operation will not survive the join: if $\sqcup$ is used then all perturbation noise symbols are lost; if $\sqcup^+$ is used instead we accumulate the fresh perturbations due to reduction into $\tau^X$ and $\tau^Y$. Thus, the total number of perturbation noise symbols after the join operation (either $\sqcup/\sqcup^+$, or $\vee$) after reduction is exactly the same as the number of perturbation noise symbols when the join is computed over CAS with real number coefficients.

Algorithm 3 is an extended version of Algorithm 2. The values of $\tau^X$ and $\tau^Y$ are updated respectively at lines 3 and 4. By definition of the reduction, the intervals $\beta^X_{m+1}$ and $\beta^Y_{m+2}$ are positive real numbers (deviation of an interval), so $\tau^X$ and $\tau^Y$ remain non-negative.

Algorithm 3: Computing a mub of two Extended Constrained Affine Forms

input : Two extended CAF $X = (\boldsymbol{\alpha}^X, \tau^X, \Phi^X_\epsilon)$ and $Y = (\boldsymbol{\alpha}^Y, \tau^Y, \Phi^Y_\epsilon)$.
output: A CAF $Z$ mub of $X$ and $Y$.

1  $(\alpha^{X'}, \Phi^{X'}) \leftarrow \mathrm{reduction}(\boldsymbol{\alpha}^X, \Phi^X)$;
2  $(\alpha^{Y'}, \Phi^{Y'}) \leftarrow \mathrm{reduction}(\boldsymbol{\alpha}^Y, \Phi^Y)$;
3  $\tau^X \leftarrow \tau^X + \beta^X_{m+1}$;
4  $\tau^Y \leftarrow \tau^Y + \beta^Y_{m+2}$;
5  $\mathrm{mubCAF}((\alpha^{X'}, \tau^X, \Phi^X), (\alpha^{Y'}, \tau^Y, \Phi^Y))$;   /* Algorithm 2 */

7.2 Implementation

Taylor1+ is a C library. Its API (Application Programming Interface) is APRON compliant, which means that any analyzer linked to the APRON Library can use Taylor1+ without any extra effort. In addition to its C interface, the library offers an OCaml interface. This interface is convenient since static analysis tools are usually written in OCaml.

The library is under the Lesser General Public Licence (LGPL) and is distributed for free together with the APRON Library.

Data structure. Taylor1+ represents a CAS by an array of pointers of size p (the number of numerical variables) and a generic abstract object for the noise symbols. Each pointer points to a special structure which encodes the affine form. The data structure of an affine form is a coefficient plus a simple chained list of terms. Each term contains a non-null coefficient and a pointer to a noise symbol (terms with null coefficients are not stored).


Context-sensitive noise symbols. In Taylor1+, noise symbols are not context aware, that is, we do not keep track of the control point context (input uncertainty, line, iteration, condition branch, etc.) that creates the noise symbol. We simply make a difference between input noise symbols and perturbation noise symbols. All these symbols are indexed by a global integer variable.

7.3 Experiments

In this section, we compare Taylor1+ with some other relational abstract domains in their APRON implementation, namely octagons and polyhedra. In Section 7.3 we show the accuracy of computations, whether these computations are linear or non-linear. Indeed, the affine forms-based domain handles the non-linear operations in an efficient and precise manner. The improvement of expressiveness due to the interpretation of tests using constraints over noise symbols, rather than a simple reduced product with intervals, is clearly demonstrated in Section 7.3. We focus finally, in Section 7.3, on the two join operators, $\vee$ and $\sqcup$, formally defined in Chapter 6. We compare the time cost of each operator as well as the “quality” of the final affine forms.

We used a laptop equipped with an Intel(R) Core(TM)2 CPU (1.06GHz) and 2GB of RAM. All results are rounded to two significant digits for the sake of readability.

Efficiency of Computations

We present in this section two benchmarks. We show the efficiency and precision of Taylor1+ computations compared to boxes, octagons and polyhedra. To this aim, we unroll two recursive schemes, one linear and one non-linear. The first is a (linear) 2nd order filter, the second involves a 3rd order Householder scheme to compute the square root of a given value (usually used when the square root routine is not provided).

We unroll these two simple iterative schemes and compare results with the other domains interfaced with APRON, namely the boxes, octagons and polyhedra abstract domains. All numerical values are rounded to two significant decimal digits for the sake of readability.


Linear Iterative Schemes

Consider the following 2nd order filter:

$$S_n = 0.7E_n - 1.3E_{n-1} + 1.1E_{n-2} + 1.4S_{n-1} - 0.7S_{n-2}$$

where $E_n$ are independent inputs with unknown values in the range $[0, 1]$, and $S_n$ is the output of the filter at iteration $n$. Poles are inside the unit circle (norm close to 0.84), so the output in real numbers is provably bounded, and can be tightly estimated by manual methods to $[-1.09, 2.75]$.

We fully unroll this 2nd order filter scheme to compute the abstract value at each iteration. Figure 7.3 compares accuracy and performance of Taylor1+ with three domains provided in APRON: Boxes (interval analysis), Octagons, Polyhedra (both the PK [Ja] and PPL [Pro] implementations were tested). The current version of the octagons domain does not integrate any of the symbolic enhancement methods of [Min06b], which leads to inaccurate results. The Polyhedra domain with exact arithmetic (using GMP) gives the exact bounds for the filter output (the scheme is linear). One can see that Taylor1+ wraps very closely the exact range given by polyhedra (left figure) with great performance (right figure).
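As an added example (not the thesis' or Taylor1+ code), the following C program unrolls the filter above with a dense affine form per iterate, one input noise symbol $\epsilon_k$ per input $E_k = 0.5 + 0.5\,\epsilon_k$, and compares the resulting bounds with a plain interval iteration. Rounding errors are ignored here (real-coefficient affine arithmetic), and the initial conditions $S_{-1} = S_{-2} = 0$ and $E_k = 0$ for $k < 0$ are this example's assumption.

```c
/* Added example (not from the thesis or Taylor1+): unrolling the 2nd order
 * filter S_n = 0.7E_n - 1.3E_{n-1} + 1.1E_{n-2} + 1.4S_{n-1} - 0.7S_{n-2}
 * with affine forms vs plain intervals. Each input E_k in [0,1] is written
 * 0.5 + 0.5*eps_k, so S_n stays a linear combination of the eps_k and its
 * range stays tight, while the box iteration loses every correlation. */
#include <math.h>
#include <stdio.h>

#define MAXN 64   /* maximum number of unrolled iterations in this example */

/* dense affine form: c0 + sum_k coef[k] * eps_k, with eps_k in [-1,1] */
typedef struct { double c0; double coef[MAXN]; } aff_t;
typedef struct { double lo, hi; } itv_t;

static aff_t aff_zero(void) { aff_t a = {0.0, {0.0}}; return a; }

/* a + s*b for a scalar s, computed componentwise on the noise symbols */
static aff_t aff_axpy(aff_t a, double s, const aff_t *b) {
    a.c0 += s * b->c0;
    for (int k = 0; k < MAXN; k++) a.coef[k] += s * b->coef[k];
    return a;
}

/* concretisation: center +/- sum of the absolute part deviations */
static itv_t aff_range(const aff_t *a) {
    double r = 0.0;
    for (int k = 0; k < MAXN; k++) r += fabs(a->coef[k]);
    itv_t i = { a->c0 - r, a->c0 + r };
    return i;
}

/* interval scaling and addition (real arithmetic, rounding ignored) */
static itv_t itv_scale(double s, itv_t i) {
    itv_t r = { s >= 0 ? s * i.lo : s * i.hi, s >= 0 ? s * i.hi : s * i.lo };
    return r;
}
static itv_t itv_add(itv_t a, itv_t b) {
    itv_t r = { a.lo + b.lo, a.hi + b.hi };
    return r;
}

/* Range of S_n computed with affine forms (S_{-1} = S_{-2} = 0, E_k = 0 for
 * k < 0 are assumptions of this example). n is capped at MAXN-1. */
itv_t filter_affine(int n) {
    if (n >= MAXN) n = MAXN - 1;
    aff_t s1 = aff_zero(), s2 = aff_zero();   /* S_{n-1}, S_{n-2} */
    aff_t e1 = aff_zero(), e2 = aff_zero();   /* E_{n-1}, E_{n-2} */
    aff_t s = aff_zero();
    for (int k = 0; k <= n; k++) {
        aff_t e = aff_zero();                  /* E_k = 0.5 + 0.5 eps_k */
        e.c0 = 0.5; e.coef[k] = 0.5;
        s = aff_zero();
        s = aff_axpy(s, 0.7, &e);
        s = aff_axpy(s, -1.3, &e1);
        s = aff_axpy(s, 1.1, &e2);
        s = aff_axpy(s, 1.4, &s1);
        s = aff_axpy(s, -0.7, &s2);
        s2 = s1; s1 = s; e2 = e1; e1 = e;
    }
    return aff_range(&s);
}

/* Same scheme with intervals only: the dependency between iterates is lost */
itv_t filter_box(int n) {
    itv_t s1 = {0, 0}, s2 = {0, 0}, e1 = {0, 0}, e2 = {0, 0}, s = {0, 0};
    for (int k = 0; k <= n; k++) {
        itv_t e = {0.0, 1.0};
        s = itv_scale(0.7, e);
        s = itv_add(s, itv_scale(-1.3, e1));
        s = itv_add(s, itv_scale(1.1, e2));
        s = itv_add(s, itv_scale(1.4, s1));
        s = itv_add(s, itv_scale(-0.7, s2));
        s2 = s1; s1 = s; e2 = e1; e1 = e;
    }
    return s;
}

int main(void) {
    for (int n = 2; n <= 20; n += 6) {
        itv_t a = filter_affine(n), b = filter_box(n);
        printf("n=%2d  affine [%.3f, %.3f]  box [%.3g, %.3g]\n",
               n, a.lo, a.hi, b.lo, b.hi);
    }
    return 0;
}
```

The affine bounds are partial sums of the filter's impulse response split by sign, so they grow monotonically toward the $[-1.09, 2.75]$ limit, whereas the box width grows geometrically with the number of iterations.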

Non-linear Iterative Scheme

The non-linear scheme we are considering is based on a Householder method of order 3 that converges towards the inverse of the square root of an input $A$. It originates from an industrial code, used as a test case in [GPBG07]. The current estimate of the inverse of the square root is updated as follows:

$$x_{n+1} = x_n + x_n\left(\frac{1}{2}h_n + \frac{3}{8}h_n^2\right)$$

where $h_n = 1 - A x_n^2$, $A \in [16, 20]$ and $x_0 = 2^{-4}$. We study the fully unrolled scheme for 5 iterations, and compare different implementations of the multiplication; results are shown in Table 7.1. We can see that the results are tight even for non-linear computations. The SDP solver is costly in time and does not seem to buy much more precision. However, for a larger range of the input $A$, SDP gives tighter results than the standard multiplication. Moreover, the real advantage of SDP over subdividing is that the process of subdividing inputs might become intractable when several inputs would need subdividing. We tested here a non-guaranteed SDP solver [Bor99], but we plan in the future to use a guaranteed SDP solver such as the one described in [JCK07].


[Figure 7.3: two plots. Left: upper and lower bounds of S (y-axis from -32 to 32) against the number of iterations (2 to 20) for Boxes, Octagons, Cons.T1+ and Polyhedra. Right: CPU time in seconds (1 to 4) against the number of iterations (100 to 900) for the same four domains.]

Figure 7.3: Unrolled scheme for the 2nd order filter

Unrolling (5 It.)          sqrt(A) = A x_n     t(s)
Boxes                      [0.51, 8.44]        1e-4
Octagons                   [0.51, 7.91]        0.01
Polyhedra                  [2.22, 6.56]        310
T.1+ :                     [3.97, 4.51]        1e-3
  - 10 subdivisions        [4.00, 4.47]        0.02
  - SDP                    [3.97, 4.51]        0.16

Table 7.1: Comparison of domains on the Householder (o3) example


              Exact        Octagons        Polyhedra       Uncons. Taylor1+   Taylor1+ (∨)
InterQ1       [0, 1875]    [-3750, 6093]   [-2578, 4687]   [0, 2500]          [0, 1875]
Cosine        [-1, 1]      [-1.50, 1.0]    [-1.50, 1.0]    [-1.073, 1]        [-1, 1]
SinCos        {1}          [0.84, 1.15]    [0.91, 1.07]    [0.86, 1.15]       [0.99, 1.00]
InterL2       {0.1}        [-1, 1]         [0.1, 0.4]      [-1, 1]            [0.1, 1]
InterQ2       {0.36}       [-1, 1]         [-0.8, 1]       [-1, 1]            [-0.4, 1]
InterQ2b      [-0.1, 3]    [-3, 27]        [-3, 27]        [-0.1, 27]         [-0.1, 3.77]

Table 7.2: Comparison of Constrained T1+ with APRON's abstract domains

Interpretation of tests

In this section, we compare the results (see footnote 3) obtained with the implementation of our domain with the octagons and polyhedra APRON domains and the unconstrained Taylor1+ [GGP10].

Table 7.2 shows the numerical range of a variable of interest for each test case and for each domain, after giving the exact range we hope to find. It can be noted that on these examples, Taylor1+ is always more accurate than octagons, and is also more accurate than polyhedra on non-affine problems.

In Table 7.2, InterQ1 combines linear tests with quadratic expressions; only constrained T1+ finds the right upper bound of the invariant. Cosine is a piecewise 3rd order polynomial interpolation of the cosine function: once again, only constrained T1+ finds the exact invariant. The program SinCos computes the sum of the squares of the sine and cosine functions (the real result is 1). InterL2 (resp. InterQ2) computes a piecewise affine (resp. quadratic) function of the input, then focuses on the inverse image of 1 by this function. In InterQ2b, which is the running example of [GGP10], we do not evaluate the inverse.

We now consider the computation of $g(g(x))$ on the range $x = [-2, 2]$, where

$$g(x) = \frac{\sqrt{x^2 - x + 0.5}}{\sqrt{x^2 + 0.5}}.$$

We parametrize the program that computes $g(g(x))$ by a number of tests that subdivide the domain of the input variable (see Figure 7.4 left for a parametrization by $n$ subdivisions), in order to compare the relative costs and precisions of the different domains when the size of the program grows.

It can be noted (Figure 7.6 left) that our domain scales up well while giving here more accurate results (Figure 7.6 right) than the other domains. As a matter of fact, with an interval domain for the noise symbols,

[3] Sources of the examples are available online: http://www.lix.polytechnique.fr/Labo/Khalil.Ghorbal/CAV2010


    g(x) = sqrt(x*x-x+0.5)/sqrt(x*x+0.5);
    x = [-2,2];
    /* for n subdivisions */ h = 4/n;
    if (-x<=h-2) y = g(x); z = g(y);
    ...
    else if (-x<=i*h-2) /* 2 <= i <= n-1 */ y = g(x); z = g(y);
    ...
    else
      y = g(x); z = g(y);

Figure 7.4: Implementation of g(g(x)) for x in [-2,2]

[Figure 7.5: plot of g(g(x)) for x in [-2, 2]; the y-axis spans roughly 0.54 to 0.62.]

Figure 7.5: plot of g(g(x))


[Figure 7.6: two plots. Left: CPU time in seconds (1 to 4) against the number of subdivisions (constraints), 10 to 500, for Boxes, Octagons, Cons.T1+ and Polyhedra (both polka and ppl). Right: width of g(g(x)) (1 to 4) against the number of subdivisions (2 to 20) for the same domains.]

Figure 7.6: Comparing analysis time and results of the different APRON domains.

all abstract transfer functions are linear or at worst quadratic in the number of noise symbols appearing in the affine forms. Notice also that our implementation detects the squares of variables, which allows constrained T1+ to give $[0, 4.72]$ without subdivisions while all other domains end with $[-\infty, +\infty]$ (noted by the dotted lines on Figure 7.6 right). The fact that the results observed for 3 and 5 subdivisions (Figure 7.6 right) are less accurate respectively than those observed for 2 and 4 subdivisions is related to the behavior of $g(g(x))$ on $[-2, 2]$ (see Figure 7.4 right): for example, when a change of monotonicity appears near the center of a subdivision, the approximations will be less accurate than when it appears at the border.

Join operators Performance

We compare the join operators $\vee$ and $\sqcup$ defined over CAF. The perturbation computed by $\sqcup$ is optimal, while its complexity is cubic in the number of noise symbols; $\vee$ is much more efficient, its complexity being linear, but is less precise.

The test is performed over randomly generated affine forms of length $n + m$, with coefficients within $[-1, 1]$. The computation of the perturbation with respect to $\vee$ is linear: in our experiments, the needed time never exceeds 0.01s (gray line at the bottom of Figure 7.7 left). On the other hand, the computation with respect to $\sqcup$ needs much more time; in fact it is cubic, as expected theoretically. In the right hand side of Figure 7.7, we observe that the optimal perturbation given by $\sqcup$ gives a more accurate


[Figure 7.7: two plots against the number of noise symbols (n+m), 10 to 500, for the operators ∨ and ⊔. Left: CPU time in seconds (10 to 40). Right: perturbation (20 to 80).]

Figure 7.7: Comparison of the join operators: computation time and accuracy of the perturbation

[Figure 7.8: remaining noise symbols (100 to 400) against the number of noise symbols (n+m), 10 to 500, for the operators ∨ and ⊔.]

Figure 7.8: Comparison of the join operators: remaining noise symbols

perturbation, even though the perturbation given by the operator $\vee$ stays close to the optimal one: for instance for $n + m = 400$, the perturbation given by $\vee$ is 60.4, whereas the one given by $\sqcup$ is 48.4. In addition, we observe in Figure 7.8 that the operator $\sqcup$ leaves in general all the noise symbols alive, whereas $\vee$ cancels many of them (actually more than half) by reducing their coefficient to zero (because of the argmin operator), which leads to less precise but “lighter” affine forms.

Table 7.3 reconsiders the same examples seen before (see Section 7.3), but now with respect to $\sqcup$. Observe the clear improvement of the invariants


              Exact        Uncons. Taylor1+   Taylor1+ (∨)    Taylor1+ (⊔)
InterQ1       [0, 1875]    [0, 2500]          [0, 1875]       [0, 1875]
Cosine        [-1, 1]      [-1.073, 1]        [-1, 1]         [-1, 1]
SinCos        {1}          [0.86, 1.15]       [0.99, 1.00]    [0.99, 1.00]
InterL2       {0.1}        [-1, 1]            [0.1, 1]        [0.066, 0.4]
InterQ2       {0.36}       [-1, 1]            [-0.4, 1]       [-0.29, 0.52]
InterQ2b      [-0.1, 3]    [-0.1, 27]         [-0.1, 3.77]    [-0.1, 3.77]

Table 7.3: ∨ vs ⊔

of examples InterL2 and InterQ2, due to a more accurate affine form after the join using the $\sqcup$ operator. For instance, in InterQ2, we have to compute the join of $-1.25 + 10\epsilon_0 + 1.25\epsilon_2$ (the if branch) and $2.5 + 20\epsilon_0 + 2.5\epsilon_1$ (the else branch). The affine form obtained after the join is as follows:

$$\vee : -2.5 + 10\epsilon_0 + 7.5\eta_3$$
$$\sqcup : -0.625 + 13.75\epsilon_0 + 5.625\eta_3 .$$

Indeed, $\sqcup$ makes a better distribution of the partial deviations in order to minimize the perturbation, and hence optimizes the correlation between the input variables (encoded by the input noise symbols $\epsilon_i$) and the final result. Therefore, when we compute the inverse image of 1, the input noise symbol $\epsilon_0$ is fixed, and $\sqcup$ yields a better result as it maximizes the contribution of that input to the final result.

Figure 7.9 depicts the two zonotopes found in the if and else branches of example InterQ2, as well as the upper bound of these zonotopes given by the operator $\vee$. The projection on the variable $y$ is $[-20, 15]$. It is slightly larger than the union of the projections on that variable, that is the union of $[-20, 5]$ and $[-2.5, 10]$, which gives $[-20, 10]$. In our implementation we use a reduced product with intervals to cancel such unnecessary over-approximation. In Figure 7.10 we depict the final invariant of such a reduced product; observe that the upper right corner of the original zonotope is truncated. The black shape in the same figure is the invariant given by the polyhedra abstract domain.


[Figure 7.9: plot in the (x, y) plane of the if and else branch zonotopes and their join (∨).]

Figure 7.9: The if and else branches zonotopes and their join (∨)

[Figure 7.10: plot in the (x, y) plane of the final invariant of InterQ2: reduced product of T1+ and boxes (gray), polyhedra (black).]

Figure 7.10: The final invariant of InterQ2: Reduced Product of T1+ and boxes (gray), Polyhedra (black)


CHAPTER 8
Conclusion

We have studied in this thesis the interesting combination of two different classes of abstract domains: the affine forms based abstract domain on one hand, and the polyhedra-like abstract domains on the other hand.

The affine sets abstract domain keeps and propagates implicitly (using noise symbols) the linear relations among variables. It shows great efficiency of computation as well as accurate results for both linear and non-linear operations. The polyhedra-like family of abstract domains, which includes polyhedra, zones, octagons and linear templates, is suitable to handle exactly the linear constraints among variables. We use this latter feature to address the interpretation of tests over affine sets, such as the intersection of a zonotope (the geometrical concretisation of affine sets) and a hyperplane. The exchange of information between the two abstract domains in use is formalized as a special logical product of these abstract domains. This particular combination, as shown in the experiments part, leads to finer invariants than the simple use of the reduced product of affine sets and intervals.

Moreover, we have extended and generalized the componentwise join operators defined in the classical affine sets domains to the newly defined domain. We have characterized a particular set of minimal upper bounds which minimize the perturbation, and have presented an algorithm, with cubic time complexity, to compute these upper bounds. Another algorithm, with linear complexity, was also defined following ideas from the classical perturbed affine sets domain. The latter algorithm trades the minimality of the perturbation for the cost of computations and therefore could be useful either as a first trial analysis or as a convergence accelerator.

The global approach for the join operators (instead of the componentwise approach detailed in this work) is an important direction we would like to explore as future work: first for the perturbed affine sets, following the work already done by Goubault and Putot, then for their constrained variant.

Another no less interesting avenue for future work could be the abstraction of the coefficients (the partial deviations) of affine sets, as already done for the noise symbols. Such an approach could be relevant to infer non-convex invariants. In fact, the generalized intervals (see Definition 3.3.1 of Section 3.3) use intervals as coefficients. As mentioned by Stolfi, this constitutes a fundamental difference between generalized intervals and affine forms, not only because the latter use real numbers as coefficients, but also because the joint-range of generalized intervals is not convex, whereas the joint-range of affine forms is a special polyhedron (zonotope). This convexity property is crucial in affine forms as defined and used in our work. Nevertheless, the non-convexity property may also be attractive and desirable, as it permits catching some non-convex invariants. This characteristic was for instance exploited in the recent work on the interval polyhedra abstract domain of Chen et al. [CMWC09].


APPENDIX A
The Support Function

We gather in this appendix some properties (without proofs) of the support function and its dual (or conjugate), the indicator function. An introduction to these particular functions, as well as detailed proofs, may be found for instance in [Roc70].

Recall the definition of the support function.

A.0.1 Definition. Let $C$ be a non-empty convex set of $\mathbb{R}^n$, then

$$\sigma(t \mid C) \stackrel{def}{=} \sup\{\langle t, x\rangle \mid x \in C\},$$

where $\langle\cdot,\cdot\rangle$ denotes the usual scalar product over $\mathbb{R}^n$.

The belonging of a vector to a closed convex set may be characterized using the support function.

A.0.2 Proposition. Let $C$ be a closed convex set. Then $x \in C$ if and only if

$$\langle t, x\rangle \le \sigma(t \mid C),$$

for every vector $t \in \mathbb{R}^n$.

The support function over a symmetric convex set is symmetric itself. A convex set is said to be symmetric if and only if $x \in C \implies -x \in C$. If $-C \stackrel{def}{=} \{x \mid -x \in C\}$, then $C$ is symmetric if and only if $C = -C$.

A.0.3 Proposition. Let $C \subset \mathbb{R}^n$ be a convex set, then

$$\sigma(t \mid -C) = \sigma(-t \mid C) .$$

Moreover, the support function of a symmetric convex set is symmetric, that is, if $-C = C$, we have $\sigma(t \mid C) = \sigma(-t \mid C)$ for all $t \in \mathbb{R}^n$.


Proof. By definition, $-x \in C$ if and only if $x \in -C$. The result is then immediate from Proposition A.0.2.

Proposition A.0.3 makes it possible to “move” the minus sign from the variable to the convex set and vice versa; moreover, if the convex set is symmetric, the minus sign can be absorbed by the symmetric convex set.

Remark 2. The support function of the sum of two convex sets can be expanded to the sum of the support functions of each operand of the sum. Indeed, for two non-empty convex sets $C_1, C_2 \subset \mathbb{R}^n$, one has $\sigma(t \mid C_1 + C_2) = \sigma(t \mid C_1) + \sigma(t \mid C_2)$ for all $t \in \mathbb{R}^n$. The proof is straightforward by the linearity of the scalar product:

$$\begin{aligned}
\sigma(t \mid C_1 + C_2) &= \sup\{\langle t, x\rangle \mid x \in C_1 + C_2\}\\
&= \sup\{\langle t, x_1 + x_2\rangle \mid x_1 \in C_1, x_2 \in C_2\}\\
&= \sup\{\langle t, x_1\rangle \mid x_1 \in C_1\} + \sup\{\langle t, x_2\rangle \mid x_2 \in C_2\}\\
&= \sigma(t \mid C_1) + \sigma(t \mid C_2)
\end{aligned}$$

The support function verifies the triangle inequality.

A.0.4 Proposition. The support function $\sigma(t \mid C)$ verifies

$$\sigma(t_1 + t_2 \mid C) \le \sigma(t_1 \mid C) + \sigma(t_2 \mid C), \quad \forall t_1, \forall t_2 .$$

The last proposition evaluates the composition of the support function and a linear transformation $A$ from $\mathbb{R}^m$ to $\mathbb{R}^n$.

A.0.5 Proposition. Let $A$ be a linear transformation from $\mathbb{R}^m$ to $\mathbb{R}^n$. For any convex set $C \subset \mathbb{R}^n$, one has

$$\sigma(At \mid C) = \sigma(t \mid A^*C), \quad \forall t \in \mathbb{R}^m,$$

where $A^*$ denotes the transpose matrix of the matrix $A$.

The support function respects the positive homogeneity property.

A.0.6 Proposition. For any non-empty convex set $C$, one has $\sigma(x \mid \lambda C) = \lambda\sigma(x \mid C)$, $0 \le \lambda < +\infty$.

The remaining properties concern the dual operations. The first property gives the conjugate of partial affine functions.


A.0.7 Proposition. Let $h$ be a convex function on $\mathbb{R}^n$, and let

$$f(x) = h(A(x - a)) + \langle x, b\rangle + \alpha,$$

where $A$ is a one-to-one linear transformation from $\mathbb{R}^n$ onto $\mathbb{R}^n$, $a$ and $b$ are vectors in $\mathbb{R}^n$, and $\alpha \in \mathbb{R}$. Then

$$f^*(t) = h^*\big((A^*)^{-1}(t - b)\big) + \langle t, a\rangle + \alpha^*,$$

where $A^*$ is the adjoint of $A$ and $\alpha^* = -\alpha - \langle a, b\rangle$.

The conjugate function of a sum is defined using the infimal convolution.

A.0.8 Proposition. Let $f_1, \dots, f_m$ be proper convex functions on $\mathbb{R}^p$. Then

$$(f_1 \square \cdots \square f_m)^* = f_1^* + \cdots + f_m^*,$$
$$(\mathrm{cl}\, f_1 + \cdots + \mathrm{cl}\, f_m)^* = \mathrm{cl}(f_1^* \square \cdots \square f_m^*).$$

If the sets $\mathrm{ri}(\mathrm{dom}\, f_i)$, $i = 1, \dots, m$ have a point in common, the closure operation can be omitted from the second formula, and

$$(f_1 + \cdots + f_m)^*(x^*) = \inf\{f_1^*(x_1^*) + \cdots + f_m^*(x_m^*) \mid x_1^* + \cdots + x_m^* = x^*\},$$

where for each $x^*$ the infimum is attained.

The dual of a positive scalar multiplication multiplies the epigraph of the function (this operation is called, and denoted as, right multiplication).

A.0.9 Proposition. For any proper convex function $f$, one has $(\lambda f)^* = f^*\lambda$, and $(f\lambda)^* = \lambda f^*$, $0 < \lambda < +\infty$.


APPENDIX B
Lengthy Proofs

B.1 Lemma 6.2.18: Fenchel Conjugate of $L_\lambda$

Proof of Lemma 6.2.18. We compute the conjugate of $L_\lambda$ at 0, as the conjugate of the sum of

$$L1_\lambda(\alpha) \stackrel{def}{=} \lambda\big(\sigma(M^X(\alpha - \alpha^X) \mid B) + \tau^X\big)$$
$$L2_\lambda(\alpha) \stackrel{def}{=} (1 - \lambda)\big(\sigma(M^Y(\alpha - \alpha^Y) \mid B) + \tau^Y\big)$$

The conjugate of a sum of convex functions is ruled by Proposition A.0.8. Functions $L1_\lambda$ and $L2_\lambda$ are proper convex functions: indeed, they are finite for a subset of $\mathbb{R}^n$, and $L1_\lambda(\alpha) > -\infty$, $L2_\lambda(\alpha) > -\infty$ for every $\alpha$. Moreover, $\mathrm{ri}(\mathrm{dom}\, L1_\lambda) = \mathrm{ri}(\mathrm{dom}\, L2_\lambda) = \mathbb{R}^n$. Therefore, for all $\alpha \in \mathbb{R}^n$:

$$(L1_\lambda + L2_\lambda)^*(\alpha) = \inf\{L1^*_\lambda(\alpha_1) + L2^*_\lambda(\alpha_2) \mid \alpha_1 + \alpha_2 = \alpha\} .$$

To evaluate $L^*_\lambda(0)$, we need to compute the conjugates of $L1_\lambda$ and $L2_\lambda$, then apply the previous formula for $\alpha = 0$. We detail the computation of the conjugate of the convex function $L1_\lambda$; the computation for $L2_\lambda$ is similar. The function $L1_\lambda$ is defined as a scalar multiplication of a composition of the support function and a linear transformation, the multiplication by $M^X$ and a translation by $-\alpha^X$. By Proposition A.0.9:

$$L1^*_\lambda(\alpha) = \big(\lambda(\sigma(M^X(\alpha - \alpha^X) \mid B) + \tau^X)\big)^*(\alpha) \tag{B.1.1}$$
$$\phantom{L1^*_\lambda(\alpha)} = \big((\sigma(M^X(\alpha - \alpha^X) \mid B) + \tau^X)^*\lambda\big)(\alpha) \tag{B.1.2}$$

Matrix $M^X$ is non-singular by construction, so by Proposition A.0.7, with $h \leftrightarrow \sigma$, $A \leftrightarrow M^X$, $a \leftrightarrow \alpha^X$, $b \leftrightarrow 0$, $\theta \leftrightarrow \tau^X$:

$$\big(\sigma(M^X(\alpha - \alpha^X) \mid B) + \tau^X\big)^*(\alpha) = \sigma^*\big((M^{X*})^{-1}(\alpha) \mid B\big) + \langle \alpha, \alpha^X\rangle - \tau^X .$$


The function $\sigma^*$ is the indicator function, conjugate of the support function $\sigma$ (see Definition 6.2.15). The right multiplication by $\lambda$ in (B.1.2) can now be evaluated:

$$\big((\sigma(M^X(\alpha - \alpha^X) \mid B) + \tau^X)^*\lambda\big)(\alpha) = \lambda\big(\sigma^*((M^{X*})^{-1}(\lambda^{-1}\alpha) \mid B) + \langle \lambda^{-1}\alpha, \alpha^X\rangle - \tau^X\big) .$$

We compute $L2^*_\lambda$ in a similar manner by substituting $X$ with $Y$ and $\lambda$ by $(1 - \lambda)$.

$$L1^*_\lambda(\alpha) = \lambda\big(\sigma^*((M^{X*})^{-1}(\lambda^{-1}\alpha) \mid B) + \langle \lambda^{-1}\alpha, \alpha^X\rangle - \tau^X\big)$$
$$L2^*_\lambda(\alpha) = (1 - \lambda)\big(\sigma^*((M^{Y*})^{-1}((1 - \lambda)^{-1}\alpha) \mid B) + \langle (1 - \lambda)^{-1}\alpha, \alpha^Y\rangle - \tau^Y\big)$$

We proceed by evaluating $L^*_\lambda(0)$.

$$\begin{aligned}
L^*_\lambda(0) &= \inf_{\alpha \in \mathbb{R}^n}\{L1^*_\lambda(\alpha) + L2^*_\lambda(-\alpha)\}\\
&= \inf_{\alpha \in \mathbb{R}^n}\big\{\lambda\big(\sigma^*((M^{X*})^{-1}(\lambda^{-1}\alpha) \mid B) + \langle \lambda^{-1}\alpha, \alpha^X\rangle - \tau^X\big)\\
&\qquad + (1 - \lambda)\big(\sigma^*((M^{Y*})^{-1}(-(1 - \lambda)^{-1}\alpha) \mid B) + \langle -(1 - \lambda)^{-1}\alpha, \alpha^Y\rangle - \tau^Y\big)\big\}\\
&= \inf_{\alpha \in \mathbb{R}^n}\big\{\lambda\,\sigma^*(\alpha \mid \lambda M^{X*}B) + \langle \alpha, \alpha^X\rangle - \lambda\tau^X\\
&\qquad + (1 - \lambda)\,\sigma^*(\alpha \mid (1 - \lambda)M^{Y*}B) - \langle \alpha, \alpha^Y\rangle - (1 - \lambda)\tau^Y\big\}\\
&= \inf_{\alpha \in \lambda M^{X*}B \,\cap\, (1 - \lambda)M^{Y*}B}\{\langle \alpha, \alpha^X - \alpha^Y\rangle - \lambda\tau^X - (1 - \lambda)\tau^Y\}\\
&= -\sigma\big(\alpha^X - \alpha^Y \mid \lambda M^{X*}B \cap (1 - \lambda)M^{Y*}B\big) - \lambda\tau^X - (1 - \lambda)\tau^Y .
\end{aligned}$$

B.2 Theorem 6.2.20: Saddle-Point Characterization

Proof of Theorem 6.2.20. We recall that $L(\alpha, \lambda)$ is a linear function with respect to $\lambda$, denoted by $a_\alpha\lambda + b_\alpha$ where:

$$a_\alpha = \sigma(M^X(\alpha^X - \alpha) \mid B) + \tau^X - \sigma(M^Y(\alpha^Y - \alpha) \mid B) - \tau^Y$$
$$b_\alpha = \sigma(M^Y(\alpha^Y - \alpha) \mid B) + \tau^Y .$$

We detail the first two cases, that is when $\sigma(M^X(\alpha^Y - \alpha^X) \mid B) < \tau^Y - \tau^X$, and when $\sigma(M^X(\alpha^Y - \alpha^X) \mid B) = \tau^Y - \tau^X$. The third and fourth cases are similar. The last case is a combination of Propositions 6.2.13 and 6.2.19.


First case: $\sigma(M^X(\alpha^Y - \alpha^X) \mid B) < \tau^Y - \tau^X$. We prove that $(\alpha^Y, 0)$ is a saddle-point of $L$. Then, we prove that it is the unique saddle-point. We know that, for all $\alpha \in \mathbb{R}^{n+1}$, $\sigma(M^Y(\alpha - \alpha^Y) \mid B)$ is non-negative, thus

$$\forall \alpha \in \mathbb{R}^{n+1},\quad \tau^Y \le \sigma(M^Y(\alpha - \alpha^Y) \mid B) + \tau^Y . \tag{B.2.1}$$

On the other hand, by hypothesis,

$$\sigma(M^X(\alpha^Y - \alpha^X) \mid B) + \tau^X < \tau^Y,$$

we multiply this inequality by $\lambda$, then add $(1 - \lambda)\tau^Y$ to both sides of the inequality; we obtain

$$\forall \lambda \in [0, 1],\quad \lambda\big(\sigma(M^X(\alpha^Y - \alpha^X) \mid B) + \tau^X\big) + (1 - \lambda)\tau^Y < \tau^Y . \tag{B.2.2}$$

We combine equations (B.2.1) and (B.2.2):

$$\forall \alpha \in \mathbb{R}^{n+1}, \forall \lambda \in [0, 1],\quad \lambda\big(\sigma(M^X(\alpha^Y - \alpha^X) \mid B) + \tau^X\big) + (1 - \lambda)\tau^Y < \tau^Y \le \sigma(M^Y(\alpha - \alpha^Y) \mid B) + \tau^Y,$$

which is equivalent to

$$\forall \alpha \in \mathbb{R}^{n+1}, \forall \lambda \in [0, 1],\quad L(\alpha^Y, \lambda) \le L(\alpha^Y, 0) \le L(\alpha, 0),$$

thus $(\alpha^Y, 0)$ is a saddle-point of $L$. We next prove, by contradiction, that it is the unique saddle-point of $L$ when the considered hypothesis is verified. Suppose that $(\alpha, \lambda) \ne (\alpha^Y, 0)$ is a saddle-point of $L$, then $L(\alpha, \lambda) \le L(\alpha^Y, \lambda)$. If $a_\alpha > 0$, then by Proposition 6.2.13, $\lambda = 1$. Therefore, $L(\alpha, \lambda) = \sigma(M^X(\alpha^X - \alpha) \mid B) + \tau^X$, and $L(\alpha^Y, \lambda) = \sigma(M^X(\alpha^X - \alpha^Y) \mid B) + \tau^X$. Thus

$$\sigma(M^X(\alpha^X - \alpha) \mid B) + \tau^X \le \sigma(M^X(\alpha^X - \alpha^Y) \mid B) + \tau^X .$$

However, $a_\alpha > 0$ implies:

$$\sigma(M^X(\alpha^X - \alpha) \mid B) + \tau^X > \sigma(M^Y(\alpha^Y - \alpha) \mid B) + \tau^Y .$$

Thus,

$$\sigma(M^X(\alpha^X - \alpha^Y) \mid B) + \tau^X > \sigma(M^Y(\alpha^Y - \alpha) \mid B) + \tau^Y,$$

which leads to the contradiction

$$\sigma(M^Y(\alpha^Y - \alpha) \mid B) < 0 .$$


Indeed, for all $x$, $\delta(x \mid B) = \|x\|_1 \ge 0$. Now, if $a_\alpha = 0$, then $L(\alpha, \lambda) \le L(\alpha_Y, \lambda)$ gives
$$
\delta(M_Y(\alpha_Y - \alpha) \mid B) + \tau_Y \le \tau_Y ,
$$
which forces $\alpha = \alpha_Y$; then $a_\alpha = 0$ contradicts the hypothesis, as it makes
$$
\delta(M_X(\alpha_X - \alpha_Y) \mid B) + \tau_X = \tau_Y .
$$
The last case, $a_\alpha < 0$, gives $\lambda = 0$ by Proposition 6.2.13. Using Proposition 6.2.19, we obtain $\alpha = \alpha_Y$, which also contradicts the hypothesis $(\alpha, \lambda) \ne (\alpha_Y, 0)$. Thus, the unique saddle-point is indeed $(\alpha_Y, 0)$. The saddle-value of $L$ is then $L(\alpha_Y, 0) = \tau_Y$.

Second case: $\delta(M_X(\alpha_Y - \alpha_X) \mid B) = \tau_Y - \tau_X$. If $\alpha_Y = \alpha_X$ and $\tau_Y = \tau_X$, then obviously $\alpha = \alpha_X = \alpha_Y$ and $\lambda$ can be any real number within $[0, 1]$. The saddle-value is then equal to $\tau_X$ (or $\tau_Y$). If however $\alpha_Y = \alpha_X$ and $\tau_Y \ne \tau_X$, the hypothesis is not satisfied; similarly if $\alpha_Y \ne \alpha_X$ and $\tau_Y = \tau_X$. Now, if $\alpha_Y \ne \alpha_X$ and $\tau_Y \ne \tau_X$, we prove that $L$ admits infinitely many saddle-points, all with $\alpha = \alpha_Y$, and that its saddle-value is equal to $\tau_Y$. Seen as a linear function of $\lambda$, observe that, by hypothesis, $a_{\alpha_Y} = 0$. Thus
$$
\forall \mu \in [0, 1], \forall \lambda \in [0, 1], \quad L(\alpha_Y, \mu) = L(\alpha_Y, \lambda) = b_{\alpha_Y} .
$$
On the other hand,
$$
L(\alpha_Y, \lambda) = \tau_Y \le L(\alpha, \lambda) ;
$$
indeed $L(\alpha, \lambda)$ can be written as $\tau_Y$ plus a positive term:
$$
L(\alpha, \lambda) = \lambda\,\delta(M_X(\alpha_X - \alpha) \mid B) + (1-\lambda)\,\delta(M_Y(\alpha_Y - \alpha) \mid B) + \lambda(\tau_X - \tau_Y) + \tau_Y ,
$$
where the positiveness of $(\tau_X - \tau_Y)$ is due to the equality $\delta(M_X(\alpha_Y - \alpha_X) \mid B) = \tau_Y - \tau_X$ and the positiveness of $\delta(M_X(\alpha_Y - \alpha_X) \mid B)$. Thus,
$$
\forall \alpha \in \mathbb{R}^{n+1}, \forall \mu \in [0, 1], \forall \lambda \in [0, 1], \quad L(\alpha_Y, \mu) \le L(\alpha_Y, \lambda) \le L(\alpha, \lambda) ,
$$
which makes all the points $(\alpha_Y, \lambda)$, $\lambda \in [0, 1]$, saddle-points of $L$. The saddle-value associated with all these saddle-points is $\tau_Y$.

Third and fourth cases. The proof is very similar to the first and second cases respectively, exchanging $X$ with $Y$ and $\lambda$ with $(1 - \lambda)$.

Last case:
$$
\delta(M_X(\alpha_Y - \alpha_X) \mid B) > |\tau_Y - \tau_X| , \qquad
\delta(M_Y(\alpha_Y - \alpha_X) \mid B) > |\tau_Y - \tau_X| .
$$
We just combine Propositions 6.2.13 and 6.2.19. We prove in addition that $\lambda \in \,]0, 1[$, that is, the values $0$ and $1$ are excluded when this hypothesis


is satisfied. If $\lambda = 1$, then by Proposition 6.2.19, $\alpha = \alpha_X$, which makes
$$
a_\alpha = \tau_X - \tau_Y - \delta(M_Y(\alpha_Y - \alpha_X) \mid B)
$$
negative by hypothesis. By Proposition 6.2.13, $a_\alpha < 0$ implies the contradiction $\lambda = 0$; thus $a_\alpha = 0$, and necessarily
$$
\tau_X - \tau_Y = \delta(M_Y(\alpha_Y - \alpha_X) \mid B) ,
$$
which also contradicts the strict inequality of the hypothesis. Therefore, $\lambda = 1$ is impossible. Similarly, we prove that $\lambda = 0$ is also impossible.
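As an added illustration of the first case of the proof above (this is example code, not code from the thesis), the following Python script evaluates $L$ on a constructed two-dimensional instance and checks the saddle-point inequalities $L(\alpha_Y, \lambda) \le L(\alpha_Y, 0) \le L(\alpha, 0)$ on a finite sample of $\alpha$ and $\lambda$. It assumes $\delta(x \mid B) = \|x\|_1$, as stated in the proof, and the expansion of $L$ given in the second case, $L(\alpha,\lambda) = \lambda(\delta(M_X(\alpha_X-\alpha)\mid B)+\tau_X) + (1-\lambda)(\delta(M_Y(\alpha_Y-\alpha)\mid B)+\tau_Y)$. The matrices $M_X$, $M_Y$, the centres $\alpha_X$, $\alpha_Y$ and the offsets $\tau_X$, $\tau_Y$ are constructed values chosen so that the first-case hypothesis holds; the helper names (`lagrangian`, `is_saddle_point`, `check_first_case`) are the example's own.

```python
# Added example (not from the thesis): numerical check of the first case of
# Theorem 6.2.20 on a constructed instance. Assumes, as the proof states,
# delta(x | B) = ||x||_1, and the expansion of L given in the second case:
#   L(alpha, lam) = lam*(delta(M_X(alpha_X - alpha)|B) + tau_X)
#                 + (1-lam)*(delta(M_Y(alpha_Y - alpha)|B) + tau_Y)
from itertools import product


def delta(x):
    """delta(x | B) for the unit box B: the l1 norm of x (always >= 0)."""
    return sum(abs(v) for v in x)


def matvec(M, v):
    """Matrix-vector product, M given as a list of rows."""
    return [sum(m * u for m, u in zip(row, v)) for row in M]


def vsub(a, b):
    return [u - v for u, v in zip(a, b)]


def lagrangian(alpha, lam, X, Y):
    """L(alpha, lam) for X = (M_X, alpha_X, tau_X) and Y = (M_Y, alpha_Y, tau_Y)."""
    MX, aX, tX = X
    MY, aY, tY = Y
    return (lam * (delta(matvec(MX, vsub(aX, alpha))) + tX)
            + (1.0 - lam) * (delta(matvec(MY, vsub(aY, alpha))) + tY))


def first_case_holds(X, Y):
    """Hypothesis of the first case: delta(M_X(alpha_Y - alpha_X)|B) + tau_X < tau_Y."""
    MX, aX, tX = X
    _, aY, tY = Y
    return delta(matvec(MX, vsub(aY, aX))) + tX < tY


def is_saddle_point(alpha_s, lam_s, X, Y, alphas, lams, eps=1e-9):
    """Finite check of L(alpha_s, lam) <= L(alpha_s, lam_s) <= L(alpha, lam_s)
    over the sampled lambdas and alphas (a grid, hence a necessary condition only)."""
    v = lagrangian(alpha_s, lam_s, X, Y)
    sup_lam = max(lagrangian(alpha_s, lam, X, Y) for lam in lams)
    inf_alpha = min(lagrangian(alpha, lam_s, X, Y) for alpha in alphas)
    return sup_lam <= v + eps and v <= inf_alpha + eps


# Constructed instance in R^2 (n + 1 = 2): identity M_X, a sheared M_Y.
X = ([[1.0, 0.0], [0.0, 1.0]], [0.0, 0.0], 0.0)   # (M_X, alpha_X, tau_X)
Y = ([[1.0, 0.5], [0.0, 1.0]], [1.0, 0.0], 5.0)   # (M_Y, alpha_Y, tau_Y)

# Sample points: alpha on a grid over [-2, 2]^2 (step 0.5, so alpha_X and
# alpha_Y are grid points), lambda in steps of 0.1 over [0, 1].
ALPHAS = [[i * 0.5 - 2.0, j * 0.5 - 2.0] for i, j in product(range(9), repeat=2)]
LAMBDAS = [k / 10.0 for k in range(11)]


def check_first_case():
    """Return (hypothesis holds, (alpha_Y, 0) is a saddle-point, its value,
    (alpha_X, 1) is a saddle-point)."""
    _, aX, _ = X
    _, aY, _ = Y
    hyp = first_case_holds(X, Y)                        # 1 + 0 < 5
    sp = is_saddle_point(aY, 0.0, X, Y, ALPHAS, LAMBDAS)  # (alpha_Y, 0)
    value = lagrangian(aY, 0.0, X, Y)                   # saddle-value tau_Y
    other = is_saddle_point(aX, 1.0, X, Y, ALPHAS, LAMBDAS)  # not a saddle-point
    return hyp, sp, value, other


if __name__ == "__main__":
    print(check_first_case())  # (True, True, 5.0, False)
```

On this instance $L(\alpha_Y, \lambda) = 5 - 4\lambda$, which is maximal at $\lambda = 0$, and $L(\alpha, 0) = \|M_Y(\alpha_Y - \alpha)\|_1 + 5 \ge 5$, so the two inequalities of the first case hold with saddle-value $\tau_Y = 5$; the point $(\alpha_X, 1)$ fails the check because $L(\alpha_X, 0) = 6 > L(\alpha_X, 1) = 0$.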
