Computing Program Reliability Using Forward-Backward Precondition Analysis and Model Counting

The goal of probabilistic static analysis is to quantify the probability that a given program satisfies/violates a required property (assertion). In this work, we use a static analysis by abstract interpretation and model counting to construct probabilistic analysis of deterministic programs with uncertain input data, which can be used for estimating the probabilities of assertions (program reliability). In particular, we automatically infer necessary preconditions in order a given assertion to be satisfied/violated at run-time using a combination of forward and backward static analyses. The focus is on numeric properties of variables and numeric abstract domains, such as polyhedra. The obtained preconditions in the form of linear constraints are then analyzed to quantify how likely is an input to satisfy them. Model counting techniques are employed to count the number of solutions that satisfy given linear constraints. These counts are then used to assess the probability that the target assertion is satisfied/violated. We also present how to extend our approach to analyze non-deterministic programs by inferring sufficient preconditions. We built a prototype implementation and evaluate it on several interesting examples.


Introduction
Program verification is often concerned by only determining whether one assertion always holds at a given program point. However, there are many applications where we need to know a more fine-grained information about how likely a target assertion (event) is to be satisfied/violated. Examples of other target events include the invocation of a certain method, the access to confidential information, etc. In those cases, we want to distinguish between what is possible event (even with extremely low probability) and what is likely event (possible with higher probability). In this work, we show how to calculate the reliability of programs by using combination of static analysis by abstract interpretation and model counting. In particular, we are interested to learn how the presence of uncertainty in the inputs can affect the probability of assertions at the exit of the program. This is an important problem to consider, since uncertainty is a common aspect of many real-world software systems today (e.g., medicine and aerospatial domains).
Abstract interpretation [6,7,8] is a general theory for approximating the semantics of programs. It provides safe (all answers are correct) and efficient (with a good trade-off between precision and cost) static analyses of run-time properties of real programs. It is based on the idea of approximations between concrete and abstract domains of program properties. Its practical success is mainly enabled by the design of numerical abstract domains, which reason on numerical properties of variables. For example, the interval domain [6], which is non-relational, infers the information about the possible values of individual variables; the octagon domain [25], which is weakly relational, infers unit binary linear constraints between program variables; and the polyhedra domain [10], which is fully relational, infers the linear constraints between all program variables. Abstract interpretation is a powerful technique for deriving approximate, albeit computable analyses, by using fully automatic algorithms. These abstract analyses pay the price for finite computability (always terminate) by an inevitable loss of precision. We use abstract analyses for automatic inference of (over-approximated) invariants by forward analysis, and (over-approximated) necessary preconditions by backward analysis. These two abstract analyses can be combined such that the results of the first analysis refine the results of the second one. In this work, we use a combination of forward and backward analyses to automatically generate the necessary preconditions on input variables that lead to the satisfaction/violation of a given assertion. If obtained preconditions are satisfied by some concrete values for input variables, then they represent input values that will allow the given assertion to be definitely satisfied/violated by all program executions branching from them. In fact, we run two backward analyses: the first one determines necessary preconditions for the given assertion to be satisfied, while the second one determines necessary preconditions for the given assertion to be violated.
Model counting is the problem of determining the number of solutions of a given constraint (formula). The LattE tool [1] implements state-of-the-art algorithms for computing volumes, both real and integral, of convex polytopes as well as integrating functions over those polytopes. More specifically, we use the LattE tool to estimate algorithmically the exact number of points of a bounded (possibly very large) discrete domain that satisfy given linear constraints.
In this paper, we describe a method which uses abstract interpretation-based static analysis and model counting to perform a specific type of quantitative analysis of deterministic programs, that is the calculation of program reliability. Calculating the program reliability involves counting the number of solutions to preconditions, which are given in the form of linear constraints between variables, i.e. elements from the polyhedra domain, that ensure satisfaction/violation of a given assertion by using model counting, and dividing it by the total space of values of the inputs. We assume that the input values are uniformly distributed within their finite discrete domain. Since the set of generated preconditions represents an over-approximation, we compute the reliability of programs as upper and lower bounds of exact probabilities that a given assertion is satisfied or violated. The reported uncertainty is due to the approximation inherent in abstract interpretation, which is introduced in order to obtain a scalable and fully automatic analysis.
The focus here is on programs whose input values range over finite discrete domains. Thus, we obtain a finite input domain and so we can use model counting algorithms to compute the required probabilities. We also restrict ourselves to the domain of linear integer arithmetic, since this is supported by LattE and the polyhedra numeric domain we use.
We also consider an extension of our approach to non-deterministic programs. For non-deterministic programs, sufficient and necessary preconditions no more coincide [26]. Sufficient preconditions ensure that the target invariant holds for all sequences of non-deterministic choices made at each execution step, whereas necessary preconditions ensure that the target invariant holds for at least one sequence of non-deterministic choices made at each execution step. In effect, increasing the non-determinism will reduce the set of sufficient preconditions and enlarge the set of necessary preconditions. Hence, for non-deterministic programs we construct backward analyses for inferring (under-approximated) sufficient preconditions that lead to the satisfaction/violation of a given assertion. The calculation of reliability is then similar to the one for deterministic programs.
We have developed a prototype probabilistic static analyzer which uses the APRON library [21] to implement numeric property domains and the LattE tool [1] to implement model counting algorithms. APRON provides a common high-level API to the most common numerical property domains, such as intervals, octagons, and polyhedra. We have implemented a combination of forward and backward analyses of deterministic (resp., non-deterministic) C programs for the automatic inference of invariants and necessary (resp. sufficient) preconditions in all program points. Our static analyzer has two components: (1) it computes the required preconditions in the input program point for a given assertion to be satisfied/violated, and (2) it then calls LattE to count the number of solutions of those preconditions and calculates the program reliability.
The main contributions of this work are: -We demonstrate how to calculate the program reliability of deterministic and non-deterministic programs using static analysis by abstract interpretation and model counting. -We develop a probabilistic static analyzer, which uses numerical property domains from the APRON library and the LattE model counting tool. -Finally, we evaluate our method for probabilistic static analysis of C programs and show how to handle a set of small but compelling benchmarks.

Motivating Examples
Consider the program P 1 in Fig. 1. Suppose that the initial value of i ranges over the integer domain [0,19], and the initial value is independently and uniformly distributed across this range. When (i ≥ 10) the variable k is assigned to 12, otherwise k is assigned to 50. A forward invariant analysis will find the invariant k = 12 ∨ k = 50 at point l final . Therefore, the assertion (k ≤ 30) can be satisfied (when k = 12) and can be violated (when k = 50). We are interested in inferring necessary preconditions on the input state at control point l input , when the assertion is satisfied and when the assertion is violated. We back-propagate necessary conditions of satisfaction and violation of the assertion from point l final to l input . A backward necessary condition analysis will infer the precondition i ≥ 10 at point l input assuming that the assertion is satisfied, and the precondition i < 10 at point l input assuming that the assertion is violated. The size of the input domain is 20, since i ∈ [0, 19]. By calling LattE to count the number of solutions to the above preconditions, we can calculate that the probability for the assertion to be satisfied (success probability) is: 10 20 = 50%, and the probability for the assertion to be violated (failure probability) is: 10 20 = 50%. Consider the program P 2 in Fig. 2. A forward invariant analysis will find the invariant 100 ≤ j ≤ 109 at point l final , so the corresponding assertion can be satisfied (when 100 ≤ j ≤ 105) and can be violated (when 105 < j ≤ 109). A backward necessary condition analysis will infer the precondition 0 ≤ j ≤ 5 at point l input for the assertion to be satisfied, and the precondition 5 < j ≤ 9 at point l input for the assertion to be violated. Therefore, we can calculate that the success probability is: 6 10 = 60%, and the failure probability is: 4 10 = 40%.

Forward-Backward Precondition Analyses
We describe the combination of forward and backward analyses in the framework of abstract interpretation for inferring necessary preconditions that a given assertion is satisfied/violated. The principle of the combination is to use the result of the forward invariant analysis in the subsequent backward necessary condition analysis in order to get more precise results which are still sound.
Syntax. We consider a simple deterministic programming language that is a subset of C, which will be used to exemplify our work. The control point (location) before each statement and at the end of each block is associated to a unique label l ∈ L. The syntax of the language is given by: where n ranges over integers, [n, n ] ranges over integer intervals, x ranges over variable names Var, and ⊕ over arithmetic-logic operators. Non-deterministic interval assignment x:=[n, n ] represents an input statement which assigns to the input variable x a uniformly distributed random value from the interval [n, n ]. This interval assignment can occur only in the input section of the program, and is used to model input uncertainties. The set of all generated statements s is denoted by Stm, whereas the set of all expressions e is denoted by Exp. We assume l input is the location after the input statements (i.e. it denotes the end of the input section) and l final is the location at the end of the program, where an assertion assert(e f ) is posed. Without loss of generality, a program is a sequence of statements followed by a single assertion. Let E ⊆ E be the set of input environments obtained after executing the input statements. The set of input states is I = {(l input , ρ) | ρ ∈ E}. The invariant inference (reachability) problem consists of finding out the possible environments (values of all variables) that may arise at each control location. The concrete semantic domain is the complete lattice of the powerset of states (P(Σ), ⊆, ∪, ∩, ∅, Σ), and the concrete semantics in the form of invariant states encountered branching from I, denoted inv(I), is: where post(X) = {σ ∈ Σ | ∃σ ∈ X.σ −→ σ} and lfp I f is the least fixed point of the function f greater than I.
In this work, we consider the problem of inferring necessary preconditions. Assume that a program exits with l final : assert(e f ). We want to distinguish between program termination that leads to the satisfaction of the final assertion at l final from the one that leads to the violation of the final assertion at l final .
(ρ) = 0} be the invariant sets which enforce the assertion at the point l final to be satisfied and violated, respectively, and coincide with inv(I) everywhere else. In the following, F may represent either F sat or F viol . Given an invariant set F to obey, we want to infer the set of input states cond(F ) that guarantee that all program executions stay in F : where pre(X) = {σ ∈ Σ | ∃σ ∈ X.σ −→ σ } is the set of predecessors of X, and gfp F f is the greatest fixed point of the function f smaller than F . The above two fixed points (lfp and gfp) exist according to Tarski, as the corresponding functions are monotone and continuous in the complete lattice of state sets.
Given a set of input environments E ⊆ E, we can compute the subsets E sat and E viol of input environments that lead to satisfaction and violation of the final assertion as: Abstract semantics. Transition systems can become large or infinite for real programs, so that neither inv(I) nor cond(F ) can be computed at all. Therefore, we seek for sound approximations. The actual computable abstract analyses can be defined as over-approximations of the concrete semantics. A static analyzer will infer over-approximated necessary preconditions so that all program executions that lead to satisfaction (resp., violation) of the final assertion are taken into account, thus computing an over-approximation of E sat (resp., E viol ).
We consider an abstract domain (D, D ), such that there exist a Galois We assume that the abstract domain D is equipped with sound operators for ordering D , least upper bound (join) D , greatest lower bound (meet) D , bottom ⊥ D , top D , widening D , and narrowing D , as well as sound transfer functions for assignments −−−−→ assign D : We let lfp # (resp., gfp # ) denote an abstract post-fixpoint (resp., pre-fixpoint) operator, derived using widening D and narrowing D , that over-approximates the concrete lfp (resp., gfp) [8]. Finally, the concrete domain on which concrete semantics is defined (P(Σ), ⊆) is abstracted using a Galois connection P(Σ), Hence, each control point l ∈ L is associated with an element d ∈ D in the abstract semantics. We define a family of forward transfer functions − → δ l,l : D → D that compute the effect of any concrete transition at the abstract level. The definition of − → δ l,l for some statements is: . Suppose that the abstract element α D (E) = d input ∈ D is at the input control point l input . We can collect the abstractions of possible environments at each program control point using the following forward interpreter: such that the result of the forward analyzer is . We want to design two backward abstract interpreters that propagate backwards the invariants ensuring that the final assertion is satisfied d sat final and violated d viol final , respectively. The backward interpreters refine the invariants found by − → F # . Thus, they take two elements of D as inputs: an invariant to refine and an invariant to propagate backwards. They are based on a family of backward transfer functions ← − δ l,l : D × D → D, which map a precondition to refine and a postcondition into a refined precondition. The definition of ← − δ l,l for some statements is: . That is, d is refined into a stronger precondition by taking into account the postcondition d .
Suppose that F sat The backward interpreters are defined as: such that the results of the two backward analyzers are: The necessary preconditions that the final assertion is satisfied and violated are d sat , respectively. We can now compute the over-approximated sets E # sat and E # viol of input environments E sat and E viol that lead to satisfaction and violation of the final assertion as: Polyhedra numeric abstract domain. Although, the abstract domain D can be instantiated with different property domains, in the following, we will use the polyhedra numerical abstract domain for D. This is due to the fact that only for the polyhedra domain all necessary abstract operations and transfer functions, such as Section 5), are implemented in the APRON library. The Polyhedra domain [10], denoted as P, P , is a fully relational numerical property domain, which allows manipulating conjunctions of linear inequalities of the form α 1 x 1 + . . . + α n x n ≥ β, where x 1 , . . ., x n are program variables and α i , β ∈ R (reals). The abstract operations of the Polyhedra domain are defined in [10]. Polyhedra analysis is expensive but also very precise.
A property element is represented as a conjunction of linear constraints given in the matrix form A, b that consists of a matrix A ∈ R m×n and a vector b ∈ R m , where n is the number of variables and m is the number of constraints. This is called the constraint representation of polyhedra elements, and there is another so-called generator representation. One representation can be converted to the other one using the Chernikova's algorithm [5]. Some domain operations can be performed more efficiently using the generator representation only, others based on the constraint representation, and some making use of both. We now present some operations that can be defined using the constraint representation.
The concretization function is: We also need widening since the polyhedra domain has infinite strictly increasing chains.
where c represents one constraint from A 1 , b 1 . The transfer function −−−−→ filter P abstracts affine inequality expressions by adding them to the input polyhedra.

Computing Success and Failure Probabilities
The overall goal of our approach is to answer questions about the probability of assertions at the exit of a deterministic program P . We define the success probability as the probability that a program terminates successfully with the target assertion being satisfied. The failure probability is the probability that a program hits a failure caused by the target assertion being violated. The combination of forward and two backward analyses infers the necessary preconditions, denoted d sat , that the target assertion is satisfied and violated, respectively. Calculating the likelihood of satisfying/violating the given assertion involves counting the number of solutions to d sat input /d viol input and dividing it by the total space of possible values in its input domain E. In particular, we use model counting techniques and LattE tool [1] to estimate algorithmically the exact number of points of a bounded (possibly very large) discrete domain E that satisfy the (linear) constraints d sat input and d viol input . We restrict our attention on programs that have finite input domains E and on numeric abstract elements from the polyhedra domain expressed as linear integer arithmetic (LIA) constraints over program variables whose values are uniformly distributed over their input domain.
We use the LattE tool to compute the number of elements of E that satisfy d sat input and d viol input , denoted #(d sat input ) and #(d viol input ). The size of E, denoted #(E), is the product of domain's sizes of all input variables in program P . Thus, we have: #(E) = x:=[n,n ]∈P |n −n+1|. Note that the exact sets of input states that lead to satisfaction and violation of the given assertion are E sat and E viol , and their sizes are denoted #(E sat ) and #(E viol ). Since the found necessary preconditions d sat input and d viol input are over-approximations of E sat and E viol respectively, we have #(E sat ) ≤ #(d sat input ) and #(E viol ) ≤ #(d viol input ). Moreover, the input environments which are not in γ D (d sat input ), that is they are in E\γ D (d sat input ), definitely lead to the violation of the assertion. Therefore, we have # . By similar reasoning as above, we can also establish that: . Finally, we calculate the success and failure probability of a program P as follows: Note that P r s (P ) + P r f (P ) = 1. We use model counting and the LattE tool [1] to determine the number of solutions of a given constraint. LattE accepts LIA constraints expressed as a system of linear inequalities each of which defines a hyperplane encoded as the matrix inequality: Ax ≤ B, where A is an m × n matrix of coefficients and B is an m × 1 column vector of constants. Most LIA constraints can easily be converted into the form: a 1 x 1 + . . . + a n x n ≤ b. For example, ≥ and > can be flipped by multiplying both sides by −1, and strict inequalities < can be converted by decrementing the constant b. In LattE, equalities = can be expressed directly. If we have disequalities =, they can be handled by counting a set of constraints that encode all possible solutions. For example, the constraint α ∧ (x 1 = x 2 ) is handled by finding the sum of solutions for α ∧ (x 1 ≤ x 2 − 1) and α ∧ (x 1 ≥ x 2 + 1).

Extension to non-deterministic programs
Let us reconsider the program P 2 from Fig. 2, where the assignment in point 5 is now replaced with: j:=j+[0,1]. That is, the variable j is incremented by a uniformly distributed random integer between 0 and 1 at each iteration. We denote this non-deterministic program as P 3 (taken from [26]), given below: j:=j+[0,1]; } l final : assert (j ≤ 105); } A forward invariant analysis will find that at l final holds: 0 ≤ j ≤ 109, and so the assertion (j ≤ 105) can be both satisfied and violated. A backward necessary condition analysis for assertion satisfaction will infer the precondition 0 ≤ j ≤ 9 at l input , since for any value j ∈ [0, 9] there exists an program execution satisfying the assertion (e.g., consider the executions where the random integer from [0, 1] always evaluates to 0 in the body of while). However, a backward sufficient condition analysis for assertion satisfaction computes the set of input states such that all program executions branching from them satisfy the assertion. In this case, the sufficient condition analysis will infer the precondition 0 ≤ j ≤ 5 at l input , since even if the random integer from [0, 1] always evaluates to 1 in the body of while, the assertion will always hold. As a result of this, we can conclude that the success probability is greater or equal to: 6 10 = 60%.
We can see that necessary and sufficient preconditions are different in the presence of non-determinism [26]. Note that, if the non-determinism is increased in a program, then the set of sufficient preconditions will be reduced, while the set of necessary preconditions will be enlarged. For non-deterministic programs, E sat and E viol are subsets of input environments E that definitely lead to satisfaction and violation of the final assertion for all possible non-deterministic choices, respectively. We define the success probability P r s (P ) as the probability that a program terminates successfully with the target assertion being satisfied for all possible non-deterministic choices taken at each step. The failure probability P r f (P ) is the probability that a program hits a failure caused by the target assertion being violated for all possible non-deterministic choices taken at each step. We now show how to compute the success and failure probabilities for non-deterministic programs using sufficient conditions.
Remark. Note that in case of deterministic programs, E sat and E viol form a partition of the set of input environments E (E sat ∪ E viol = E), thus we have P r s (P ) + P r f (P ) = 1 for any deterministic program P . However, for nondeterministic programs this is not true anymore. That is, E sat ∪ E viol ⊆ E and P r s (P ) + P r f (P ) ≤ 1 for any non-deterministic program P . This means that there exist input environments for which it is possible the target assertion to be both satisfied and violated depending on non-deterministic choices made at each step of the given execution. For example, in the above program P 3 , for input environments that satisfy 6 ≤ j ≤ 9, the target assertion is satisfied (when [0, 1] in the body of while always evaluates to 0) and violated (when [0, 1] in the body of while always evaluates to 1), so those input environments are neither in E sat nor in E viol . We have, E sat = {ρ | 0 ≤ [[j]]ρ ≤ 5} and E viol = ∅, thus P r s (P 3 ) = 60% and P r f (P 3 ) = 0%.
Syntax. The extended non-deterministic programming language includes the same expression and statement productions as previously (see Section 3), but we add a support for non-deterministic expressions by using integer intervals [n, n ]: e ::= . . . | [n, n ] The integer interval [n, n ] denotes a uniformly distributed random integer from the interval [n, n ] (non-deterministic choice of an integer). Note that the interval assignment x:=[n, n ] can now be freely used everywhere in programs, not only in the input section as in deterministic programs.
Concrete semantics. We now consider the problem of backward sufficient condition inference. Given an invariant set F to obey, we want to infer the set of input states cond(F ) that guarantee that all program executions branching from them for all possible non-deterministic choices taken at each step stay in F : where pre(X) = {σ ∈ Σ | ∀σ ∈ Σ.σ −→ σ =⇒ σ ∈ X} is the set of states which represent predecessors only of states in X. Note that the function pre(X) differs from the function pre(X) used in Section 3, that is pre(X) = pre(X), if the transition system is non-deterministic (i.e. some states have several successors or none). Using pre(X) ensures that the invariant set F holds for all sequences of non-deterministic choices made at each execution step, while pre(X) ensures that the invariant set F holds for at least one sequence of non-deterministic choices. Note that pre(X) = pre(X) for deterministic programs, since |post({σ})| = 1 for every state σ ∈ Σ in this case.
Abstract semantics. In order to compute an under-approximating set of sufficient preconditions, we require an abstract domain D with the following backward abstract operators: meet under and a lower widening D [26]. The above abstract operators represent a sound under-approximation of the corresponding concrete operators. We let gfp #under denote an abstract pre-fixpoint operator, derived using lower widening D , that under-approximates the concrete gfp.
We design two backward sufficient condition abstract interpreters that propagate backwards the invariants ensuring that the final assertion is satisfied d sat assignment l 0 : x:=e; l 1 : . The backward sufficient condition interpreters are defined as: such that results of backward analyzers are: . By similar reasoning, we can also establish that: ). We calculate the success and failure probability of a program P as follows:

Implementation
We now describe the implementation and evaluation of the ideas presented so far. The evaluation aims to show the following objectives:

O1:
The probabilistic analysis can be used to analyze the behaviour of various interesting programs; O2: The probabilistic analysis gives exact results (with no precision loss) in many cases, especially for deterministic programs; O3: The performance time of probabilistic analysis is largely insensitive to domain sizes of input variables; O4: We can find practical application scenarios of using our probabilistic analysis to efficiently analyze C programs.

Implementation.
We have implemented a prototype probabilistic static analyzer that accepts programs written in a subset of C. It does not support struct and union types, and provides only a limited support of arrays and pointers. The only basic data types considered are integers. As output, the tool reports the upper and lower bounds of probabilities that the target assertion is satisfied or violated. The prototype tool is written in OCaml. As the abstract analysis domain D for encoding program properties, we use the polyhedra numeric abstract domain [10]. All abstract operators and sound transfer functions for the polyhedra domain are provided by the APRON library [21,26]. The tool performs one forward reachability analysis and two backward necessary/sufficient condition analyses (one for satisfaction and one for violation of the assertion). The tool calls a model counter, LattE [1], to determine the number of solutions to discovered preconditions for satisfaction or violation of the assertion. Note that if an input state satisfies the discovered precondition for satisfaction (resp., violation) of the assertion, then all program executions branching from that state will satisfy (resp., violate) the given assertion. The analysis proceeds by structural induction on the program syntax, iterating while-s until a fixed point is reached. They compute the unique solution which to every program point assigns an element from the abstract domain D.
Experimental setup and benchmarks. All experiments are executed on a 64bit Intel Core T M i5 CPU, Lubuntu VM, with 8 GB memory. The reported times represent the average runtime of five independent executions. We report Time an to perform all static analyses tasks (one forward plus two backward static analyses), Time pr to compute the needed probability bounds (call to LattE plus additional calculations), and Time to complete the overall probabilistic analysis task. The implementation, benchmarks, and all results obtained are available from: https://aleksdimovski.github.io/probab-analysis.html (or, https: //github.com/aleksdimovski/probab analyzer). For our experiment, we use a dozen of C programs taken from several folders (categories) of the 8th International Competition on Software Verification (SV-COMP 2019) 6 , as well as from the abstract interpretation community [26,30]. The folders from SV-COMP 2019 we consider are: loops, loop-lit, termination-crafted (which is denoted ter-crafted for short), as well as termination-restricted-15 (which is denoted ter-restricted for short). We have selected some numeric programs with integers that our tool can handle. We have manually added input sections, and in some of the programs we have also defined target assertions. Then, we have analyzed those programs using our prototype static analyzer. Table 1 summarizes relevant characteristics for each benchmark: the folder (source) where it is taken from, the number of lines of code (LOC), and the number of integer variables (#var). There are two classes of benchmarks in Table 1 separated by a double horizontal line. The first (upper) class of benchmarks consists of deterministic programs for which backward necessary condition analysis is performed, while the second (lower) class of benchmarks are non-deterministic programs for which backward sufficient condition analysis is performed.
Performances Table 1 shows the performance of our technique on a set of small and compelling examples (addresses Objective (O1)). We can note that for most of our deterministic benchmarks, the technique gives exact results without any approximation (which are marked with in the Exact column of Table 1). This means that the lower and upper bounds for success and failure probabilities coincide. This is due to the fact that we use the expressive and very precise polyhedra abstract domain (addresses Objective (O2)). For the remaining cases, the technique gives approximate results (which are marked with ≈ in the Exact column of Table 1), since the abstraction was too coarse to calculate exact results. We can also see that the time for static analysis Time an dominates in the overall probabilistic analysis time Time, whereas the probability computation time Time pr is a smaller fraction of the total time. The small probability computation times indicate that preconditions obtained from our analyses are relatively simple, and so LattE can handle them very efficiently. We have also experimented with different domain sizes n of input variables (for n = 10 and n = 1000). Thus, n denotes the number of possible values per input variable. We observe that we obtain similar time performance results for n = 10 and n = 1000, which means that the performance is not affected by the fact that inputs come from a bigger pool of possible values. This is mostly due to the fact that LattE and APRON are largely insensitive to those values in terms of time (addresses Objective (O3)). In general, the obtained probability bounds provide non-trivial information about the behaviour of these programs and are quite hard to estimate by hand even if the programs in question are small.
Application scenarios. Consider the following program (called Waldkirch.c from termination-crafted folder of SV-COMP 2019): x:=x-1; } l final : assert (x ≥ −1); We want to prove this assertion, since, for example, later on in the program there are references to an array using the index x+1 (e.g. a[x+1]:=0). In this way, we want to verify that there are no array-out-of-bounds references. The tool will find that the necessary precondition for assertion satisfaction is: −1 ≤ x ≤ 4, thus computing the success probability of 60%. The found necessary precondition for assertion violation is: −5 ≤ x ≤ −2, so the failure probability is 40% (addresses Objective (O4)).

Related work
Probabilistic analysis of imperative programs based on symbolic execution has been introduced before [18,17,3,29]. They calculate path probabilities by counting the number of solutions to a path condition, which represents a constraint on inputs. The analyses in [18,17] address programs with integer domains and linear constraints, whereas the analyses in [3] address programs with linear and complex floating-point computations. While the previous analyses are restricted to discrete, uniform random variables that take on a finite set of values, the probabilistic analysis in [29] can also handle non-uniform distributions over the reals and integers using a branch-and-bound technique over polyhedra. However, in presence of loops all above analyses based on symbolic execution lose precision, since they cannot enumerate all program paths. The solution is to consider bounded exploration of loops and only a finite number of feasible program paths. Thus, they also define a measure of confidence on the obtained probabilistic estimations in order to take into account the contribution from the unexplored feasible paths. For example, if we set the exploration bound of the loop of program P 2 in Fig. 2 to any number less than 100, both success and failure probabilities will be 0% and the confidence will be also 0. This is due to the fact that the while loop in Fig. 2 has to be unrolled at least 100 times in order to obtain a feasible path on which it can be decided whether the assertion at point l final is satisfied or violated. In this work, instead of symbolic execution we use abstract interpretation to analyze programs and infer preconditions for success and failure. Thus, our approach for computing program reliability represents one of the pioneering works that provides a complete and fast treatment of while loops. In particular, the strength of our approach is being an abstract interpretation of a complete semantics for computing program reliability. This is stronger than fixing a priori an incomplete reasoning approach that can miss some feasible program paths (executions). The work [13] performs a probabilistic analysis of open programs using symbolic game semantics [12] and model counting. It uses game semantics to model open programs with undefined identifiers (e.g. calls to library functions), such that the model takes into account all possible contexts in which those programs can be placed. In the presence of loops and undefined functions, bounded exploration in the model is also used to obtain a feasible analysis. Probabilistic model checking [2] is yet another approach to perform probabilistic analysis on a high-level design of software. However, such high-level models are difficult to maintain and may abstract important details that impact the chance of property satisfaction. So the goal is to do probabilistic analysis directly on source code as here, not on high-level models.
Backward precondition analyses by abstract interpretation have also been used in practice for a long time [4,9,26,28]. Sufficient preconditions have been first introduced by Bourdoncle [4] in his work on abstract debugging of deterministic programs. He uses a combination of forward-backward analyses to find preconditions for invariant and intermittent assertions to always hold. Cousot et. al. [9] propose a method for automatically inferring contract preconditions for intermittent assertions. The preconditions extracted by their method are necessary preconditions, i.e. they do not exclude unsafe executions. Mine [26] presents a method for automatically inferring sufficient preconditions of non-deterministic programs by using a polyhedral backward analysis. The under-approximating sound abstract operators for this backward analysis are implemented as part of the APRON library. Rival [28] uses forward-backward analysis to inspect more closely reported alarms by ASTREE, which are then classified as true errors (bugs) or false alarms. Urban and Mine [30] use forward-backward analysis for the automatic inference of sufficient preconditions for program termination. The elements of the analysis domain are decision trees, where decision nodes are labeled with linear numerical constraints and leaf nodes are affine ranking functions for proving program termination. Forward-backward analysis schemes have been used in [20] for the inference of safety properties of declarative synchronous programs. In this work, for the first time we employ forward-backward precondition analysis for estimating program reliability.
Static analysis of probabilistic programs by abstract interpretation has also been a topic of research [27,11]. Monniaux [27] proposes a probabilistic analysis that annotates abstract domains with upper bounds on the probability measure associated with abstract objects. However, the measure bound is associated with the entire abstract object, without tracking how it is distributed amongst the individual states present in the concretization. This restriction makes the analysis quite conservative. Cousot and Monerau [11] provide a general framework that encompasses a variety of probabilistic interpretation schemes. However, no concrete implementation of the above probabilistic abstract interpretations is provided yet. A backward abstract interpretation for probabilistic programs [23] uses expectations that are real-valued functions of the program state and quantitative loop invariants. The automatic inference of such quantitative loop invariants was proposed in the recent work of Katoen et al [22].

Conclusion
We have presented a new static, abstract interpretation-based approach for computing program reliability, which allows to calculate upper and lower bounds of probabilities that a given assertion is satisfied or violated. We construct a combination of forward-backward abstract analyses, in order to find an approximation of a set of input states which lead to definite satisfaction (resp., violation) of the given assertion. Our approach to calculating program reliability is semanticsbased and approximate in a provably sound way. Still, it often yields very precise results, especially for deterministic programs.
We currently support only uniform distribution of input values within their finite discrete domains. In future, we plan to model imprecision in the input by different non-uniform distributions, such as Binomial, Poisson, etc [29]. The current implementation of LattE is limited in handling non-uniform distributions, so we will explore the use of statistical sampling techniques in those cases. Our focus here is on estimating probability for safety properties. We also plan to consider liveness properties (such as termination) and expectation queries [30]. An interesting direction for future work would also be to consider general probabilistic programs [19], as well as program families implemented with #ifdef-s from the C-preprocessor where we can use lifted static analyses to efficiently analyze all variants of the family simultaneously at once [14,24,15,16].
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.