Spring 2014 Program Analysis and Verification Lecture 13: Abstract Interpretation V
Spring 2014 Program Analysis and Verification
Lecture 13: Abstract Interpretation V
Roman Manevich, Ben-Gurion University
Syllabus
• Semantics
  – Natural Semantics
  – Structural semantics
  – Axiomatic Verification
• Static Analysis
  – Automating Hoare Logic
  – Control Flow Graphs
  – Equation Systems
  – Collecting Semantics
• Abstract Interpretation fundamentals
  – Lattices
  – Fixed-Points
  – Chaotic Iteration
  – Galois Connections
  – Domain constructors
  – Widening/Narrowing
• Analysis Techniques
  – Numerical Domains
  – CEGAR
  – Alias analysis
  – Shape Analysis
  – Interprocedural Analysis
• Crafting your own
  – Soot
  – From proofs to abstractions
  – Systematically developing transformers
Previously
• Composing abstract domains (and GCs)
• Reduced product
• Implementing composition of analyses
Today
• Widening and narrowing
A Motivating example
How can we prove this automatically?
RelProd(CP, VE)
The interval domain
Interval domain
• One of the simplest numerical domains
• Maintain for each variable x an interval [L,H]
  – L is either an integer or $-\infty$
  – H is either an integer or $+\infty$
• A (non-relational) numeric domain
Intervals lattice for variable x
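[Figure: Hasse diagram of the interval lattice for x. Singleton intervals such as [-2,-2], [-1,-1], [0,0], [1,1], [2,2] are at the bottom; wider intervals such as [0,1], [-10,10], [-20,10], $[1,+\infty]$ and $[-\infty,0]$ lie above them; $[-\infty,+\infty]$ is the top element.]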
Intervals lattice for variable x
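• $D^{int}[x] = \{ (L,H) \mid L \in \{-\infty\} \cup \mathbb{Z},\ H \in \mathbb{Z} \cup \{+\infty\},\ L \le H \}$
• $\bot$
• $\top = [-\infty,+\infty]$
• $\sqsubseteq$ = ?
  – $[1,2] \sqsubseteq [3,4]$ ?
  – $[1,4] \sqsubseteq [1,3]$ ?
  – $[1,3] \sqsubseteq [1,4]$ ?
  – $[1,3] \sqsubseteq [-\infty,+\infty]$ ?
• What is the lattice height?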
Intervals lattice for variable x
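• $D^{int}[x] = \{ (L,H) \mid L \in \{-\infty\} \cup \mathbb{Z},\ H \in \mathbb{Z} \cup \{+\infty\},\ L \le H \}$
• $\bot$
• $\top = [-\infty,+\infty]$
• $\sqsubseteq$ = ?
  – $[1,2] \sqsubseteq [3,4]$: no
  – $[1,4] \sqsubseteq [1,3]$: no
  – $[1,3] \sqsubseteq [1,4]$: yes
  – $[1,3] \sqsubseteq [-\infty,+\infty]$: yes
• What is the lattice height? Infinite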
Joining/meeting intervals
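• $[a,b] \sqcup [c,d]$ = ?
  – $[1,1] \sqcup [2,2]$ = ?
  – $[1,1] \sqcup [2,+\infty]$ = ?
• $[a,b] \sqcap [c,d]$ = ?
  – $[1,2] \sqcap [3,4]$ = ?
  – $[1,4] \sqcap [3,4]$ = ?
  – $[1,1] \sqcap [1,+\infty]$ = ?
• Check that indeed $x \sqsubseteq y$ if and only if $x \sqcup y = y$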
Joining/meeting intervals
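• $[a,b] \sqcup [c,d] = [\min(a,c), \max(b,d)]$
  – $[1,1] \sqcup [2,2] = [1,2]$
  – $[1,1] \sqcup [2,+\infty] = [1,+\infty]$
• $[a,b] \sqcap [c,d] = [\max(a,c), \min(b,d)]$ if a proper interval and otherwise $\bot$
  – $[1,2] \sqcap [3,4] = \bot$
  – $[1,4] \sqcap [3,4] = [3,4]$
  – $[1,1] \sqcap [1,+\infty] = [1,1]$
• Check that indeed $x \sqsubseteq y$ if and only if $x \sqcup y = y$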
Interval domain for programs
• $D^{int}[x] = \{ (L,H) \mid L \in \{-\infty\} \cup \mathbb{Z},\ H \in \mathbb{Z} \cup \{+\infty\},\ L \le H \}$
• For a program with variables $Var = \{x_1, \dots, x_k\}$
• $D^{int}[Var]$ = ?
Interval domain for programs
• $D^{int}[x] = \{ (L,H) \mid L \in \{-\infty\} \cup \mathbb{Z},\ H \in \mathbb{Z} \cup \{+\infty\},\ L \le H \}$
• For a program with variables $Var = \{x_1, \dots, x_k\}$
• $D^{int}[Var] = D^{int}[x_1] \times \dots \times D^{int}[x_k]$
• How can we represent it in terms of formulas?
  – Two types of factoids $x \ge c$ and $x \le c$
  – Example: S = {x9, y5, y10}
  – Helper operations
    • $c + {+\infty} = +\infty$
    • remove(S, x) = S without any x-constraints
    • lb(S, x) =
Interval domain for programs
• $D^{int}[x] = \{ (L,H) \mid L \in \{-\infty\} \cup \mathbb{Z},\ H \in \mathbb{Z} \cup \{+\infty\},\ L \le H \}$
• For a program with variables $Var = \{x_1, \dots, x_k\}$
• $D^{int}[Var] = D^{int}[x_1] \times \dots \times D^{int}[x_k]$
• How can we represent it in terms of formulas?
  – Two types of factoids $x \ge c$ and $x \le c$
  – Example: S = {x9, y5, y10}
  – Helper operations
    • $c + {+\infty} = +\infty$
    • remove(S, x) = S without any x-constraints
    • lb(S, x) =
    • ub(S, x) =
interval domain transformers
Assignment transformers
• $[\![x := c]\!]^{\#} S$ = ?
• $[\![x := y]\!]^{\#} S$ = ?
• $[\![x := y+c]\!]^{\#} S$ = ?
• $[\![x := y+z]\!]^{\#} S$ = ?
• $[\![x := y*c]\!]^{\#} S$ = ?
• $[\![x := y*z]\!]^{\#} S$ = ?
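Assignment transformers
• $[\![x := c]\!]^{\#} S = \mathrm{remove}(S,x) \cup \{x \ge c,\ x \le c\}$
• $[\![x := y]\!]^{\#} S = \mathrm{remove}(S,x) \cup \{x \ge lb(S,y),\ x \le ub(S,y)\}$
• $[\![x := y+c]\!]^{\#} S = \mathrm{remove}(S,x) \cup \{x \ge lb(S,y)+c,\ x \le ub(S,y)+c\}$
• $[\![x := y+z]\!]^{\#} S = \mathrm{remove}(S,x) \cup \{x \ge lb(S,y)+lb(S,z),\ x \le ub(S,y)+ub(S,z)\}$
• $[\![x := y*c]\!]^{\#} S = \mathrm{remove}(S,x) \cup{}$ if $c>0$ $\{x \ge lb(S,y)*c,\ x \le ub(S,y)*c\}$ else $\{x \ge ub(S,y)*{-c},\ x \le lb(S,y)*{-c}\}$
• $[\![x := y*z]\!]^{\#} S = \mathrm{remove}(S,x) \cup{}$ ?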
assume transformers
• $[\![\text{assume } x=c]\!]^{\#} S$ = ?
• $[\![\text{assume } x<c]\!]^{\#} S$ = ?
• $[\![\text{assume } x=y]\!]^{\#} S$ = ?
• $[\![\text{assume } x \ne c]\!]^{\#} S$ = ?
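assume transformers
• $[\![\text{assume } x=c]\!]^{\#} S = S \sqcap \{x \ge c,\ x \le c\}$
• $[\![\text{assume } x<c]\!]^{\#} S = S \sqcap \{x \le c-1\}$
• $[\![\text{assume } x=y]\!]^{\#} S = S \sqcap \{x \ge lb(S,y),\ x \le ub(S,y)\}$
• $[\![\text{assume } x \ne c]\!]^{\#} S$ = ?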
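assume transformers
• $[\![\text{assume } x=c]\!]^{\#} S = S \sqcap \{x \ge c,\ x \le c\}$
• $[\![\text{assume } x<c]\!]^{\#} S = S \sqcap \{x \le c-1\}$
• $[\![\text{assume } x=y]\!]^{\#} S = S \sqcap \{x \ge lb(S,y),\ x \le ub(S,y)\}$
• $[\![\text{assume } x \ne c]\!]^{\#} S = (S \sqcap \{x \le c-1\}) \sqcup (S \sqcap \{x \ge c+1\})$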
Analysis with interval domain
Concrete semantics equations
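$R[0] = \{x \in \mathbb{Z}\}$
$R[1] = [\![x := 7]\!]$
$R[2] = R[1] \cup R[4]$
$R[3] = R[2] \cap \{s \mid s(x) < 1000\}$
$R[4] = [\![x := x+1]\!]\, R[3]$
$R[5] = R[2] \cap \{s \mid s(x) \ge 1000\}$
$R[6] = R[5] \cap \{s \mid s(x) \ge 1001\}$
[Figure: control flow graph with nodes R[0], R[1], R[2], R[3], R[4], R[5], R[6]]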
Abstract semantics equations
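$R[0] = \alpha(\{x \in \mathbb{Z}\})$
$R[1] = [\![x := 7]\!]^{\#}$
$R[2] = R[1] \sqcup R[4]$
$R[3] = R[2] \sqcap \alpha(\{s \mid s(x) < 1000\})$
$R[4] = [\![x := x+1]\!]^{\#}\, R[3]$
$R[5] = R[2] \sqcap \alpha(\{s \mid s(x) \ge 1000\})$
$R[6] = R[5] \sqcap \alpha(\{s \mid s(x) \ge 1001\}) \sqcup R[5] \sqcap \alpha(\{s \mid s(x) \le 999\})$
[Figure: control flow graph with nodes R[0], R[1], R[2], R[3], R[4], R[5], R[6]]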
Abstract semantics equations
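$R[0] = \top$
$R[1] = [7,7]$
$R[2] = R[1] \sqcup R[4]$
$R[3] = R[2] \sqcap [-\infty,999]$
$R[4] = R[3] + [1,1]$
$R[5] = R[2] \sqcap [1000,+\infty]$
$R[6] = R[5] \sqcap [999,+\infty] \sqcup R[5] \sqcap [1001,+\infty]$
[Figure: control flow graph with nodes R[0], R[1], R[2], R[3], R[4], R[5], R[6]]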
Too many iterations to converge
How many iterations for this one?
• Problem: need infinite height domain
• Basic fixed-point analysis does not terminate when ACC does not hold
• Solution: come up with new fixed-point finding algorithm
Revisiting the basic static analysis fixed-point algorithm
Effect of function f on lattice elements
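• $L = (D, \sqsubseteq, \sqcup, \sqcap, \bot, \top)$
• $f : D \to D$ monotone
• $\mathrm{Fix}(f) = \{ d \mid f(d) = d \}$
• $\mathrm{Red}(f) = \{ d \mid f(d) \sqsubseteq d \}$
• $\mathrm{Ext}(f) = \{ d \mid d \sqsubseteq f(d) \}$
• Theorem [Tarski 1955]
  – $\mathrm{lfp}(f) = \sqcap \mathrm{Fix}(f) = \sqcap \mathrm{Red}(f) \in \mathrm{Fix}(f)$
  – $\mathrm{gfp}(f) = \sqcup \mathrm{Fix}(f) = \sqcup \mathrm{Ext}(f) \in \mathrm{Fix}(f)$
[Figure: the lattice with the regions Red(f), Ext(f) and Fix(f), the points lfp and gfp, and the iterates $f^n(\bot)$ and $f^n(\top)$]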
Continuity and ACC condition
• Let $L = (D, \sqsubseteq, \sqcup, \bot)$ be a complete partial order
  – Every ascending chain has an upper bound
• A function f is continuous if for every increasing chain $Y \subseteq D^*$, $f(\sqcup Y) = \sqcup \{ f(y) \mid y \in Y \}$
• L satisfies the ascending chain condition (ACC) if every ascending chain eventually stabilizes: $d_0 \sqsubseteq d_1 \sqsubseteq \dots \sqsubseteq d_n = d_{n+1} = \dots$
Fixed-point theorem [Kleene]
• Let $L = (D, \sqsubseteq, \sqcup, \bot)$ be a complete partial order and a continuous function $f : D \to D$ then
  $\mathrm{lfp}(f) = \bigsqcup_{n \in \mathbb{N}} f^n(\bot)$
• When ACC holds and f is monotone then f is continuous
Resulting algorithm
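• Kleene's fixed point theorem gives a constructive method for computing the lfp

Mathematical definition: $\mathrm{lfp}(f) = \bigsqcup_{n \in \mathbb{N}} f^n(\bot)$

Algorithm:

    d := ⊥
    while f(d) ≠ d do
        d := f(d)
    return d

[Figure: the ascending chain $\bot, f(\bot), f^2(\bot), \dots, f^n(\bot)$ reaching lfp]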
Chaotic iteration
• Input:
  – A cpo $L = (D, \sqsubseteq, \sqcup, \bot)$ satisfying ACC
  – $L^n = L \times L \times \dots \times L$
  – A monotone function $f : D^n \to D^n$
  – A system of equations $\{ X[i] \mid f(X) \mid 1 \le i \le n \}$
• Output: lfp(f)
• A worklist-based algorithm

    for i := 1 to n do X[i] := ⊥
    WL = {1,…,n}
    while WL ≠ ∅ do
        i := pop WL    // choose index non-deterministically
        N := F[i](X)
        if N ≠ X[i] then
            X[i] := N
            add all the indexes that directly depend on i to WL
            (X[j] depends on X[i] if F[j] contains X[i])
    return X
Widening and narrowing
Widening
• Introduce a new binary operator to ensure termination
  – A kind of extrapolation
• Enables static analysis to use infinite height lattices
  – Dynamically adapts to given program
• Tricky to design
• Precision less predictable than with finite-height domains (widening non-monotone)
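Formal definition
• For all elements $d_1 \sqcup d_2 \sqsubseteq d_1 \nabla d_2$
• For all ascending chains $d_0 \sqsubseteq d_1 \sqsubseteq d_2 \sqsubseteq \dots$ the following sequence is finite
  – $y_0 = d_0$
  – $y_{i+1} = y_i \nabla d_{i+1}$
• For a monotone function $f : D \to D$ define
  – $x_0 = \bot$
  – $x_{i+1} = x_i \nabla f(x_i)$
• Theorem:
  – There exists k such that $x_{k+1} = x_k$
  – $x_k \in \mathrm{Red}(f) = \{ d \mid d \in D \text{ and } f(d) \sqsubseteq d \}$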
Analysis with finite-height lattice
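[Figure: in the abstract domain A, the iterates $f^{\#}, f^{\#2}, f^{\#3}, \dots$ climb to $f^{\#n} = \mathrm{lfp}(f^{\#})$; the regions Red(f) and Fix(f) are marked]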
Analysis with widening
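[Figure: in the abstract domain A, the iterates of $f^{\#}$ with widening pass above $\mathrm{lfp}(f^{\#})$ and stop at a post-fixed point in Red(f); Fix(f) is marked]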
A Widening for the interval domain
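Widening for Intervals Analysis
• $\bot \nabla [c,d] = [c,d]$
• $[a,b] \nabla [c,d] = [\ \text{if } a \le c \text{ then } a \text{ else } -\infty,\ \ \text{if } b \ge d \text{ then } b \text{ else } +\infty\ ]$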
Semantic equations with widening
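$R[0] = \top$
$R[1] = [7,7]$
$R[2] = R[1] \sqcup R[4]$
$R[2.1] = R[2.1] \nabla R[2]$
$R[3] = R[2.1] \sqcap [-\infty,999]$
$R[4] = R[3] + [1,1]$
$R[5] = R[2] \sqcap [1001,+\infty]$
$R[6] = R[5] \sqcap [999,+\infty] \sqcup R[5] \sqcap [1001,+\infty]$
[Figure: control flow graph with nodes R[0], R[1], R[2], R[3], R[4], R[5], R[6]]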
Choosing analysis with widening
Enable widening
Non monotonicity of widening
• $[0,1] \nabla [0,2]$ = ?
• $[0,2] \nabla [0,2]$ = ?
Non monotonicity of widening
• $[0,1] \nabla [0,2] = [0,+\infty]$
• $[0,2] \nabla [0,2] = [0,2]$
• What is the impact of non-monotonicity?
Analysis results with widening
Did we prove it?
narrowing
Analysis with narrowing
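[Figure: in the abstract domain A, the narrowing iterates descend from the post-fixed point found by widening toward $\mathrm{lfp}(f^{\#})$, staying in Red(f); Fix(f) is marked]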
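Formal definition of narrowing
• Improves the result of widening
• $y \sqsubseteq x \Rightarrow y \sqsubseteq (x \,\Delta\, y) \sqsubseteq x$
• For all decreasing chains $x_0 \sqsupseteq x_1 \sqsupseteq \dots$ the following sequence is finite
  – $y_0 = x_0$
  – $y_{i+1} = y_i \,\Delta\, x_{i+1}$
• For a monotone function $f : D \to D$ and $x_k \in \mathrm{Red}(f) = \{ d \mid d \in D \text{ and } f(d) \sqsubseteq d \}$ define
  – $y_0 = x$
  – $y_{i+1} = y_i \,\Delta\, f(y_i)$
• Theorem:
  – There exists k such that $y_{k+1} = y_k$
  – $y_k \in \mathrm{Red}(f) = \{ d \mid d \in D \text{ and } f(d) \sqsubseteq d \}$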
A narrowing for the interval domain
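Narrowing for Interval Analysis
• $[a,b] \,\Delta\, \bot = [a,b]$
• $[a,b] \,\Delta\, [c,d] = [\ \text{if } a = -\infty \text{ then } c \text{ else } a,\ \ \text{if } b = +\infty \text{ then } d \text{ else } b\ ]$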
Semantic equations with narrowing
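$R[0] = \top$
$R[1] = [7,7]$
$R[2] = R[1] \sqcup R[4]$
$R[2.1] = R[2.1] \,\Delta\, R[2]$
$R[3] = R[2.1] \sqcap [-\infty,999]$
$R[4] = R[3] + [1,1]$
$R[5] = R[2]^{\#} \sqcap [1000,+\infty]$
$R[6] = R[5] \sqcap [999,+\infty] \sqcup R[5] \sqcap [1001,+\infty]$
[Figure: control flow graph with nodes R[0], R[1], R[2], R[3], R[4], R[5], R[6]]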
Combining widening and narrowing
Analysis with widening/narrowing
• Two phases
  – Phase 1: analyze with widening until converging
  – Phase 2: use values to analyze with narrowing

Phase 1:
$R[0] = \top$
$R[1] = [7,7]$
$R[2] = R[1] \sqcup R[4]$
$R[2.1] = R[2.1] \nabla R[2]$
$R[3] = R[2.1] \sqcap [-\infty,999]$
$R[4] = R[3] + [1,1]$
$R[5] = R[2] \sqcap [1001,+\infty]$
$R[6] = R[5] \sqcap [999,+\infty] \sqcup R[5] \sqcap [1001,+\infty]$

Phase 2:
$R[0] = \top$
$R[1] = [7,7]$
$R[2] = R[1] \sqcup R[4]$
$R[2.1] = R[2.1] \,\Delta\, R[2]$
$R[3] = R[2.1] \sqcap [-\infty,999]$
$R[4] = R[3] + [1,1]$
$R[5] = R[2]^{\#} \sqcap [1000,+\infty]$
$R[6] = R[5] \sqcap [999,+\infty] \sqcup R[5] \sqcap [1001,+\infty]$
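The two-phase analysis of the loop encoded by these equations (x := 7; while x < 1000 do x := x+1), as an added Python example that is not part of the original slides; it also counts how many iterations plain joining needs on the same equations. The function names, the tuple/None encoding of intervals, and the folding of R[2], R[3] and R[4] into one `step` are choices made for this example, and the error node is taken to be "x differs from the bound on exit".

```python
import math

INF = math.inf
BOT = None  # bottom: no concrete state reaches this point (encoding assumed here)

def join(a, b):
    if a is BOT: return b
    if b is BOT: return a
    return (min(a[0], b[0]), max(a[1], b[1]))

def meet(a, b):
    if a is BOT or b is BOT: return BOT
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else BOT

def widen(a, b):
    """a ∇ b: keep a bound that did not grow, send a growing bound to infinity."""
    if a is BOT: return b
    if b is BOT: return a
    return (a[0] if a[0] <= b[0] else -INF, a[1] if a[1] >= b[1] else INF)

def narrow(a, b):
    """a Δ b: replace only the infinite bounds of a by the bounds of b."""
    if a is BOT or b is BOT: return a
    return (b[0] if a[0] == -INF else a[0], b[1] if a[1] == INF else a[1])

def step(head, bound):
    """One pass around the loop: R[2] = R[1] ⊔ R[4], starting from the loop head."""
    r3 = meet(head, (-INF, bound - 1))                  # assume x < bound
    r4 = BOT if r3 is BOT else (r3[0] + 1, r3[1] + 1)   # x := x + 1
    return join((7, 7), r4)                             # R[1] = [7,7]

def iterate(op, start, bound):
    """Repeat head := head op step(head) until stable; return (value, iterations)."""
    head, n = start, 0
    while True:
        n += 1
        nxt = op(head, step(head, bound))
        if nxt == head:
            return head, n
        head = nxt

def error_states(head, bound):
    """States that leave the loop with x != bound; BOT means unreachable."""
    r5 = meet(head, (bound, INF))                       # assume x >= bound
    return join(meet(r5, (-INF, bound - 1)), meet(r5, (bound + 1, INF)))

if __name__ == "__main__":
    print("plain join         :", iterate(join, BOT, 1000))
    wide, n = iterate(widen, BOT, 1000)
    print("phase 1 (widening) :", wide, "in", n, "iterations;",
          "error states:", error_states(wide, 1000))
    tight, n = iterate(narrow, wide, 1000)
    print("phase 2 (narrowing):", tight, "in", n, "iterations;",
          "error states:", error_states(tight, 1000))
```

With widening alone the loop head is [7,+∞] and the error node still holds [1001,+∞], so the property is not proved; narrowing tightens the head to [7,1000] and the error node becomes unreachable.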
Analysis with widening/narrowing
Analysis results widening/narrowing
Precise invariant
Next lecture: numerical abstractions