Automating Abstract Interpretation
Mooly Sagiv
Adapted from Thomas Reps
VMCAI’2016 Invited Talk
Static Analysis in a Nutshell
• Determine information about the possible situations that
can arise at execution time, without actually running the
program on specific inputs
• Typically:
– For each point in the program, find a descriptor that represents
(a superset of) the stores that could possibly arise at that point
• Correctness of an analysis justified via abstract
interpretation [Cousot & Cousot 77]
Automating Abstraction Interpretation
• Abstract interpretation
– A “black art” → hard to work with
• 20-year quest to raise the level of automation in
abstract interpretation
– 3-valued logic analysis (TVLA)
• M. Sagiv, T. Reps, R. Wilhelm, T. Lev-Ami, A. Loginov, R. Manevichs
– machine-code analysis (TSL)
• T. Reps, J. Lim
– symbolic-abstraction algorithms
• T. Reps, M. Sagiv, G. Yorsh, A. Thakur
Reps, T. and Thakur, A., “Automating abstract
interpretation,” VMCAI, 2016.
research.cs.wisc.edu/wpis/papers/vmcai16-invited.pdf
Patrick
Cousot
Radhia
Cousot
What Does It Mean to Automate Parsing?
• A parsing-problem instance Parse(L,s) has two inputs
– L = a context-free language
– s = a string to be parsed
The string changes more frequently than the language
• A context-free language has a context-free grammar
• Yacc (and later, Gnu Bison)
– Input: a context-free grammar that describes the language L to
be parsed
– Output: a parsing function, yyparse(), for which
executing yyparse() on string s computes Parse(L,s)
Steve
Johnson
source: simple-talk interview
What Does It Mean to Automate Program Analysis?
• Follow a similar scheme . . .
• But first, why would you even want to invest the time
doing so?
Why is Program Analysis Difficult?
• Undecidable problems
– Just before statement S of program P, does property φ hold?
– Dodge this issue by using one-sided algorithms
Sidestepping Undecidability
Reachable States
Universe of States
Bad States
Sidestepping Undecidability
Overapproximate the reachable states
Reachable States
Bad States
False positive!
Universe of States
Why is Program Analysis Difficult?
• Undecidable problems
– Just before statement S of program P, does property φ hold?
– Dodge this issue by using one-sided algorithms
• “Infinities”
– Infinite, or very large, state spaces
– Infinite, or very large, answer sets
Why is Program Analysis Difficult?

• Large/unbounded base types: int, float, string
• User-defined types/classes
• Pointers/aliasing + unbounded #’s of heap-allocated cells
• Procedure calls/recursion/calls through pointers/dynamic
method lookup/overloading
• Concurrency + unbounded #’s of threads
Sources of Infinity

• Data
– unbounded counters, integer variables, lists, queues
• Control structures
– procedures, process creation
• Configuration parameters
– unbounded number of processes, principals
• Real-time
– discrete or continuous time
Some Successes of the Field
• Static Driver Verifier, a.k.a. SLAM (Microsoft)
– Tool for finding possible bugs in Windows device drivers
– Complicated back-out protocols in driver APIs when events
cancelled or interrupted
• Astrée (ENS)
– Established the absence of run-time errors in Airbus flight
software
Example: Parity Analysis
f (a,b) = (16 * b + 3) * (2 * a + 1)
*
+
*
16
+
3
b
*
2
1
a
+
0
1
2
3
...
*
0
1
2
3
...
0
0
1
2
3
...
0
0
0
0
0
...
1
1
2
3
4
...
1
0
1
2
3
...
2
2
3
4
5
...
2
0
2
4
6
...
3
3
4
5
6
...
3
0
3
6
9
...
⋮
⋮
⋮
⋮
⋮
⋱
⋮
⋮
⋮
⋮
⋮
⋱
Example: Parity Analysis
𝑓 # (a,b) = (16 ∗# b +# 3) ∗# (2 ∗# a +# 1)
O
O
E
+#
∗#
E
?
16
+#
?
O
E
? O E
? ? ?
? E O
? O E
b
∗#
O
#
+
O E
O
3 ∗#
1
E
?
2
a
𝑓 #: _  _  O
∗#
?
O
E
? O E
? ? E
? O E
E E E
Abstract values, such as O, E, and ?, represent potentially
infinite collections of concrete values
O: {…, -3, -1, 1, 3, …}
E: {…, -2, 0, 2, …}
{…, -3, -1, 1, 3, …} + {…, -2, 0, 2, …} = {…, -3, -1, 1, 3, …}
O
+#
E
=
O
+#
?
O
E
? O E
? ? ?
? E O
? O E
∗#
?
O
E
? O E
? ? E
? O E
E E E
Constant Propagation
[i  ?, j  ?]
i=0
e.e[i  0]
[i  0, j  ?]
j=0
e.e[j  0]
e.e
[i  0, j  0] [i  1, j  0]
while i  2
e.e
[i  0, j  0]
j = (j+1)/4
e.e[j  (e(j)+1)/4] [i  0, j  0]
i = i+1
printf(i,j)
e.e[i  e(i) + 1]
[i  0, j  0]
Constant Propagation
[i  ?, j  ?]
i=0
e.e[i  0]
[i  0, j  ?]
j=0
e.e[j  0]
e.e
[i  ?, j  0] [i  ?, j  0]
while (…)
e.e
[i
[i 
 0,
?, j  0]
j = (j+1)/4
e.e[j  (e(j)+1)/4]
i  {…,-2,-1,0,1,2, …}
[i  0,
?, jj
0]{0}
i = i+1
printf(i,j)
e.e[i  e(i) + 1]
[i  0,
?, j  0]
What Does It Mean to Automate
Abstract Interpretation?
• An abstract interpreter Interp#(Ms,A,𝑎# ) has three inputs
– Ms = the meaning function for a programming-language statement s
– A = an abstract domain
– 𝑎# = an abstract-domain value (represents a set of pre-states)
𝑎# changes more frequently than Ms and A
• Goal
– Inputs:
(i) a specification of the semantics of a programming language’s
statements
(ii) a specification of abstract domain A
– Output: a function Is,A(•) such that Is,A(𝑎# ) computes Interp#(Ms,A,𝑎# )
• What formalism should we use to specify Ms?
• What formalism should we use to specify A?
Abstract Interpretation [CC77]
{(x2, y1),
(x5, y3)}
{(2,1), (2,2), (2,3),
(3,1), (3,2), (3,3),
(4,1), (4,2), (4,3),
(5,1), (5,2), (5,3)}
γ
x  [2,5]
y  [1,3]
α
α
Universe of States
Patrick
Cousot
Radhia
Cousot
Best Transformer [CC79]
However, no algorithms to
• apply the best transformer 
• create the best transformer 
Best
over-approximation
of τ(γ(𝑎# )) in A
ττ τ
τ τ
ττ
Loss of precision
γ
α
γ
safe τ#
τ#
𝑎#
Universe of States
Patrick
Cousot
Radhia
Cousot
Why do we need algorithms for best
transformers?
• Enables parametric semantics
– X86
– Libraries
• Domain constructors
– Reduced products
• Basic blocks and Loop free code
– Simpler abstract domains
Challenge: Abstract Interpretation
is
[-5,5]
+
Inherently Non-Compositional
[5,10]
[-10,-5]
−
x rely on compositionality
• In computer science, we
–
–
–
–
languages are expressed using context-free grammars
[5,10]using
many concepts and properties defined
x inductive definitions
recursive tree traversals are a basic workhorse
software organized into layers
• Example: (x + (–x)), evaluated in (x ↦ [5,10], y ↦ [10,20])
– [-5, 5] versus [0,0]
– Suppose that you have in hand a collection of ``best” abstractinterpretation operators
– Their composition may not provide the best (abstract) answer for
the composition of the corresponding concrete operations
Predicate Abstraction
• Verify the safety of a program over infinite data using
fixed set of predicates (Booleans) P1, P2, …, Pn
• The meaning of each predicate is a function from the
states into Booleans
–
Pi : {0, 1}
• The program can be conservatively represented by a
Boolean program
• If safety property holds in the Boolean program then
it also holds in original program
A Simple Example
X := 0 ;
while true do {
X := X + 1;
assert X > 0
}
P1 = X 0
P2= X 0
<P1 := 1, P2 := 0>
while true do {
<P1 := if P1P2 then 1 else *, P2 := if P1 then 1 else *>
assert P1 P2
}
A Simple Example (Transition System)
X:=0
X=0
X=1
X:=X+1
X=3
X:=X+1
X=4
X:=X+1
X=…
X:=X+1
Concrete
P1 = X 0
P2= X 0
#
<P1=1, P2:=0>
Abstract
X:=0
#
X:=X+1
<P1=1, P2:=1>
X:=X+1
#
Predicate Abstraction: Basics
Error
Initial
Program State Space
Abstraction
• Abstraction: Predicates on program state
– Signs:
– Aliasing:
x>0
&x  &y
• States satisfying the same predicates are equivalent
– Merged into single abstract state
(Predicate) Abstraction: A crash course
Error
Initial
Program State Space
Abstraction
Q1: Which predicates are required to verify a property ?
Q2: How to compute abstract transformers?
The Predicate Abstraction Domain
• Fixed set of predicates Pred
• The meaning of each predicate pi  Pred is a closed
first order formula fi
• The relational domain is
<P(P(Pred)), , P(Pred), , >
– Join is set union
A Simple Example
Predicates: p1 = x > 0 p2 = y  0
int x, y;
x = 1;
y=2;
while (*) do {
x=x+y;
}
assert x > 0;
bool p1, p2;
p1 = true ;
p2 = true ;
while (*) do {
p1 = (p1&&p2 ? 1 : *)
}
assert p1 ;
Existential Abstraction
• Given a transition system M=(S, S0, T) and an
abstraction : S S#
• An abstract a transition system M=(S#, S0#, T#) is an
existential abstraction of M w.r.t.  if
– s0  S0. (s0) = s0#  s0  S0#
– (s, s’)  T. (s) = s#  . (s’) = s’#  (s#, s’#)  T#
Minimal Existential Abstraction
• Given a transition system M=(S, S0, T) and an
abstraction : S S#
• An abstract a transition system M=(S#, S0#, T#) is a
minimal existential abstraction of M w.r.t.  if
– s0  S0. (s0) = s0#  s0  S0#
– (s, s’)  T. (s) = s#  . (s’) = s’#  (s#, s’#)  T#
• But how does one compute minimal abstraction?
– Employ a SAT solver
The SAT Problem
• Given a propositional formula (Boolean function)
–  = (a  b) ( a b  c)
• Determine if  is valid
• Determine if  is satisfiable
– Find a satisfying assignment or report that such does
not exit
• For n variables, there are 2n possible truth assignments to
be checked
0
1
• But many practical tools exist
a
b b
c c c c
0
0
1
1
0
1
0
1
0
1
0
1
SAT made some progress…
100000
10000
Vars
1000
100
10
1
1960
1970
1980
1990
Year
2000
2010
The SMT Problem (Sat Modulu Theory)
• Given a quantifier free first order formula over some theory
equation
–  = 3x + y = z  f(y) = z
• Determine if  is valid
• Determine if  is satisfiable
– Find a satisfying assignment or report that such does not
exit
• Tools exist
– Z3 (Microsoft)
– CVC
Representing States as Formulas
[F ]
F
states satisfying F {s | s  F }
FO formula over prog. vars
[F 1 ]  [F 2 ]
F1  F2
[F 1 ]  [F 2 ]
F1  F2
[F ]
F
[F 1 ]  [F 2 ]
F1 implies F2
i.e. F1   F2 unsatisfiable
A Simple Example (Again)
X := 0 ;
while true do {
X := X + 1;
assert X > 0
}
P1 = X 0
P2= X 0
How can the SMT solver be used to compute the effect of X := X + 1 on P1
and P2?
Symbolic Operations: Three Value-Spaces

T
Concrete
Values
T
Formulas

Abstract
Values
Symbolic Operations: Three Value-Spaces

T
Concrete
Values
Formulas
T#

Abstract
Values
Symbolic Operations: Three Value-Spaces
2, 4, 16, …

even(x)

x=E

Concrete
Values
Formulas
Abstract
Values
Symbolic Operations: Three Value-Spaces
x
x
...


x

u1
u

Concrete
Values
Formulas
Abstract
Values
Required Primitive Operations
Abstraction
(S) =
( x
storeS (store)
)={
x
u1
u
}
Symbolic concretization
(
)=
x
u1
u
v1,v2 : nodeu1(v1)  nodeu (v2)  v1 ≠ v2
 v : nodeu1(v)  nodeu (v)
 ...
Theorem prover returning a satisfying structure (store)
S
Constant-Propagation Domain
T
(Var  ZT), where ZT =
. . . -2 -1 0 1 2 . . .
Examples: ,
[x0, y43, z0],
[xT, yT, z0],
[xT, yT, z T]
Infinite cardinality, but finite height
Three Value-Spaces
[x0, y1, z0]
[x0, yT, z0]
(x = 0)  (z = 0)
[x0, y0, z0]



[x0, y2, z0]
Concrete
Values
Formulas
Abstract
Values
Three Value-Spaces
[x0, y1, z0]
(x = 0)  (z = 0)
[x0, y0, z0]
[x0, y2, z0]


[x0, y2, z0]
Concrete
Values
Formulas
Abstract
Values
Required Primitive Operations
Abstraction

(S) =
storeS (store)
([x  0, y  2, z  0]) = [x0, y2, z0]
Symbolic concretization
([x0, yT, z0]) = (x = 0)  (z = 0)
Theorem prover returning a satisfying structure (store)
S
[x  0, y  2, z  0]  (x = 0)  (z = 0)
Required Primitive Operations
Abstraction

(S) =
storeS (store)
([x  0, y  2, z  0]) = [x0, y2, z0]
Symbolic concretization
([x0, yT, z0]) = (x = 0)  (z = 0)
Theorem prover returning a satisfying structure (store)
S
[x  0, y  2, z  0]  (z = 0)  (x = y*z)
Constant Propagation
[x3, y4, z1]
T[x = y * z]
x=y*z
λe.e[x e(y)*e(z)]
[x’4, y’4, z’1]
T[x := y*z] =df (x’ = y * z)  (y’ = y)  (z’ = z)
[x3, y4, z1,
x’4, y’4, z’1]  (x’ = y * z)  (y’ = y)  (z’ = z)
Constant Propagation
[x3, yT, z1]
T#[x = y * z]
[x’T, y’T, z’1]
x=y*z
λe.e[x e(y) # e(z)]
Constant Propagation

Start
λe.
 x=3
λe.e[x3]

λe.e

if .
..
λe.e
z=2
λe.e[z2]

y=x
y = z+1

λe.e[ye(x)]
λe.e[ye(z)+#1]
printf(y)

Constant Propagation

Start
λe.
[ xT, yT, zT ]
x=3
λe.e[x3]
[ x3, yT, zT ]
λe.e
[ x3, yT, zT
]
..
λe.e
z=2
λe.e[z2]
[ x3, yT, z2]
if .
y=x
y = z+1
λe.e[ye(z)+#1]
[ x3, y3, z2 ]
[ x3, yT, zT ]

λe.e[ye(x)]
printf(y) [ x3, y3, zT ]
[ x3, y3,
 zT ]
Abstract Transformer
{[x3, y3, z0],
[x7, y2, z0]}
T[x := y*z]
{[x0, y3, z0],
[x0, y2, z0]}

[xT, yT, z0]

[xT, yT, z0]
T#[x := y*z] z0]
 [x0, yT,
Best Abstract Transformer
{[x0, y0, z0],
[x1, y0, z0],
...
[x0, y1, z0],
[x1, y1, z0],
. . .}

[xT, yT, z0]
T[x := y*z]
{[x0, y0, z0],
[x0, y1, z0],
. . .}

[x0, yT, z0]
Three Value-Spaces
α
(x’ = 0)
 (z’ = 0)
[x’0,y’T,z’0]
αT
[xT,yT,z0]
T[x := y*z]
(z = 0)
Concrete
Values
Formulas

Abstract
Values
Remainder of the Lecture
• () – best abstract value that represents 
• Best = T   – best abstract transformer
Idea Behind Procedure CP()

ans


Concrete
Values
Formulas
Abstract
Values
Idea Behind Procedure CP()

S

(S)
S
ans

Concrete
Values
Formulas
Abstract
Values
Idea Behind Procedure CP()

  (ans)
S


(ans)
S
ans

(ans)
Concrete
Values
(S)
Formulas
Abstract
Values
Idea Behind Procedure CP()
1  (ans)
1
S  1
1

(ans)
S
ans

(ans)
Concrete
Values
(S)
Formulas
Abstract
Values
Idea Behind Procedure CP()
S  2
2
(S)
S
2
ans

Concrete
Values
Formulas
2 = 1  (ans)
Abstract
Values
Idea Behind Procedure CP()
2  (ans)
S  2
S
2
(ans)

(S)
2
ans

(ans)
Concrete
Values
Formulas
Abstract
Values
Idea Behind Procedure CP()

 (ans), (ans)
(ans)

Concrete
Values
5 = false
Formulas
ans
Abstract
Values
Procedure 
 (formula ) {
ans := 
 := 
while ( is satisfiable) {
Select a store S such that S  
ans := ans  (S)
 :=   (ans)
}
return ans
}
Example: CP((y = 3)  (x = 4*y + 1))
Initialization:
ans := 
 := (y = 3)  (x = 4*y + 1)
Iteration 1: S := [x  13, y  3]
// A satisfying store
ans :=    ([x  13, y  3])
= [x13, y3]
(ans) = (x = 13)  (y = 3)
 := (y = 3)  (x = 4*y + 1)  ((x = 13)(y = 3))
= (y = 3)  (x = 4*y + 1)  ((x  13)  (y  3))
= false
Iteration 2:
 is unsatisfiable
Return value: [x13, y3]
Procedure CP()
(z = 0)
 (x = y * z)
[x0,
y43,
z0]

S
ans

[x0,y43,z0]
Concrete
Values
Formulas
Abstract
Values
Procedure CP()
(z = 0)
 (x = y * z)
  (ans)

S

(x = 0)
 (y = 43)
 (z = 0)
(ans)[x0,y43,z0]
Concrete
Values
[x0,
y43,
z0]
Formulas
ans

Abstract
Values
Example: CP((z = 0)  (x = y * z))
Initialization:
ans := 
 := (z = 0)  (x = y * z)
Iteration 1: S := [x  0, y  43, z  0] // A satisfying store
ans :=    ([x  0, y  43, z  0])
= [x0, y43, z0]
(ans) = (x = 0)  (y = 43)  (z = 0)
 := (z = 0)  (x = y*z)  ((x=0)  (y=43)  (z=0))
= (z = 0)  (x = y*z)  (y  43)
Procedure CP()
(z = 0)
 (x = y * z)
 (y  43)

[x0,
y24,
z0]
S

[x0,
y43,
z0]
[x0,y24,z0]
Concrete
Values
Formulas
Abstract
Values
Example: CP((z = 0)  (x = y * z))
. . .
 = (z = 0)  (x = y * z)  (y  43)
Iteration 2:
S := [x0,y46,z0] // A satisfying store
ans := [x0,y43,z0]  
([x0,y46,z0])
= [x0, y43, z0]  [x0,y46,z0]
= [x0, yT, z0]
(ans) = (x = 0)  (z = 0)
 := (z=0)  (x=y*z)  (y43)  ((x=0)  (z=0))
= false
Iteration 3:
 is unsatisfiable
Procedure CP()
(z = 0)
 (x = y * z)
 (y  43)
[x0, yT, z0]


S
(x = 0)
 (z = 0)
ans

(x = 0)  (z = 0)
Concrete
Values
Formulas
Abstract
Values
Example: CP(y = x + (-x))
 = y = x + (-x)
Iteration 1:
S := [x43,y0] // A satisfying store
ans :=
 ([x43,y0])
= [x43 y0]
(ans) = (x = 43)  (y = 0)
 := (y = x + (-x))  (x43 y0)
Procedure 𝛼CP()
𝑦 = 𝑥 + (−𝑥)

[x43
y0]
𝑎#
S

[x43,y0]
Concrete
Values
Formulas
Abstract
Values
Example: CP(y = x + (-x)) (Cont)
 := (y = x + (-x))  (x43 y0)
Iteration 2:
S = [x43,y0]
ans := [x43, y0]  ([x46,y0])
= [xT, y0]
(ans) = (y = 0)
 := (y = x + (-x))  (x43 y0)  (y 0)
Iteration 3:
 is unsatisfiable
Return value: [xT, y0]
Procedure 𝛼CP()
𝑦 = 𝑥 + (−𝑥)

(x = 43)
 (y = 0)
[x43,
y0]
γ
𝑎#
S

[x43,y0]
Concrete
Values
Formulas
Abstract
Values
Procedure 𝛼CP()
(𝑦 = 𝑥 + −𝑥 )
 ((x = 43)  (y = 0))
[x43,
y0]
𝑎#
Concrete
Values
Formulas
Abstract
Values
Example: 𝛼 CP(𝑦 = 𝑥 + (−𝑥))
. . .
𝑎# := [x43, y0]
 = (𝑦 = 𝑥 + −𝑥 )  ((x = 43)  (y = 0))
Iteration 2: S := [x46,y0] // A satisfying store
𝑎# := [x43,y0]   ([x46,y0])
= [x43, y0]  [x46,y0]
= [xT, y0]
γ(𝑎 # ) = (y = 0)
 := (𝑦 = 𝑥 + −𝑥 )  (y = 0)
Iteration 3:
 is unsatisfiable
Return value: [xT, y0]
Procedure 𝛼CP()
(𝑦 = 𝑥 + −𝑥 )
 ((x = 43)  (y = 0))

[x46,
y0]
S

[x43,
y0]
[x46,y0]
Concrete
Values
Formulas
Abstract
Values
Procedure 𝛼CP()
(𝑦 = 𝑥 + −𝑥 )
 ((x = 43)  (y = 0))
[xT, y0]

S
γ
(y = 0)
𝑎#

[x46,y0]
Concrete
Values
Formulas
Abstract
Values
Procedure 𝛼CP()
 𝑦 = 𝑥 + −𝑥 
𝑦 = 𝑥 + −𝑥
 (y = 0)
[xT, y0]
𝑎#

Concrete
Values
unsat
Formulas
Abstract
Values
The Idea Behind Best = T  
(a)T
(a)
a

(a)
T
Formulas
Abstract
Values
The Idea Behind Best = T  
(a)T
(a)
a

(a)
T
Formulas
Abstract
Values
The Idea Behind Best = T  

(a)T

(a)
a

ans
(a)
T
Formulas
Abstract
Values
The Idea Behind Best = T  

(a)T

(a)
a

ans
(a)
T
Formulas
Abstract
Values
Procedure Best
Best(two-store-formula T, abs-store a) {
ans’ := ’
 := (a)  T
while ( is satisfiable) {
Select a store pair (S,S ’) such that (S,S ’)  
ans’ := ans’   ’(S ’)
 :=   ’(ans’)
}
return ans’
}
Best((x’ = y * z)  (y’ = y)  (z’ = z),
[xT, yT, z0])
Initialization:
ans’ := ’
 := (z = 0)  (x’ = y * z)  (y’ = y)  (z’ = z)
Iteration 1:
(S,S ’) := [x  5, y  17, z  0,
x’ 0, y’ 17, z’ 0]
The Idea Behind Best = T  
[ x’0, y’17, z’0]
(a)T
(a)
a

(a)
[x5, y17, z0]
T
Formulas
Abstract
Values
Best((x’ = y * z)  (y’ = y)  (z’ = z),
[xT, yT, z0])
Initialization:
ans’ := ’
 := (z = 0)  (x’ = y * z)  (y’ = y)  (z’ = z)
Iteration 1:
(S,S ’) := [x  5, y  17, z  0,
x’ 0, y’ 17, z’ 0]
ans’ := [x’0, y’17, z’0]
’(ans’) = (x’= 0)  (y’= 17)  (z’= 0)
 := (z = 0)  (x’ = y*z)  (y’ = y)  (z’ = z)  (y’  17)
Best((x’ = y * z)  (y’ = y)  (z’ = z),
[xT, yT, z0])
Iteration 2:
(S,S ’) := [x 12, y  99, z  0,
x’ 0, y’ 99, z’ 0]
ans’ := [x’0, y’17, z’0]  [x’0, y’99,
z’0]
= [x’0, y’T, z’0]
’(ans’) = (x’= 0)  (z’= 0)
 := (z = 0)  (x’ = y * z)  (y’ = y)  (z’ = z)
 (y’  17)  ((x’  0)  (z’  0))
= false
Iteration 3:  is unsatisfiable
Best(y = x  next,
)
x
u
u1
r[x]
r[x]
. . .  (y’(v)   v1: x(v1)  n(v1,v))  . . .
y’
r[x]’
x’
x
u1
r[x]
r[x]’,r[y]’ r[x]’,r[y]’
u2
y r[x]
u3
r[x]’,r[y]’
u4
r[x]
x
u2
u1
r[x]
r[x],r[y]
u
r[x],r[y]
r[x]
Predicate Abstraction
y := 3
x := 4*y + 1
[x  13, y  3]
{ B1  (y = 1), B2  (y = 3), B3  (y = 4),
B4  (x = 1), B5  (x = 3), B6  (x = 4) }
B1  B2  B3  B4  B5  B6
y = 3  x {1, 3, 4}
[x  13, y  3]
Three Value-Spaces
[x0, y3]
[x5, y3]
(B1, B2,B3,
B4,B5,B6)
(y ≠ 1)  (y = 3)
 (y ≠ 4)  (x ≠ 1)
 (x ≠ 3)  (x ≠ 4)


[x17, y3]
Concrete
Values
Formulas
Abstract
Values
Three Value-Spaces
(B1, B2,B3,B6)
(y ≠ 1)  (y = 3)
 (y ≠ 4)  (x ≠ 4)
T[x := x+1]
(y ≠ 1)  (y = 3)
 (y ≠ 4)  (x ≠ 1)
 (x ≠ 3)  (x ≠ 4)
Concrete
Values
Formulas
α
αT
(B1, B2,B3,
B4,B5,B6)

Abstract
Values
Predicate Abstraction
• Abstract values
(B1, B2, B3, B4, B5, B6)
• Apply , which performs  symbolically
(y ≠ 1)  (y = 3)  (y ≠ 4)  (x ≠ 1)  (x ≠ 3)  (x ≠ 4)
• Apply T, which implements α  T
α PA: Most-Precise Abstract Value
[Predicate Abstraction]
(y = 3)
 (x = 4*y + 1)
(B1, B2,B3,
B4,B5,B6)
αPA
Concrete
Values
Formulas
Abstract
Values
α PA: Most-Precise Abstract Value
[Predicate Abstraction]
if  is
unsatisfiable
false
PA() =

k
j=1
Bj if   j is valid
Bj if   j is valid
true otherwise
PA((y = 3)  (x = 4*y + 1)) =
otherwise
B1, B2, B3,
B4, B5, B6
(y = 3)  (x = 4*y + 1)  (y = 1)
(y = 3)  (x = 4*y + 1)  (y = 3)
(y = 3)  (x = 4*y + 1)  (y = 4)
α PA: Most-Precise Abstract Value
[Predicate Abstraction]
if  is
unsatisfiable
false
PA() =

k
j=1
Bj if   j is valid
Bj if   j is valid
true otherwise
PA((y = 3)  (x = 4*y + 1)) =
otherwise
B1, B2, B3,
B4, B5, B6
(y = 3)  (x = 4*y + 1)  (x = 1)
(y = 3)  (x = 4*y + 1)  (x = 3)
(y = 3)  (x = 4*y + 1)  (x = 4)
Procedure PA vs. General 
PA
S  i

i
i
S

 (ansi-1)
Concrete
Values
Abstract
Values
Formulas
Concrete
Values
Formulas
ansi = ansi-1 (S)
ansi-1
Abstract
Values
Open Questions
• Infinite height domains
• Different algorithms for best transformers
– Can we go down from 
– No counter examples
– Use symbolic counter examples
• Can we operate on formulas directly?
• Lower bounds on the problem of computing
the best transformer
Bibliography
• Susanne Graf, Hassen Saïdi: Construction of Abstract State Graphs
with PVS. CAV 1997: 72-83
• Thomas W. Reps, Shmuel Sagiv, Greta Yorsh:
Symbolic Implementation of the Best Transformer. VMCAI 2004:
252-266
• Aditya V. Thakur, Thomas W. Reps:
A Generalization of Stålmarck's Method. SAS 2012: 334-351
• Aditya V. Thakur, Matt Elder, Thomas W. Reps:
Bilateral Algorithms for Symbolic Abstraction. SAS 2012: 111-128
• Aditya V. Thakur, Thomas W. Reps:
A Generalization of Stålmarck's Method. SAS 2012: 334-351
• Vijay D'Silva, Leopold Haller, Daniel Kroening:
Abstract satisfaction. POPL 2014: 139-150
Summary
• Requirements
– Finite-height abstract domain
– Theorem prover that returns a satisfying structure (store)
– (S) =
sS (S)
– Symbolic-concretization operation ()

• () – best abstract value that represents 
• Best(T,a) – best abstract transformer