Widening for Control-Flow

  • Ben Hardekopf
  • Ben Wiedermann
  • Berkeley Churchill
  • Vineeth Kashyap
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8318)


We present a parameterized widening operator that determines the control-flow sensitivity of an analysis, i.e., its flow-sensitivity, context-sensitivity, and path-sensitivity. By instantiating the operator’s parameter in different ways, the analysis can be tuned to arbitrary sensitivities without changing the abstract semantics of the analysis itself. Similarly, the analysis can be implemented so that its sensitivity can be tuned without changing the analysis implementation. Thus, the sensitivity is an independent concern, allowing the analysis designer to design and implement the analysis without worrying about its sensitivity and then easily experiment with different sensitivities after the fact. Additionally, we show that the space of control-flow sensitivities induced by this widening operator forms a lattice. The lattice meet and join operators are the product and sum of sensitivities, respectively. They can be used to automatically create new sensitivities from existing ones without manual effort. The sum operation in particular is a novel construction, which creates a new sensitivity less precise than either of its operands but containing elements of both.


Keywords: Analysis Designer, Widening Operator, Abstract Interpretation, Reachable State, Execution Path
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Ben Hardekopf (1)
  • Ben Wiedermann (2)
  • Berkeley Churchill (3)
  • Vineeth Kashyap (1)

  1. University of California, Santa Barbara, USA
  2. Harvey Mudd College, USA
  3. Stanford University, USA
