Refining Model Checking by Abstract Interpretation

Formal methods combining abstract interpretation and model-checking have been considered for automated analysis of software.In abstract model-checking, the semantics of an infinite transition system is abstracted to get a finite approximation on which temporal-logic/-calculus model-checking can be directly applied.The paper proposes two improvements of abstract model-checking which can be applied to infinite abstract transition systems:iA new combination of forwards and backwards abstract fixed-point model-checking computations for universal safety. It computes a more precise result than that computed by conjunction of the forward and backward analyses alone, without needing to refine the abstraction;When abstraction is unsound (as can happen in minimum/maximum path-length problems), it is proposed to use the partial results of a classical combination of forward and backward abstract interpretation analyses for universal safety in order to reduce, on-the-fly, the concrete state space to be searched by model-checking.     

一种基于抽象解释和通用单调数据流框架的值范围分析方法

安全而又精确的值范围分析对编译器优化至关重要．系统地提出了一个基于抽象解释和通用单调数据流框架的值范围分析框架，包括精确的定叉、分析和完整的正确性证明．与一般的值范围分析方法不同，该框架不仅包括抽象解释，还包括与之对应的具体解释，以及相应的正确性证明．     

基于抽象解释的代码迷惑有效性比较框架

代码迷惑是一种以增加理解难度为目的的程序变换技术,用来保护软件免遭逆向剖析.代码迷惑是否有效是代码迷惑研究中首要解决的问题.目前对有效性证明的研究大都是基于非语义的方式.文章将语义与有效性证明联系起来,建立了基于语义的代码迷惑有效性比较框架,该框架能够为迷惑算法在静态分析这样的限定环境下提供有效性证明,而且也能严格比较迷惑算法之间的有效性,最后使用实例描述比较框架如何应用到证明代码迷惑的有效性.     

单变量区间线性不等式抽象域

程序变量的值范围信息对于编译器优化、程序分析与验证等应用至关重要.抽象解释理论提供了一种通用框架为程序变量计算近似的但是可靠的值范围.然而该框架下已有的数值抽象域在表达非凸性质方面存在一定的局限性,影响了值范围分析的精度.文中基于抽象解释理论,提出一个新的数值抽象域——单变量区间线性不等式抽象域.其主要思想是使用单变量区间线性不等式约束作为域元素的约束表示方法.该抽象域的表达能力强于经典的区间抽象域,并允许表达某类非凸、非连通性质.同时,其域操作存在高效的实现算法.该抽象域具有很强的可扩展性,能够应用在实际大规模的程序分析中.     

Generalized Strong Preservation by Abstract Interpretation

Standard abstract model checking relies on abstract Kripke structureswhich approximate concrete models by gluing together indistinguishablestates, namely by a partition of the concrete state space. Strongpreservation for a specification language amounts to the equivalence of concrete and abstractmodel checking of formulas in . We show how abstract interpretation can be used to designgeneric abstract models that allow to view standard abstractKripke structures as particular instances. Accordingly, strongpreservation is generalized to abstract interpretation-basedmodels and precisely related to the concept of completenessin abstract interpretation. The problem of minimally refiningan abstract model in order to make it strongly preserving forsome language can be formulatedas a minimal domain refinement in abstract interpretation inorder to get completeness w.r.t. the logical/temporal operatorsof . It turns out thatthis refined strongly preserving abstract model always existsand can be characterized as a greatest fixed point. As a consequence,some well-known behavioural equivalences, like bisimulation,simulation and stuttering, and their corresponding partitionrefinement algorithms can be elegantly characterized in abstractinterpretation as completeness properties and refinements.     

Trace-Based Abstract Interpretation of Operational Semantics

We present trace-based abstract interpretation, a unification of severallines of research on applying Cousot-Cousot-style abstract interpretation a.i. tooperational semantics definitions (such as flowchart, big-step, and small-step semantics)that express a programs semantics as a concrete computation tree of trace paths. Aprograms trace-based a.i. is also a computation tree whose nodes contain abstractions ofstate and whose paths simulate the paths in the programs concrete computation tree.Using such computation trees, we provide a simple explanation of the central concept of collecting semantics, and we distinguish concrete from abstract collectingsemantics and state-based from path-based collecting semantics. We also expose therelationship between collecting semantics extraction and results garnered from flow-analytic and model-checking-based analysis techniques. We adapt concepts fromconcurrency theory to formalize safe and live a.i.s for computation trees; in particular, coinduction techniques help extend fundamental results to infinite computation trees.Problems specific to the various operational semantics methodologies are discussed: Big-step semantics cannot express divergence, so we employ a mixture of induction andcoinduction in response; small-step semantics generate sequences of programconfigurations unbounded in size, so we abstractly interpret source language syntax.Applications of trace-based a.i. to data-flow analysis, model checking, closure analysis,and concurrency theory are demonstrated.     

Abstract Interpretation for Termination Analysis in Functional Active Databases

An active database consists of a traditional database supplemented by a set of Event-Condition-Action (ECA) rules. One of the key questions for active database designers is that of termination of the ECA rules. The behaviour of the ECA rules may be obscure and their semantics is often not specified formally. Consequently, developing termination analysis algorithms and proving their correctness is a challenging task. In this paper we address this problem for functional active databases by adopting an abstract interpretation approach. By functional active databases we mean active databases whose transaction execution semantics have been expressed in a purely functional language. Although we demonstrate our techniques for a specific active DBMS which supports a functional database programming language interface, these techniques are directly applicable to other active DBMSs whose execution semantics have been specified using a functional or a denotational approach.