Widening as Abstract Domain

Veri cation using static analysis often hinges on precise numeric invariants. Numeric domains of in nite height can infer these invariants, but require widening/narrowing which complicates the xpoint computation and is often too imprecise. As a consequence, several strategies have been proposed to prevent a precision loss during widening or to narrow in a smarter way. Most of these strategies are di cult to retro t into an existing analysis as they either require a pre-analysis, an on-they modi cation of the CFG, or modi cations to the xpoint algorithm. We propose to encode widening and its various re nements from the literature as co bered abstract domains that wrap standard numeric domains, thereby providing a modular way to add numeric analysis to any static analysis, that is, without modifying the xpoint engine. Since these domains cannot make any assumptions about the structure of the program, our approach is suitable to the analysis of executables, where the (potentially irreducible) CFG is re-constructed on-they. Moreover, our domain-based approach not only mirrors the precision of more intrusive approaches in the literature but also requires fewer iterations to nd a xpoint of loops than many heuristics that merely aim for precision. Adding numeric domains of in nite height to a static analysis requires that widening and/or narrowing is applied within each loop of the program to ensure termination [7]. Commonly, this is implemented by modifying the xpoint algorithm to perform upward and downward iterations while a pre-analysis determines necessary widening points. Firstly, downward iterations can be problematic since a widened state can induce a precision loss in other domains that cannot be reverted with the narrowed numeric state [17]. Secondly, determining a minimal set of widening points requires non-trivial algorithms for irreducible control ow graphs (CFGs) [6]. Worse, these algorithms cannot be applied in the context of analyzing machine code, as the CFG is re-constructed on-they while computing the xpoint [3]. Moreover, narrowing alone is often not enough to obtain precise xpoints which has been illustrated in many papers that present improved widenings/narrowings [10,11,12,15,17]. All of these approaches require disruptive changes to the xpoint engine, for instance, tracking several abstract states [10,12], temporarily disabling parts of the CFG [11], performing a preanalysis with di erent semantics [13,15], collecting \landmarks" [17] or referring to user-supplied thresholds [5]. This paper shows that widening and its various re nements can be implemented without modifying an existing xpoint engine, thereby making numeric domains available to analyses that are oblivious to the