A suite of abstract domains for static analysis of string values

interpretation is a theory to define and soundly approximate the semantics of a program [8, 9], focusing on some runtime properties of interest. Usually, each concrete state is composed by a set of elements (e.g., all the possible computational states), that is approximated by a unique element in the abstract domain. Formally, the concrete domain ℘(D) forms a complete lattice 〈℘(D),⊆, ∅,D,∪,∩〉. On this domain, a concrete semantics S is defined. In the same way, an abstract semantics is defined, and it is aimed to approximate the concrete one in a computable way. Formally, the abstract domain A has to form a complete lattice 〈A,≤A,⊥A,>A,tA,uA〉. The concrete and abstract domains are related by a concretization γA and an abstraction αA functions, and, in order to obtain a sound analysis, these have to form a Galois connection. Formally, 〈℘(D),⊆〉 −−−→ ←−−− αA γA 〈A,≤A〉. One function univocally identifies the other, and in the rest of the paper we will focus on concretization-based Galois connection, and in particular on the following theorem (Proposition 7 of [10]). Theorem 1.1 (Concretization-based Galois connection) Let the concretization function γA : A→ ℘(D) be a complete meet preserving map. Define the abstraction function by αA = λY. uA {z : γA(z) ⊆ Y}. If αA is well-defined then 〈℘(D),⊆〉 −−−→ ←−−− αA γA 〈A,≤A〉. When abstract domains do not satisfy the ascending chain condition, a widening operator ∇A is required in order to guarantee the convergence of the fixed point computation. This is an upper bound operator such that for all increasing chains a0 ≤A . . . an ≤A . . . the increasing chain defined as w0 = a0, . . . ,wi+1 = wi∇Aai+1 converges after a finite number of steps [5]. An abstract semantics S is a sound approximation of the concrete one if ∀a ∈ A : γA(SJaK) ⊇ SJγA(a)K.