Specification and Proof of Higher-Order Programs

interpretation. Another way to deal with the infinite number of states is to only consider a finite number of abstract states. Each possible state of the program is mapped to an abstract state. Each instruction, which was modeled as a transition between concrete states in model checking, now becomes a transition between abstract states. The mapping from concrete to abstract states is also called abstraction. The properties to be verified, initially formulated for concrete states, are reformulated to deal with abstract states instead. The transition diagram now becomes finite again and can be exhaustively explored, similar to the way model checking works. This method of abstracting the search space is called abstract interpretation (Cousot and Cousot, 1979), and it has been used to verify properties of a large number of industrial-sized programs. The verifier Astree (Blanchet et al., 2003) and the commercial tool The Mathworks Polyspace, among others, are based on abstract interpretation.