Static Analysis By Abstract Interpretation
Jeffrey Goh, Peiyu Xiong, Yingying Wang
November 20, 2019

Goals for today
● Get a brief understanding of Static Analysis and Abstract Interpretation
● Design an Abstract Interpreter to analyze a simple program

Outline
● Introduction to Static Analysis
  ○ What is static analysis
  ○ Why we need static analysis
  ○ What can we use static analysis for
● Concrete vs. Abstract Interpretation
● Design an Abstract Interpreter: Sign Analysis
● Theoretical Guarantees for Sound Approximation
● Summary
● References

Bugs are Everywhere
“Program testing can be used to show the presence of bugs, but never to show their absence.” - Edsger W. Dijkstra, 1970 [1]
[1]: Edsger W. Dijkstra. Notes on structured programming. Technical Report EWD249, Technological University Eindhoven, 1970.
Picture: Patrick Cousot, ICSME’14. https://www.di.ens.fr/~cousot/publications.www/slides-public/2014-10-02-PCousot-ICSME-1-1.pdf

Better to Prove the Absence of Bugs!

Applications of Static Analysis
● Program optimization, e.g.,
  ○ Dead code detection
  ○ Loop invariants
  ○ Automatic parallelization
● Program correctness, e.g.,
  ○ Type inference
  ○ Null pointer dereferences
  ○ Division by zero error
  ○ Security vulnerabilities
● Program development, e.g.,
  ○ Debugging
  ○ Refactoring
  ○ Program understanding

Introduction to Static Analysis
● Analyze program without running it
● Overview:
  ○ Type Analysis
  ○ Dataflow Analysis
  ○ Points-to Analysis
  ○ …
  ○ Abstract Interpretation

Example: Array Index Out of Bound Problem
● i: index of an array
● Examine i for array index out-of-bound exception

i := 0;
while (i<5) do
  ...
  i := i+2
…

Values of i at each program point, one row per build of the slide:

after i := 0 | at while (i<5) | after i := i+2 | loop exit
{0}          | {0}            | {2}            | ∅
{0}          | {0,2}          | {2,4}          | ∅
{0}          | {0,2,4}        | {2,4,6}        | ∅
{0}          | {0,2,4,6}      | {2,4,6}        | {6}
Concrete Interpretation

Expensive When Program Scales
● i: index of an array
● Examine i for array index out-of-bound exception

i := 0;
while (i<500) do
  ...
  i := i+2
…

after i := 0 | at while (i<500)   | after i := i+2   | loop exit
{0}          | {0,2,4,....., 500} | {2,4,....., 500} | {500}
Concrete Interpretation

Rather, Use Abstract Interpretation
● i: index of an array
● Examine i for array index out-of-bound exception
Only care about
  - min(i)
  - max(i)

i := 0;
while (i<500) do
  ...
  i := i+2
…

Interval of i at each program point, one row per build of the slide:

after i := 0 | at while (i<500) | after i := i+2 | loop exit
[0, 0]       | [0, 0]           | [2, 2]         | ∅
[0, 0]       | [0, 2]           | [2, 4]         | ∅
[0, 0]       | [0, 4]           | [2, 6]         | ∅
[0, 0]       | [0, 498]         | [2, 500]       | ∅
[0, 0]       | [0, 500]         | [2, 500]       | [500,500]

RE Ron’s Question: What is Abstract Interpretation (AI)?
● Formal verification
  ○ Proving that a program's semantics (describing "what the program executions actually do") satisfies its specification (describing "what the program executions are supposed to do").
● Sound approximation of the semantics of computer programs
  ○ No conclusion derived from the abstract semantics is wrong relative to the program's concrete semantics and specification
● May result in false alarms / false positives

Abstraction must be Sound
[Diagram: Error / Failure / Unexpected behavior ..]
Diagram inspired by: Patrick Cousot, ICSME’14. https://www.di.ens.fr/~cousot/publications.www/slides-public/2014-10-02-PCousot-ICSME-1-1.pdf

Abstraction should be Precise
[Diagram, four builds: Error / Failure / Unexpected behavior ..; Acceptable (but not ideal); Better; Much Better!]

Abstract Interpretation Processes
[Diagram, built up over four slides]

Concrete Domain         | ❶ Abstract Domain    |
Concrete value C        | Abstract value A     | ❷ Abstraction (α)
Operational Semantics   | ❸ Abstract Semantics |
Concrete value C’       | Abstract value A’    | ❷ Concretization (γ)

Is x always ≥ 0 in this program?

x = 0;
y = 1;
while (y<=n)
{
  if (z==0){
    x = x+1;
  }
  else{
    x=x+y;
  }
  y=y+1;
}

Sign Analysis:
• Tracks the sign (+, -, 0) of variables
Can be used for:
• Program correctness:
  • Division by zero
  • Banking program erroneously allows for negative values
• Program optimization:
  • Store positive values as unsigned integers or 0s as “false” Boolean literals
• ...

Step 1: Design an Abstract Domain
Is x always ≥ 0 in this program?
● Select the Abstract Property: Sign of integers
● Identify the Abstract Domain: Sign = { + , - , 0 }

Step 2: Abstraction and Concretization Functions
● Abstraction function (α): maps sets of concrete elements to the most precise value in the abstract domain
● Concretization function (γ): maps abstract value back to the sets of concrete elements

Quiz! (Kidding)
Syntax
Function definition Concrete (Eval) & Abstract (AEval)
Prove the following propositions:
Example from John A. Paulson. Abstract Interpretation. 2015. https://www.seas.harvard.edu/courses/cs252/2015fa/lectures/Lec05-AbstractInt.pdf

Step 3: Abstract Semantics
To ensure the soundness of abstract interpretation, the abstract semantics must faithfully model the concrete semantics.
* Diagram: Işil Dillig. A Gentle Introduction to Program Analysis. Programming Languages Mentoring Workshop. January 2014. https://www.cis.upenn.edu/~alur/CIS673/isil-plmw.pdf

Assumption: the abstract semantics for control structures (if-condition and while-loop) have a structure relatively similar to their operational semantics.

[Abstract operator tables: Addition, Subtraction, Multiplication, Boolean]
Diagrams from Anders Møller and Michael I. Schwartzbach. Static Program Analysis Part 3 - lattices and fixpoints. https://cs.au.dk/~amoeller/spa/3%20-%20lattices%20and%20fixpoints.pdf

Z => Zero
P => Positive

x = 0;
y = 1;
while (y<=n)
{
  if (z==0){
    x = x+1;
  }
  else{
    x=x+y;
  }
  y=y+1;
}

Example from Işil Dillig. A Gentle Introduction to Program Analysis. Programming Languages Mentoring Workshop. January 2014. https://www.cis.upenn.edu/~alur/CIS673/isil-plmw.pdf

Conclude all possible behaviors → go into all branches in this program
Combine the solutions from the two branches

Second Iteration
• When the information mismatches → take the union of them

Third Iteration
• No update from more iterations → reach the fixed point of the program
• Stable over-approximation from the fixed point of the program

x is never less than 0 !
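
The sign analysis walked through above, as a runnable sketch. This is an added example, not code from the original slides or the lectures they cite; the tuple-based program encoding and all function names are assumptions made for illustration. Conditions are not interpreted (both branches and both loop outcomes are always explored), and n and z are treated as unknown inputs.

```python
from itertools import product

TOP = frozenset("+-0")   # any sign possible (lattice top)


def alpha(values):
    """Abstraction: map a set of concrete integers to the set of their signs."""
    return frozenset("+" if v > 0 else "-" if v < 0 else "0" for v in values)


def add_signs(a, b):
    """Abstract addition of two single signs."""
    if a == "0":
        return frozenset(b)
    if b == "0" or a == b:
        return frozenset(a)
    return TOP           # (+) + (-) may be positive, negative or zero


def abs_add(A, B):
    """Abstract addition lifted to sets of signs: union over all sign pairs."""
    return frozenset().union(*(add_signs(a, b) for a, b in product(A, B)))


def abs_eval(expr, state):
    if expr[0] == "const":
        return alpha({expr[1]})
    if expr[0] == "var":
        return state[expr[1]]
    return abs_add(abs_eval(expr[1], state), abs_eval(expr[2], state))  # "add"


def join(s1, s2):
    """Least upper bound of two abstract states: pointwise union."""
    return {v: s1[v] | s2[v] for v in s1}


def run(stmts, state):
    for stmt in stmts:
        if stmt[0] == "assign":
            state = {**state, stmt[1]: abs_eval(stmt[2], state)}
        elif stmt[0] == "if":       # condition not interpreted: go into both branches
            state = join(run(stmt[1], state), run(stmt[2], state))
        elif stmt[0] == "while":    # iterate the body until the loop-head state is stable
            while (new := join(state, run(stmt[1], state))) != state:
                state = new
    return state


# Constructed encoding (hypothetical tuple AST) of the program on the slides.
X, Y, ONE = ("var", "x"), ("var", "y"), ("const", 1)
PROGRAM = [
    ("assign", "x", ("const", 0)), ("assign", "y", ONE),
    ("while", [
        ("if", [("assign", "x", ("add", X, ONE))],    # if (z==0) x = x+1
               [("assign", "x", ("add", X, Y))]),     # else      x = x+y
        ("assign", "y", ("add", Y, ONE)),
    ]),
]


def analyze(program=PROGRAM):
    """Start with every variable unknown (TOP); n and z stay unknown inputs."""
    return run(program, {v: TOP for v in ("x", "y", "n", "z")})
```

Calling `analyze()` returns the abstract state at the fixed point; the absence of "-" in the set for x is the proof that x is never negative.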

Limitations of Abstract Interpretation: lost precision
Example from Emina Torlak. Static Analysis. Lecture Note. 2016. https://courses.cs.washington.edu/courses/cse403/16au/lectures/L15.pdf

The Abstraction should be Built based on the Needs
Slide from Işil Dillig. A Gentle Introduction to Program Analysis. Programming Languages Mentoring Workshop. January 2014. https://www.cis.upenn.edu/~alur/CIS673/isil-plmw.pdf

Theoretical guarantees for safe approximation?
● Abstract Domain is a Lattice with finite height
● Abstraction function (α) and Concretization function (γ) form a Galois Insertion

Background, Set Theory: Partial orders
Partial order (S, ⊑) is a binary relation ⊑ on set S that satisfies:
• Reflexivity: ∀x ∈ S. x⊑x
• Transitivity: ∀x,y,z ∈ S. x⊑y ⋀ y⊑z ⟹ x⊑z
• Anti-symmetry: ∀x,y ∈ S. x⊑y ⋀ y⊑x ⟹ x=y
Assume
• a set S = {1, 2, 3, 6, 8, 12, 24}
• Binary relation “can be divided by”
Choose subset X = {2,3}, we can compute:
• Upper bound: {6,12,24}
• Lower bound: {1}
• Least upper bound (LUB): {6}
• Greatest lower bound (GLB): {1}

Background, Set Theory: Lattice
● Lattice def.
  ○ Partial order (S, ⊑)
  ○ ∀ a,b ∈ S. GLB(a,b) and LUB(a,b) always exist and are unique
● Lattice height:
  ○ The length of the longest path from Top to Bottom
Diagrams from Anders Møller and Michael I. Schwartzbach. Static Program Analysis Part 3 - lattices and fixpoints. https://cs.au.dk/~amoeller/spa/3%20-%20lattices%20and%20fixpoints.pdf

Sign Analysis Example Revisited
Our abstract domain is a (powerset) lattice (with finite height)

(S, ⊑) = (P(Sign), ⊆)

Lattice so that we can converge the results
● (x = +) ∨ (x = -) ⟹ (x = non-zero)

Finite height so that we can reach the fixed point
● x=0; while (true) {x=x+1}
  ○ Integer domain: non-termination
  ○ Sign domain: x = +
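
An added example (not from the original slides) that computes the bounds from the partial-order slide, checks the lattice condition, and measures lattice height for both the divisibility order on S and the sign domain P(Sign). All helper names are assumptions made for illustration; height is counted in edges of the longest chain.

```python
from itertools import combinations


def upper_bounds(S, leq, X):
    return {u for u in S if all(leq(x, u) for x in X)}


def lower_bounds(S, leq, X):
    return {l for l in S if all(leq(l, x) for x in X)}


def lub(S, leq, X):
    """Least upper bound of X in S, or None when it does not exist."""
    ub = upper_bounds(S, leq, X)
    least = [u for u in ub if all(leq(u, v) for v in ub)]
    return least[0] if least else None


def glb(S, leq, X):
    """Greatest lower bound of X in S, or None when it does not exist."""
    lb = lower_bounds(S, leq, X)
    greatest = [l for l in lb if all(leq(m, l) for m in lb)]
    return greatest[0] if greatest else None


def is_lattice(S, leq):
    """Lattice condition: every pair of elements has both a LUB and a GLB."""
    return all(lub(S, leq, {a, b}) is not None and glb(S, leq, {a, b}) is not None
               for a, b in combinations(S, 2))


def height(S, leq):
    """Number of edges on the longest strictly increasing chain in S."""
    def longest_from(a):
        above = [b for b in S if b != a and leq(a, b)]
        return 1 + max(map(longest_from, above)) if above else 0
    return max(longest_from(a) for a in S)


# The set from the slides, ordered by x ⊑ y when y can be divided by x.
DIV_S = {1, 2, 3, 6, 8, 12, 24}
# The abstract domain of the sign analysis: P(Sign) ordered by ⊆.
POWERSET = {frozenset(c) for r in range(4) for c in combinations("+-0", r)}


def divides(x, y):
    return y % x == 0


def subset(a, b):
    return a <= b


if __name__ == "__main__":
    print("bounds of {2,3}:", upper_bounds(DIV_S, divides, {2, 3}),
          lower_bounds(DIV_S, divides, {2, 3}))
    print("LUB, GLB:", lub(DIV_S, divides, {2, 3}), glb(DIV_S, divides, {2, 3}))
    print("P(Sign) is a lattice of height", height(POWERSET, subset))
```

Removing 1 from S leaves {2,3} with no lower bound, so the lattice condition fails; this is why the bottom element matters for a well-defined join and meet.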

α, γ Functions Should Form a Galois Insertion
Diagram from Işil Dillig. A Gentle Introduction to Program Analysis. Programming Languages Mentoring Workshop. January 2014. https://www.cis.upenn.edu/~alur/CIS673/isil-plmw.pdf

Such that We Can Get a Sound Approximation
Diagrams from Anders Møller and Michael I. Schwartzbach. Static Program Analysis Part 3 - lattices and fixpoints. https://cs.au.dk/~amoeller/spa/3%20-%20lattices%20and%20fixpoints.pdf

Summary

Racket Your Abstract Interpreter
http://matt.might.net/articles/intro-static-analysis/
DrRacket example by Matt Might

References
● Patrick Cousot and Radhia Cousot, “Abstract Interpretation: A Unified Lattice Model for Static Analysis of Programs by Constructions or Approximation of Fixpoints”, in Conference Record of the Sixth Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 238-252, 1977. http://doi.acm.org/10.1145/512950.512973
● Vijay D'Silva, Daniel Kroening and Georg Weissenbacher, “A Survey of Automated Techniques for Formal Software Verification”, in IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 27, no. 7, pp. 1165-1178, July 2008. https://ieeexplore.ieee.org/document/4544862
● Anders Møller and Michael I. Schwartzbach, “Static Program Analysis”, Department of Computer Science, Aarhus. October 2018. https://cs.au.dk/~amoeller/spa/

Slides partially taken from / inspired by:
● Patrick Cousot, ICSME, 2014. https://www.di.ens.fr/~cousot/COUSOTtalks/ICSME14.shtml
● Işil Dillig. A Gentle Introduction to Program Analysis. Programming Languages Mentoring Workshop. January 2014. https://www.cis.upenn.edu/~alur/CIS673/isil-plmw.pdf
● Susan B. Horwitz. Abstract Interpretation. 2013. http://pages.cs.wisc.edu/~horwitz/CS704-NOTES/10.ABSTRACT-INTERPRETATION.html
● Anders Møller and Michael I. Schwartzbach. Static Program Analysis Part 3 - Lattices and Fixpoints. https://cs.au.dk/~amoeller/spa/3%20-%20lattices%20and%20fixpoints.pdf
● Anders Møller and Michael I. Schwartzbach. Static Program Analysis Part 10 - Abstract Interpretation. https://cs.au.dk/~amoeller/spa/10%20-%20abstract%20interpretation.pdf
● John A. Paulson. Abstract Interpretation. 2015. https://www.seas.harvard.edu/courses/cs252/2015fa/lectures/Lec05-AbstractInt.pdf
● Emina Torlak. Static Analysis. 2016. https://courses.cs.washington.edu/courses/cse403/16au/lectures/L15.pdf