# Abstract Interpretation for Code Analysis and Verification (Week 9)

Yulei Sui

School of Computer Science and Engineering University of New South Wales, Australia

#### Today's class



#### **Topological Order**

- ? How to analyze a program free of loop?
- ✓ Analyze each node once adhering to the topological order on the acyclic control-flow graph of the program.

#### **Topological Order**

#### **Analysis Order of Nodes on Control-Flow Graph**

- ? How to analyze a program free of loop?
- ✓ Analyze each node once adhering to the topological order on the acyclic control-flow graph of the program.

A **topological order** of a graph G(V, E) is a linear ordering of its nodes such that for every directed edge  $a \to b$ , node a always precedes node b in the ordering.

- Must be a direct acyclic graph (DAG) and has at least one topo ordering.
- The ordering respects the **direction of edges**.

#### Example of topological order:



### **How About Analyzing Loops?**

- Topological Order can only be used for directed acyclic graphs (DAGs).
- Weak Topological Order (WTO) is a relaxation of the more stringent topological order for graphs with loops.
  - Cycles Permitted: allows for cycles within the graph.
  - Hierarchical Decomposition: A graph is decomposed into a hierarchical structure where each node or a strongly connected component (SCC) can contain subnodes.
  - Weak Topological Order or Partial Order: In a WTO, nodes and SCCs are arranged in a partial order (not enumerating possible infinite loop paths). This order respects the dependencies in a way that allows for iterative analysis.
  - We will practice loop handling using WTO in Assignment-3. Function recursions will not be handled in this Assignment.

#### **Analysis Order of Nodes on Control-Flow Graph**

- ? How to analyze a program containing loops?
- ✓ We can analyze a program containing loops adhering to the weak topological order (WTO) on its control flow graph.

What is the weak topological order?



Control Flow Graph

#### **Analysis Order of Nodes on Control-Flow Graph**

- How to analyze a program containing loops?
- ✓ We can analyze a program containing loops adhering to the weak topological order (WTO) on its control flow graph.

#### What is the weak topological order?



Control Flow Graph

#### **Analysis Order of Nodes on Control-Flow Graph**

- ? How to analyze a program containing loops?
- ✓ We can analyze a program containing loops adhering to the weak topological order (WTO) on its control flow graph.

#### What is the weak topological order?



- ? How to analyze a program containing loops?
- ✓ We can analyze a program containing loops adhering to the weak topological order (WTO) on its control flow graph.



- ? How to analyze a program containing loops?
- ✓ We can analyze a program containing loops adhering to the weak topological order (WTO) on its control flow graph.



- ? How to analyze a program containing loops?
- ✓ We can analyze a program containing loops adhering to the weak topological order (WTO) on its control flow graph.



- ? How to analyze a program containing loops?
- ✓ We can analyze a program containing loops adhering to the weak topological order (WTO) on its control flow graph.



# WTO, Widening and Narrowing

Why Weak Topological Order (WTO)?

- Handling cyclic dependencies
- Efficient fixed-point computation

#### Why Widening?

- Over-approximation
- Prevent non-termination

#### Why Narrowing?

- Refine precision after widening converges
- The specific conditions or constraints used for narrowing:
  - Loop exit conditions (this course)
  - Type constraints (8-bit integer ranging from [-128, 127])
  - Bounds from arithmetic operations If x = y + z, and  $y \in [1, 5]$  and  $z \in [2, 3]$ , then  $x \in [3, 8]$ . If widening gives [1, 10], narrowing can refine this to [3, 8].
  - User-specification (assertions and guard conditions)

## **Overall Algorithm of Abstract Interpretation in Assignment-3**

```
Algorithm 3: Handle Singleton WTO
                                                                                 Function handleSingletonWTO(singletonWTO):
Algorithm 1: Analyse from main function
                                                                                     node := singletonWTO \rightarrow node():
Function analyse() // driver function to start the analysis:
                                                                                     feasible := mergeStatesFromPredecessors(node.preAbsTrace[node]);
   initWTO():
                                                                                     if feasible then
  handleGlobalNode():
                                                                                        postAbsTrace[node] := preAbsTrace[node];
  if getSVFFunction (main) then
                                                                                     else
      wto := funcToWTO[main]:
      handleWTOComponents(wto → getWTOComponents());
                                                                                        return:
                                                                                     foreach stmt ∈ node → getSVFStmts() do
                                                                                        updateAbsState(stmt);
Algorithm 2: Handle WTO components
                                                                                        bufOverflowDetection(stmt);
Function handleWTOComponents (wtoComps):
                                                                                     if callnode = SVFUtil :: dvn_cast(CallICFGNode)(node) then
   for wtoNode ∈ wtoComps do
                                                                                        \texttt{funName} := \texttt{callnode} \rightarrow \texttt{getCallSite()} \rightarrow \texttt{getCallee()} \rightarrow \texttt{getName()}
      if node = SVFUtil :: dvn_cast(ICFGSingletonWTO)(wtoNode) then
                                                                                          if funName == "OVERFLOW" && funName == "syf assert" then
         handleSingletonWTO(node)
                                                                                           // Handle svf_assert and OVERFLOW stub function for
      else if cycle = SVFUtil :: dyn_cast(ICFGCycleWTO)(wtoNode) then
                                                                                            correctness validation:
         handleCvcleWTO(cvcle)
                                                                                           handleStubFunctions(callnode):
                                                                                14
      else
                                                                                        else
         assert(false&&"unknownWTOtype!")
                                                                                            // Does not analyze recursive functions in this course:
                                                                                           handleCallSite(callnode):
```

### Overall Algorithm of Abstract Interpretation in Assignment-3

```
Algorithm 4: Handle Cycle WTO
1 Function handleCycleWTO (cycle):
     feasible := mergeStatesFromPredecessors(cycle head preAbsTrace[cycle head]):
     increasing := true;
     if Ifeasible then
        return:
     else
        cur iter := 0:
        while true do
я
           if cur_iter >= Options.WidenDelay() then
               prev_head_as := postAbsTrace[cycle_head];
10
              handleSingletonWTO(cycle.head());
               cur_head_as := postAbsTrace[cycle_head];
12
              if increasing then
13
                  postAbsTrace[cvcle_head] := prev_head_as.widening(cur_head_as);
                  if postAbsTrace[cycle_head] == prev_head_as then
15
                     increasing := false;
                     Continue:
17
               else
18
                  postAbsTrace[cvcle_head] := prev_head_as.narrowing(cur_head_as);
                  if postAbsTrace[cvcle_head] == prev_head_as then
20
                     Break:
22
              handleSingletonWTO(cycle.head()):
23
           handleWTOComponents(cvcle-aetWTOComponents());
24
           cur_iter++:
25
```



```
Algorithm 12: Handle Cycle WTO
 Function handleCvcleWTO(cvcle):
      cvcle_head := cvcle \rightarrow head() \rightarrow node() :
      increasing := true :
      cur_iter := 0 :
      while true do
          if cur_iter > Options :: WidenDelay() then
              prev_head_state := postAbsTrace[cycle_head];
              handleSingletonWTO(cycle -> head());
              cur_head_state := postAbsTrace[cycle_head];
              if increasing then
                 postAbsTrace[cvcle_head] := prev_head_state.widen(cur_head_state);
                 if postAbsTrace[cvcle_head] == prev_head_state then
                     increasing := false:
                     continue:
                 postAbsTrace[cycle_head] := prev_head_state.narrow(cur_head_state);
                 if postAbsTrace[cvcle_head] == prev_head_state then
                     break:
19
          else
              handleSingletonWTO(cvcle-head());
          handleWTOComponents());
22
          cur_iter++:
23
```



```
Algorithm 12: Handle Cycle WTO
 Function handleCvcleWTO(cvcle):
      cvcle_head := cvcle \rightarrow head() \rightarrow node() :
      increasing := true :
      cur_iter := 0 :
      while true do
          if cur_iter > Options :: WidenDelay() then
              prev_head_state := postAbsTrace[cycle_head];
              handleSingletonWTO(cycle -> head());
              cur_head_state := postAbsTrace[cvcle_head]:
              if increasing then
                 postAbsTrace[cvcle_head] := prev_head_state.widen(cur_head_state);
                 if postAbsTrace[cvcle_head] == prev_head_state then
                      increasing := false:
                      continue:
                 postAbsTrace[cycle_head] := prev_head_state.narrow(cur_head_state);
                 if postAbsTrace[cvcle_head] == prev_head_state then
                     break:
19
          else
              handleSingletonWTO(cvcle-head());
          handleWTOComponents());
22
          cur_iter++:
23
```



```
Algorithm 12: Handle Cycle WTO
  Function handleCycleWTO(cycle):
      cycle\ head := cycle \rightarrow head() \rightarrow node():
      increasing := true ;
      cur iter := 0:
      while true do
          if cur_iter > Options :: WidenDelay() then
              prev_head_state := postAbsTrace[cvcle_head]:
              handleSingletonWTO(cycle -> head()):
              cur_head_state := postAbsTrace[cycle_head];
              if increasing then
10
                   postAbsTrace[cvcle_head] := prev_head_state.widen(cur_head_state);
                   if postAbsTrace[cycle_head] == prev_head_state then
12
                       increasing := false:
                      continue:
              else
15
                   postAbsTrace[cycle_head] := prev_head_state.narrow(cur_head_state);
                   if postAbsTrace[cvcle_head] == prev_head_state then
                      break:
18
          else
              handleSingletonWTO(cvcle->head()):
          handleWTOComponents(cvcle-)getWTOComponents());
21
          cur iter++:
22
```



```
Algorithm 12: Handle Cycle WTO
  Function handleCycleWTO(cycle):
      cvcle\_head := cvcle \rightarrow head() \rightarrow node() :
      increasing := true :
      cur iter := 0 :
      while true do
          if cur_iter > Options :: WidenDelay() then
               prev_head_state := postAbsTrace[cvcle_head]:
              handleSingletonWTO(cvcle-head()):
              cur_head_state := postAbsTrace[cycle_head];
10
              if increasing then
                   postAbsTrace[cycle_head] := prev_head_state.widen(cur_head_state);
                   if postAbsTrace[cvcle_head] == prev_head_state then
12
                       increasing := false;
                      continue:
               else
15
                   postAbsTrace[cycle_head] := prev_head_state.narrow(cur_head_state) :
                   if postAbsTrace[cycle_head] == prev_head_state then
                      break:
18
19
              handleSingletonWTO(cvcle->head()):
20
          handleWTOComponents(cvcle-)getWTOComponents());
21
          cur iter++:
22
```



```
Algorithm 12: Handle Cycle WTO
```

```
Function handleCvcleWTD(cvcle):
      cycle head := cycle -> head() -> node() :
      increasing := true :
      cur iter := 0:
      while true do
          if cur_iter > Options :: WidenDelay() then
              prev_head_state := postAbsTrace[cycle_head];
              handleSingletonWTONode(cycle -> head());
              cur_head_state := postAbsTrace[cycle_head];
              if increasing then
10
                  postAbsTrace[cvcle_head] := prev_head_state.widen(cur_head_state) :
                  if postAbsTrace[cvcle_head] == prev_head_state then
                      increasing := false:
13
                      continue:
              else
15
                  postAbsTrace[cvcle_head] := prev_head_state.narrow(cur_head_state) :
                  if postAbsTrace[cycle_head] == prev_head_state then
                   break:
          موام
19
              handleSingletonWTONode(cvcle-head()):
20
          handleWTOComponents(cvcle-)getWTOComponents()):
21
          cur_iter++:
22
```

Note: getIWTOcomponents returns Cycle WTO body, i.e.,  $\ell_3$ 



#### Algorithm 12: Handle Cycle WTO

```
1 Function handleCycleWTD(cycle):
      cycle\_head := cycle \rightarrow head() \rightarrow node();
      increasing := true ;
      cur iter := 0 :
      while true do
           if cur_iter > Options :: WidenDelay() then
              prev_head_state := postAbsTrace[cvcle_head]:
              handleSingletonWTONode(cvcle-head()):
              cur_head_state := postAbsTrace[cycle_head];
              if increasing then
                  postAbsTrace[cvcle_head] := prev_head_state.widen(cur_head_state) :
                  if postAbsTrace[cvcle_head] == prev_head_state then
                       increasing := false:
12
                       continue:
15
                  postAbsTrace[cycle_head] := prev_head_state.narrow(cur_head_state);
                  if postAbsTrace[cvcle_head] == prev_head_state then
                      break :
18
           معام
19
              handleSingletonWTONode(cvcle-head());
20
          handleWTOComponents():
21
22
          cur_iter++:
```



```
Algorithm 12: Handle Cycle WTO
1 Function handleCvcleWTO(cvcle):
      cycle\_head := cycle \rightarrow head() \rightarrow node();
      increasing := true :
      cur_iter := 0 :
      while true do
          if cur_iter > Options :: WidenDelay() then
               prev_head_state := postAbsTrace[cvcle_head]:
              handleSingletonWTONode(cvcle-head()):
              cur_head_state := postAbsTrace[cycle_head];
              if increasing then
10
                   postAbsTrace[cycle_head] := prev_head_state.widen(cur_head_state);
                   if postAbsTrace[cvcle_head] == prev_head_state then
                       increasing := false;
                       continue:
                   postAbsTrace[cycle_head] := prev_head_state.narrow(cur_head_state);
                   if postAbsTrace[cvcle_head] == prev_head_state then
                      break:
          else
              handleSingletonWTONode(cvcle->head()):
20
          handleWTOComponents(cvcle-) aetWTOComponents()):
21
          cur_iter++:
22
```



```
Algorithm 12: Handle Cycle WTO
  Function handleCycleWTO(cycle):
      cvcle\_head := cvcle \rightarrow head() \rightarrow node() :
      increasing := true :
      cur iter := 0 :
      while true do
          if cur_iter > Options :: WidenDelay() then
               prev_head_state := postAbsTrace[cvcle_head]:
              handleSingletonWTONode(cvcle-head()):
              cur_head_state := postAbsTrace[cycle_head];
10
              if increasing then
                   postAbsTrace[cycle_head] := prev_head_state.widen(cur_head_state);
                   if postAbsTrace[cvcle_head] == prev_head_state then
12
                       increasing := false;
                      continue:
               else
15
                   postAbsTrace[cycle_head] := prev_head_state.narrow(cur_head_state);
                   if postAbsTrace[cvcle_head] == prev_head_state then
                      break:
18
          else
              handleSingletonWTONode(cvcle->head()):
20
          handleWTOComponents(cvcle-)getWTOComponents());
21
          cur iter++:
22
```



```
Algorithm 12: Handle Cycle WTO
  Function handleCycleWTO(cycle):
      cycle\_head := cycle \rightarrow head() \rightarrow node();
      increasing := true :
      cur_iter := 0 :
      while true do
          if cur_iter > Options :: WidenDelay() then
               prev_head_state := postAbsTrace[cycle_head];
              handleSingletonWTO(cycle -> head());
              cur_head_state := postAbsTrace[cycle_head];
              if increasing then
                   postAbsTrace[cycle_head] := prev_head_state.widen(cur_head_state);
                   if postAbsTrace[cvcle_head] == prev_head_state then
12
                       increasing := false;
                      continue:
              else
15
                   postAbsTrace[cycle_head] := prev_head_state.narrow(cur_head_state) ;
                   if postAbsTrace[cycle_head] == prev_head_state then
                      break:
18
              handleSingletonWTO(cycle -> head());
21
          handleWTOComponents(cvcle-)getWTOComponents());
          cur_iter++:
22
```

#### **Abstract Interpretation on SVFIR**

Week 9

Yulei Sui

School of Computer Science and Engineering University of New South Wales, Australia

#### **Abstract Interpretation on Pointer-Free SVFIR**

#### **Interval Domain**

- For simplicity, let's first consider abstract execution on a pointer-free language.
- This means there are no operations for memory allocation (like p = alloc<sub>o</sub>) or for indirect memory accesses (such as p = \*q or \*p = q).
- Here are the pointer-free SVFSTMTs and their C-like forms:

| SVFSTMT           | C-Like form                                                                         |
|-------------------|-------------------------------------------------------------------------------------|
| ConsStmt          | $\ell: p = c$                                                                       |
| COPYSTMT          | $\ell: \mathtt{p} = \mathtt{q}$                                                     |
| <b>BINARYSTMT</b> | $\ell:\mathtt{r}=\mathtt{p}\otimes\mathtt{q}$                                       |
| РніЅтмт           | $\ell: \mathtt{r} = \mathtt{phi}(\mathtt{p_1}, \mathtt{p_2}, \ldots, \mathtt{p_n})$ |
| SEQUENCE          | $\ell_1; \ell_2$                                                                    |
| BRANCHSTMT        | $\ell_1$ : if( $x < c$ ) then $\ell_2$ else $\ell_3$                                |

#### **Abstract Interpretation on Pointer-Free SVFIR**

#### Interval Domain

Let's use the *Interval* abstract domain to update  $\sigma$  based on the following rules for different SVFSTMT:

| SVFSTMT    | C-Like form                                                                             | Abstract Execution Rule                                                                                                                                                                                                                                                                                                                                               |
|------------|-----------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| CONSSTMT   | $\mid \; \ell : \mathtt{p} = \mathtt{c}$                                                | $\mid \ \sigma_{\underline{\ell}}(\mathtt{p}) := [\mathtt{c},\mathtt{c}]$                                                                                                                                                                                                                                                                                             |
| СОРҮЅТМТ   | $  \ell : p = q$                                                                        | $\mid \ \sigma_{\underline{\ell}}(\mathtt{p}) := \sigma_{\overline{\ell}}(\mathtt{q})$                                                                                                                                                                                                                                                                                |
| BINARYSTMT | $\big \ \ell: {\tt r} = {\tt p} \otimes {\tt q}$                                        | $\mid \ \sigma_{\underline{\ell}}(r) := \sigma_{\overline{\ell}}(p) \hat{\otimes} \sigma_{\overline{\ell}}(q)$                                                                                                                                                                                                                                                        |
| РніЅтмт    | $\big \ \ell: \mathtt{r} = \mathtt{phi}(\mathtt{p}_1,\mathtt{p}_2,\ldots,\mathtt{p}_n)$ | $\mid \ \sigma_{\underline{\ell}}(r) := \bigsqcup_{i=1}^n \sigma_{\overline{\ell}}(p_i)$                                                                                                                                                                                                                                                                              |
| SEQUENCE   | $ \ell_1;\ell_2 $                                                                       | $\mid \forall v \in \mathbb{V}, \sigma_{\overline{\ell_2}}(v) \sqsupseteq \sigma_{\underline{\ell_1}}(v)$                                                                                                                                                                                                                                                             |
| BRANCHSTMT | $\ell_1: if(x < c)  then  \ell_2  else  \ell_3$                                         | $\begin{array}{c c} \sigma_{\overline{\ell_2}}(x) := \sigma_{\underline{\ell_1}}(x) \sqcap [-\infty, c-1], \text{ if } \sigma_{\underline{\ell_1}}(x) \sqcap [-\infty, c-1] \neq \perp \\ \sigma_{\overline{\ell_3}}(x) := \sigma_{\underline{\ell_1}}(x) \sqcap [c, +\infty], \text{ if } \sigma_{\underline{\ell_1}}(x) \sqcap [c, +\infty] \neq \perp \end{array}$ |

### **Abstract Interpretation on BINARYSTMT**

| SVFSTMT                                                                                                                                                                                                                 | C-Like form | Abstract Execution Rule |  |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|-------------------------|--|
| $BINARYSTMT \; \big  \; \ell : \mathtt{r} = \mathtt{p} \otimes \mathtt{q} \; \big  \; \sigma_{\underline{\ell}}(\mathit{r}) := \sigma_{\overline{\ell}}(\mathit{p}) \hat{\otimes} \sigma_{\overline{\ell}}(\mathit{q})$ |             |                         |  |



## **Abstract Interpretation in the Presence of Pointers**

- SVFIR in the presence of pointers contain pointer-related statements including ADDRSTMT, GEPSTMT, LOADSTMT and STORESTMT.
- Abstract interpretation needs to be performed on a combined domain of intervals and addresses.

| SVFSTMT                   | C-Like form                                                                                             |
|---------------------------|---------------------------------------------------------------------------------------------------------|
| CONSSTMT                  | $\ell: p = c$                                                                                           |
| COPYSTMT                  | $\ell: \mathtt{p} = \mathtt{q}$                                                                         |
| <b>BINARYSTMT</b>         | $\ell: \mathtt{r} = \mathtt{p} \otimes \mathtt{q}$                                                      |
| РніЅтмт                   | $\ell: \mathtt{r} = \mathtt{phi}(\mathtt{p_1}, \mathtt{p_2}, \ldots, \mathtt{p_n})$                     |
| SEQUENCE                  | $\ell_1; \ell_2$                                                                                        |
| <b>BRANCHSTMT</b>         | $\ell_1$ : if( $x < c$ ) then $\ell_2$ else $\ell_3$                                                    |
| <b>A</b> DDR <b>S</b> TMT | $\ell: \mathtt{p} = \mathtt{alloc}$                                                                     |
| GEPSTMT                   | $\ell: \mathtt{p} = \mathtt{\&}(\mathtt{q} 	o \mathtt{i}) \; or  \mathtt{p} = \mathtt{\&q}[\mathtt{i}]$ |
| LOADSTMT                  | $\ell: p = *q$                                                                                          |
| STORESTMT                 | $\ell: *p = q$                                                                                          |

### **Combined Analysis**



## **Combined Analysis Using Discrete Values**



## **Combined Analysis Using Interval Values**



#### **Abstract Interpretation Over a Combined Domain**



```
p = malloc(m*sizeof(int)); // p points to an array of size m
q = malloc(n*sizeof(int)); // g points to an array of size n
```

 $\mathbf{m} = \mathbf{r}[\mathbf{i}];$ 

- The discrete values for points-to set of p, q depend on interval values of m and n.
- The interval value of m depends on the pointer aliasing between p, q and &r[i].
- Cyclic dependency between two domains requiring a bi-directional refinement. (variables highlighted in blue and red denote the discrete values and interval values dependent),

### **Abstract Interpretation Over a Combined Domain**



We require a combination of interval and memory address domains to precisely and efficiently perform abstract execution on SVFIR in the presence of pointers.

Precise Sparse Abstract Execution via Cross-Domain Interaction, ICSE 2024

## **Abstract Interpretation over Interval and MemAddress Domains**

A Combined Domain of Intervals and Discrete Memory Addresses



Interval domain for scalar variables



MemAddress domain for discrete memory address values

# **SVF Program Variables (SVFVar)**

| Domain                                                                  | Meanings                                                                                                           |
|-------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------|
| $\mathbb{V} = \mathbb{P} \cup \mathbb{O}$                               | Program Variables                                                                                                  |
| $\mathbb{P}$                                                            | Top-level variables (scalars and pointers)                                                                         |
| $\mathbb{O}=\mathbb{S}\cup\mathbb{G}\cup\mathbb{H}\cup\mathbb{C}$       | Memory Objects (constant data, stack, heap, global)                                                                |
|                                                                         | (function objects are considered as global objects)                                                                |
| $o \in (\mathbb{S} \cup \mathbb{G} \cup \mathbb{H})$                    | A single (base) memory object                                                                                      |
| $o_i \in (\mathbb{S} \cup \mathbb{G} \cup \mathbb{H}) 	imes \mathbb{P}$ | i-th subfield/element of an (aggregate) object                                                                     |
| $\mathbb{C}$                                                            | Constant data (e.g., numbers and strings)                                                                          |
| $\ell \in \mathbb{L}$                                                   | Statements labels                                                                                                  |
|                                                                         | $V = P \cup O$ $P$ $O = S \cup G \cup H \cup C$ $o \in (S \cup G \cup H)$ $o_i \in (S \cup G \cup H) \times P$ $C$ |

#### **Abstract Trace for The Combined Domain**

- For top-level variables  $\mathbb{P}$ , we use  $\sigma \in \mathbb{L} \times \mathbb{P} \to \mathit{Interval} \times \mathit{MemAddress}$  to track the memory addresses or interval values of these variables.
- For memory objects  $\mathbb{O}$ , we use  $\delta \in \mathbb{L} \times \mathbb{O} \to \mathit{Interval} \times \mathit{MemAddress}$  to track their abstract values

|                  | Notation                    | Domain                                                                       | Data Structure Implementation |
|------------------|-----------------------------|------------------------------------------------------------------------------|-------------------------------|
| Abstract trace   | σ                           | $\mathbb{L} 	imes \mathbb{P} 	o$ Interval $	imes$ MemAddress                 | preAbsTrace, postAbsTrace     |
|                  | δ                           | $\mathbb{L} 	imes \mathbb{O} 	o \mathit{Interval} 	imes \mathit{MemAddress}$ | prorison acc, peculiac nacc   |
| Abstract state   | $\sigma_{L}$                | $\mathbb{P} 	o \mathit{Interval} 	imes \mathit{MemAddress}$                  | AbstractState.varToAbsVal     |
| / ibotract ctate | $\delta_L$                  | $\mathbb{O} 	o \mathit{Interval} 	imes \mathit{MemAddress}$                  | AbstractState.addrToAbsVal    |
| Abstract value   | $\delta_L(p)$ $\delta_L(o)$ | Interval × MemAddress                                                        | AbstractValue                 |

- *Interval* is used for tracking the interval value of **scalar variables**  $\mathbb{P}$ .
- MemAddress is used for tracking the memory addresses of memory address variables 

  .

# Implementation of Abstract Trace and State in Assignment-3

- For a program point *L*, *AEState* consists of:
  - Top-level variable,  $varToAbsVal : \sigma_I \in \mathbb{P} \to Interval \times MemAddress$
  - Memory object,  $addrToAbsVal : \delta_L \in \mathbb{O} \rightarrow Interval \times MemAddress$
- The abstract trace has two maps, preAbsTrace and postAbsTrace, which
  maintains abstract states before and after each ICFGNode respectively.
  - For an ICFGNode  $\ell$ ,  $preAbsTrace(\ell)$  retrieves the abstract state  $\langle \sigma_{\overline{\ell}}, \delta_{\overline{\ell}} \rangle$ , and  $postAbsTrace(\ell)$  represents  $\langle \sigma_{\ell}, \delta_{\ell} \rangle$ .
  - For each abstract state  $\langle \sigma_{\overline{\ell}}, \delta_{\overline{\ell}} \rangle$  we use as [varId] to operate  $\sigma_{\underline{\ell}}$  and use storeValue and loadValue to operate  $\delta_{\ell}$ .
  - Each variable's AbstractValue (e.g., as [VarId]) is initialized as ⊥ in an AbstractState before assigned a new value. An uninitialized variable is assigned with ⊤ for over-approximation.
  - Each AbstractValue (e.g., as [VarId]) is a 2-element tuple consisting of an interval as [VarId] .getInterval() and an address set as [Varid] .getAddrs().
  - Print out SVFVars and their AbstractValues in an AbstractState by invoking as.printAbstractState()

#### **Abstract Trace for The Combined Domain**



#### **Abstract Execution Rules on SVFIR in the Presence of Pointers**

Now let's use the *Interval*  $\times$  *MemAddress* abstract domain to update  $\sigma$  and  $\delta$  based on the following rules for different SVFSTMT:

| SVFSTMT    | C-Like form                                                                                       | Abstract Execution Rule                                                                                                                                                                                                                                                                                                              |
|------------|---------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| CONSSTMT   | $\ell: \mathtt{p} = \mathtt{c}$                                                                   | $\mid \ \sigma_{\underline{\ell}}(\mathtt{p}) := \langle [\mathtt{c},\mathtt{c}], ot  angle$                                                                                                                                                                                                                                         |
| COPYSTMT   | $\ell: \mathtt{p} = \mathtt{q}$                                                                   | $\mid \; \sigma_{\underline{\ell}}(\mathtt{p}) := \sigma_{\overline{\ell}}(\mathtt{q})$                                                                                                                                                                                                                                              |
| BINARYSTMT | $\ell: \mathtt{r} = \mathtt{p} \otimes \mathtt{q}$                                                | $\mid \sigma_{\underline{\ell}}(r) := \sigma_{\overline{\ell}}(p) \hat{\otimes} \sigma_{\overline{\ell}}(q)$                                                                                                                                                                                                                         |
| СмРЅтмт    | $\ell: \mathtt{r} = \mathtt{p} \odot \mathtt{q}$                                                  | $\mid \sigma_{\underline{\ell}}(r) := \sigma_{\overline{\ell}}(p) \hat{\odot} \sigma_{\overline{\ell}}(q)$                                                                                                                                                                                                                           |
| РніЅтмт    | $\ell: \mathtt{r} = \mathtt{phi}(p_1, p_2, \ldots, p_n)$                                          | $\mid \sigma_{\underline{\ell}}(r) := \bigsqcup_{i=1}^n \sigma_{\overline{\ell}}(p_i)$                                                                                                                                                                                                                                               |
| BRANCHSTMT | $\ell_1:$ if( $x < c$ ) then $\ell_2$ else $\ell_3$                                               | $\sigma_{\overline{\ell_2}}(x) := \sigma_{\underline{\ell_1}}(x) \sqcap [-\infty, c-1], \text{ if } \sigma_{\underline{\ell_1}}(x) \sqcap [-\infty, c-1] \neq \bot$ $\sigma_{\underline{\ell_3}}(x) := \sigma_{\underline{\ell_1}}(x) \sqcap [c, +\infty], \text{ if } \sigma_{\underline{\ell_1}}(x) \sqcap [c, +\infty] \neq \bot$ |
| SEQUENCE   | $\ell_1;\ell_2$                                                                                   | $\mid  \delta_{\overline{\ell_2}} \sqsupseteq \delta_{\underline{\ell_1}}, \sigma_{\overline{\ell_2}} \sqsupseteq \sigma_{\underline{\ell_1}}$                                                                                                                                                                                       |
| ADDRSTMT   | $\ell: p = \mathtt{alloc}_{\mathtt{o_i}}$                                                         | $\mid \sigma_{\underline{\ell}}(\mathtt{p}) := \langle \bot, \{o_i\} \rangle$                                                                                                                                                                                                                                                        |
| GEPSTMT    | $\ell: \mathtt{p} = \&(\mathtt{q} \to \mathtt{i}) \ \ or \ \mathtt{p} = \&\mathtt{q}[\mathtt{i}]$ | $ \mid \sigma_{\underline{\ell}}(\mathtt{p}) := \bigsqcup_{\mathtt{o} \in \gamma(\sigma_{\overline{\ell}}(\mathtt{q}))} \bigsqcup_{j \in \gamma(\sigma_{\overline{\ell}}(\mathtt{i}))} \langle \bot, \{\mathtt{o.fld}_j\} \rangle $                                                                                                  |
| LOADSTMT   | $\ell: \mathtt{p} = *\mathtt{q}$                                                                  | $\sigma_{\underline{\ell}}(\mathbf{p}) := \bigsqcup_{o \in \{o \mid o \in \sigma_{\overline{\ell}}(q)\}} \delta_{\overline{\ell}}(o)$                                                                                                                                                                                                |
| STORESTMT  | $\ell:*p=q$                                                                                       | $\mid \ \delta_{\underline{\ell}} := (\{ o \mapsto \sigma_{\overline{\ell}}(\mathtt{q})   o \in \gamma(\sigma_{\overline{\ell}}(\mathtt{p})) \} \sqcup \delta_{\underline{\ell}})$                                                                                                                                                   |

## **Abstract Interpretation on CONSSTMT**

| SVFSTMT  | C-Like form                     | Abstract Execution Rule                                                                   |
|----------|---------------------------------|-------------------------------------------------------------------------------------------|
| CONSSTMT | $\ell: \mathtt{p} = \mathtt{c}$ | $\sigma_{\underline{\ell}}(\mathtt{p}) := \langle [\mathtt{c},\mathtt{c}], \perp \rangle$ |



#### Algorithm 13: Abstract Execution Rule for CONSSTMT

```
1 Function updateStateOnAddr(addr):
```

```
node = addr → getICFGNode();
```

- as = getAbsStateFromTrace(node);
- 4 initObjVar(as,SVFUtil :: cast⟨ObjVar⟩(addr→getRHSVar()));
- $= as[addr \rightarrow getLHSVarID()] = as[addr \rightarrow getRHSVarID()];$

## **Abstract Interpretation on COPYSTMT**

| SVFSTMT  | C-Like form                     | Abstract Execution Rule                                                         |
|----------|---------------------------------|---------------------------------------------------------------------------------|
| СОРУЅТМТ | $\ell: \mathtt{p} = \mathtt{q}$ | $\sigma_{\underline{\ell}}(\mathtt{p}) := \sigma_{\overline{\ell}}(\mathtt{q})$ |



#### Algorithm 14: Abstract Execution Rule for COPYSTMT

#### **Abstract Interpretation on BINARYSTMT**

| SVFSTMT    | C-Like form                                        | Abstract Execution Rule                                                                                 |
|------------|----------------------------------------------------|---------------------------------------------------------------------------------------------------------|
| BINARYSTMT | $\ell: \mathtt{r} = \mathtt{p} \otimes \mathtt{q}$ | $\sigma_{\underline{\ell}}(r) := \sigma_{\overline{\ell}}(p) \hat{\otimes} \sigma_{\overline{\ell}}(q)$ |



# Algorithm 15: Abstract Execution Rule for BINARYSTMT

```
| Function updateStateOnBinary/binary):
| Tonction updateStateOnBinary/binary):
| Inde = binary \rightarrow getIOFGNode();
| as = getAbsStateFromTrace(node);
| op0 = binary \rightarrow getDpVarID(1);
| op1 = binary \rightarrow getDpVarID(1);
| res = binary \rightarrow getResID();
| as[res] = as[op0] \&rightarrow as[op1]
```

Operands op0 and op1 are assumed to be properly initialized (no uninitialized variables or randomization).

## **Abstract Interpretation on CMPSTMT**

| SVFSTMT | C-Like form                                       | Abstract Execution Rule                                                                                 |
|---------|---------------------------------------------------|---------------------------------------------------------------------------------------------------------|
| СмРЅтмт | $\ell : \mathbf{r} = \mathbf{p} \odot \mathbf{q}$ | $\sigma_{\underline{\ell}}(r) := \sigma_{\overline{\ell}}(p) \hat{\otimes} \sigma_{\overline{\ell}}(q)$ |



# Algorithm 16: Abstract Execution Rule for CMPSTMT

Operands op0 and op1 are assumed to be properly initialized (no uninitialized variables or randomization).

## **Abstract Interpretation on PhiStmt**

| SVFSTMT | C-Like form                                                                              |   | Abstract Execution Rule                                                           |
|---------|------------------------------------------------------------------------------------------|---|-----------------------------------------------------------------------------------|
| РніЅтмт | $\big \ \ell: \texttt{r} = \texttt{phi}(\texttt{p}_1, \texttt{p}_2, \dots, \texttt{p}_r$ | ) | $\sigma_{\underline{\ell}}(r) := \bigsqcup_{i=1}^n \sigma_{\overline{\ell}}(p_i)$ |



#### 

## **Abstract Interpretation on Address**





#### Algorithm 18: Abstract Execution Rule for ADDRSTMT

## **Abstract Interpretation on GEPSTMT**

| SVFSTMT   C-Like form                                                                                                                               | Abstract Execution Rule                                                                                                                                                                                                               |
|-----------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| $\label{eq:general_general} GEPSTMT \ \ \big  \ \ \ell : \mathtt{p} = \&(\mathtt{q} \to \mathtt{i}) \ \ or \ \mathtt{p} = \&\mathtt{q}[\mathtt{i}]$ | $ \mid \ \sigma_{\underline{\ell}}(\mathtt{p}) := \bigsqcup_{\mathtt{o} \in \gamma(\sigma_{\overline{\ell}}(\mathtt{q}))} \bigsqcup_{j \in \gamma(\sigma_{\overline{\ell}}(\mathtt{i}))} \langle \bot, \{\mathtt{o.fld}_j\} \rangle $ |



# Algorithm 19: Abstract Execution Rule for GEPSTMT

1 Function updateStateOnGep(gep):

- $\mathtt{lhs} = \mathtt{gep} \! o \! \mathtt{getLHSVarID}();$
- as[lhs] = as.getGepObjAddrs(rhs, as.getElementIndex(gep));;

## **Abstract Interpretation on LOADSTMT**

| SVFSTMT  | C-Like form    | Abstract Execution Rule                                                                                                      |
|----------|----------------|------------------------------------------------------------------------------------------------------------------------------|
| LOADSTMT | $\ell: p = *q$ | $\sigma_{\underline{\ell}}(p) := \bigsqcup_{o \in \{o \mid o \in \sigma_{\overline{\ell}}(q)\}} \delta_{\overline{\ell}}(o)$ |



## **Abstract Interpretation on STORESTMT**

| SVFSTMT   | C-Like form                   | Abstract Execution Rule                                                                                                                                                           |
|-----------|-------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| STORESTMT | $\ell:*\mathtt{p}=\mathtt{q}$ | $\mid \delta_{\underline{\ell}} := (\{o \mapsto \sigma_{\overline{\ell}}(\mathtt{q}) \mid o \in \gamma(\sigma_{\overline{\ell}}(\mathtt{p}))\} \sqcup \delta_{\underline{\ell}})$ |



# Algorithm 21: Abstract Execution Rule for STORESTMT

1 Function updateStateOnStore(store):

rhs = store → getRHSVarID(); lhs = store → getLHSVarID();

as.storeValue(lhs, as[rhs])

```
extern void assert(int);
int main(){
    int a = 0;
    while(a < 10) {
        a++;
    }
    assert(a = 10);
    return 0;
}</pre>
```

```
Compile to LLVM IR
```

```
define dso local i32 @main() {
entry:
  br label %while.cond
while.cond:
  %a.0 = phi i32 [ 0, %entry ], [ %inc, %while.body ]
  %cmp = icmp slt i32 %a.0. 10
  br i1 %cmp. label %while.body. label %while.end
while.body:
  %inc = add nsw i32 %a.0. 1
  br label %while.cond.
while end:
  %cmp1 = icmp eq i32 %a.0. 10
  %conv = zext i1 %cmp1 to i32
  call void @assert(i32 noundef %conv)
  ret i32 0
```

LLVM IR



#### **Before Entering Loop**

GloballCFGNode0
CopyStmt: [Var1 <-- Var0]
ptr null { constant data }
ConsStmt: [Var17 <-- Var18]
i32 1 { constant data }
ConsStmt: [Var14 <-- Var15]
i32 10 { constant data }
ConsStmt: [Var10 <-- Var11]
i32 0 { constant data }
AddrStmt: [Var4 <-- Var5]
Function: main
AddrStmt: [Var2 <-- Var24]
Function: assert

#### FunEntryICFGNode1 {fun: main}

IntraICFGNode2 (fun: main) BranchStmt: [Unconditional branch] Successor 0 ICFGNode3 br label %while.cond

**ICFG** 

Algorithm 22: Abstract execution guided by WTO

| Function handleStatement(\ell):
| tmpAS := preAbsTrace[\ell];
| if \ell is CONSSTMT or ADDRSTMT then
| updateStateOnAddr(\ell);
| else if \ell is COPYSTMT then
| updateStateOnCopy(\ell);
| ...;

postAbsTrace[ICFGNode0].varToAbsVal:

| 10000  | . accirci circaccii rai reriacciai r |
|--------|--------------------------------------|
| SVFVar | AbstractValue(Interval, MemAddress)  |
| Var0   | $\langle \perp, \{0x7f00\} \rangle$  |
| Var1   | $\langle \perp, \{0x7f00\} \rangle$  |
| Var18  | $\langle [1,1], \perp  angle$        |
| Var17  | $\langle [1,1], \perp  angle$        |
| Var14  | $\langle [10,10], \perp  angle$      |
| Var15  | $\langle [10,10], \perp  angle$      |
| Var10  | $\langle [0,0], \perp  angle$        |
| Var11  | $\langle [0,0], \perp  angle$        |
|        |                                      |

Print out the table via as.printAbstractState(). The AbstractValue can either be an interval or addresses, but not both!

Widen Delay Phase (cur\_iter is 0)



```
Algorithm 12: Handle Cycle WTO
  Function handleCycleWTO(cycle):
      cycle head := cycle -> head() -> node() :
      increasing := true :
      cur.iter := 0 :
      while true do
          // cur_iter ≡ 0. Options :: WidenDelay() ≡ 2
          if cur_iter > Options :: WidenDelay() then
              prev_head_state := postAbsTrace[cvcle_head];
              handleSingletonWTO(cvcle→head()):
              cur head state := postAbsTrace[cycle head]:
10
              if increasing then
11
                  postAbsTrace[cvcle_head] := prev_head_state.widen(cur_head_state) :
12
                  if postAbsTrace[cvcle_head] == prev_head_state then
13
                      increasing := false;
                      continue;
15
16
                  postAbsTrace[cvcle_head] := prev_head_state.narrow(cur_head_state) :
17
                  if postAbsTrace[cycle head] == prev_head_state then
18
                      break:
20
          else
              handleSingletonWTO(cvcle -> head());
21
          handleWTOComponents(cycle-aetWTOComponents()):
22
23
          cur_iter++:
```

Widen Delay Phase (cur\_iter is 0)



```
Algorithm 12: Handle Cycle WTO
1 Function handleCvcleWTO(cvcle):
      cycle_head := cycle \rightarrow head() \rightarrow node();
      increasing := true :
      cur_iter := 0 :
      while true do
          // cur iter = 0. Options ·· WidenDelay() = 2:
          if cur_iter > Options :: WidenDelay() then
               prev_head_state := postAbsTrace[cycle_head];
8
               handleSingletonWTO(cycle-head()):
              cur_head_state := postAbsTrace[cycle_head];
10
              if increasing then
11
                   postAbsTrace[cvcle_head] := prev_head_state.widen(cur_head_state) :
12
                   if postAbsTrace[cycle head] == prev_head_state then
13
                       increasing := false:
                       continue:
16
                   postAbsTrace[cvcle_head] := prev_head_state.narrow(cur_head_state);
17
                   if postAbsTrace[cycle_head] == prev_head_state then
18
19
                       break:
20
              handleSingletonWTO(cvcle-head());
21
22
          handleWTOComponents(cvcle-) aetWTOComponents());
23
          cur_iter++:
```

Widen Delay Phase (cur\_iter is 1)



```
Algorithm 12: Handle Cycle WTO
  Function handleCycleWTO(cycle):
      cycle head := cycle -> head() -> node() :
      increasing := true :
      cur.iter := 0 :
      while true do
          // cur_iter ≡ 1. Options :: WidenDelay() ≡ 2:
          if cur_iter > Options :: WidenDelay() then
              prev_head_state := postAbsTrace[cvcle_head];
 8
              handleSingletonWTO(cvcle→head()):
              cur head state := postAbsTrace[cycle head]:
10
              if increasing then
11
                  postAbsTrace[cvcle_head] := prev_head_state.widen(cur_head_state) :
12
                  if postAbsTrace[cvcle_head] == prev_head_state then
13
                      increasing := false;
                      continue;
15
16
                  postAbsTrace[cvcle_head] := prev_head_state.narrow(cur_head_state) :
17
                  if postAbsTrace[cycle head] == prev_head_state then
18
                      break:
20
          else
              handleSingletonWTO(cvcle -> head());
21
          handleWTOComponents(cycle-aetWTOComponents()):
22
23
          cur_iter++:
```

Widen Delay Phase (cur\_iter is 1)



```
Algorithm 12: Handle Cycle WTO
  Function handleCycleWTO(cycle):
      cycle head := cycle -> head() -> node() :
      increasing := true :
      cur.iter := 0 :
      while true do
          // cur_iter ≡ 1. Options :: WidenDelay() ≡ 2:
          if cur_iter > Options :: WidenDelay() then
              prev_head_state := postAbsTrace[cvcle_head];
 8
              handleSingletonWTO(cvcle→head()):
              cur head state := postAbsTrace[cycle head]:
10
              if increasing then
11
                  postAbsTrace[cvcle_head] := prev_head_state.widen(cur_head_state) :
12
                  if postAbsTrace[cvcle_head] == prev_head_state then
13
                      increasing := false;
                      continue;
15
16
                  postAbsTrace[cvcle_head] := prev_head_state.narrow(cur_head_state) :
17
                  if postAbsTrace[cycle head] == prev_head_state then
18
                      break:
20
          else
              handleSingletonWTO(cvcle-head());
21
          handleWTOComponents(cvcle-)getWTOComponents()):
22
23
          cur_iter++:
```

Widen Phase (cur\_iter is 2)



```
Algorithm 12: Handle Cycle WTO
  Function handleCvcleWTO(cvcle):
      cvcle_head := cvcle -> head() -> node() :
      increasing := true :
      cur iter := 0 :
      while true do
          // cur iter = 2. Options ·· WidenDelay() = 2
          if cur_iter > Options :: WidenDelay() then
              prev_head_state := postAbsTrace[cycle_head];
              handleSingletonWTO(cvcle-head()):
0
              cur_head_state := postAbsTrace[cycle_head];
10
              if increasing then
11
                  postAbsTrace[cvcle_head] := prev_head_state.widen(cur_head_state);
12
                  if postAbsTrace[cycle head] == prev_head_state then
13
                      increasing := false:
                      continue:
16
                  postAbsTrace[cvcle_head] := prev_head_state.narrow(cur_head_state);
17
                  if postAbsTrace[cycle_head] == prev_head_state then
18
                      break:
20
              handleSingletonWTO(cvcle-head());
          handleWTOComponents(cvcle-) getWTOComponents());
22
          cur_iter++:
23
```

Widen Phase (cur\_iter is 2)



```
Algorithm 12: Handle Cycle WTO
  Function handleCycleWTO(cycle):
      cycle head := cycle -> head() -> node() :
      increasing := true :
      cur.iter := 0 :
      while true do
          // cur_iter ≡ 2. Options :: WidenDelay() ≡ 2
          if cur_iter > Options :: WidenDelay() then
              prev_head_state := postAbsTrace[cvcle_head];
 8
              handleSingletonWTO(cvcle→head()):
              cur head state := postAbsTrace[cycle head]:
10
              if increasing then
11
                  postAbsTrace[cvcle_head] := prev_head_state.widen(cur_head_state) :
12
                  if postAbsTrace[cvcle_head] == prev_head_state then
13
                      increasing := false;
                      continue;
15
16
                  postAbsTrace[cvcle_head] := prev_head_state.narrow(cur_head_state) :
17
                  if postAbsTrace[cycle head] == prev_head_state then
18
                      break:
20
          else
              handleSingletonWTO(cvcle-head());
21
          handleWT0Components(cvcle-aetWTOComponents())
22
23
          cur_iter++:
```

#### Widen Phase Fixed Point



```
Algorithm 12: Handle Cycle WTO
  Function handleCycleWTD(cycle):
      cycle head := cycle -> head() -> node() :
       increasing := true ;
       cur iter := 0:
       while true do
          // cur_iter ≡ 3. Options :: WidenDelay() ≡ 2
           if cur_iter > Options :: WidenDelay() then
              prev_head_state := postAbsTrace[cvcle_head];
              handleSingletonWTO(cvcle->head());
 9
              cur_head_state := postAbsTrace[cycle_head];
10
              if increasing then
11
                  postAbsTrace[cycle_head] := prev_head_state.widen(cur_head_state);
12
                  if postAbsTrace[cvcle_head] == prev_head_state then
13
                      increasing := false;
                       continue:
16
17
                  postAbsTrace[cvcle_head] := prev_head_state.narrow(cur_head_state);
18
                  if postAbsTrace[cvcle_head] == prev_head_state then
                      break:
           موام
20
              handleSingletonWTO(cvcle-head());
21
          handleWTOComponents(cvcle-) getWTOComponents());
22
          cur_iter++:
23
```

#### **Narrow Phase**



```
Algorithm 12: Handle Cycle WTO
Function handleCycleWTD(cycle):
    cycle head := cycle -> head() -> node() :
    increasing := true ;
    cur iter := 0 :
    while true do
        // cur_iter ≡ 3. Options :: WidenDelay() ≡ 2
        if cur iter > Options .. WidenDelay() then
            prev_head_state := postAbsTrace[cycle_head];
            handleSingletonWTO(cycle \rightarrow head()) // increasing \equiv false;
            cur_head_state := postAbsTrace[cycle_head];
            if increasing then
                postAbsTrace[cycle_head] := prev_head_state.widen(cur_head_state);
                if postAbsTrace[cycle_head] == prev_head_state then
                    increasing := false:
                    continue:
                postAbsTrace[cvcle_head] := prev_head_state.narrow(cur_head_state) :
                if postAbsTrace[cycle_head] == prev_head_state then
                    break :
            handleSingletonWTO(cvcle-head());
        handleWTOComponents(cycle-) getWTOComponents()):
        cur_iter++:
```

#### Narrow Phase



```
Algorithm 12: Handle Cycle WTO
  Function handleCycleWTO(cycle):
      cycle head := cycle -> head() -> node() :
      increasing := true :
      cur.iter := 0 :
      while true do
          // cur_iter ≡ 3. Options :: WidenDelay() ≡ 2
          if cur_iter > Options :: WidenDelay() then
              prev_head_state := postAbsTrace[cycle_head];
 8
              handleSingletonWTO(cvcle→head()):
              cur head state := postAbsTrace[cycle head]:
10
              if increasing then
11
                  postAbsTrace[cvcle_head] := prev_head_state.widen(cur_head_state) :
12
                  if postAbsTrace[cvcle_head] == prev_head_state then
13
                      increasing := false;
                      continue;
15
16
                  postAbsTrace[cvcle_head] := prev_head_state.narrow(cur_head_state) :
                  if postAbsTrace[cycle head] == prev_head_state then
18
                      break:
          else
              handleSingletonWTO(cvcle-head());
21
          handleWTOComponents(cvcle-) aetWTOComponents()):
22
23
          cur_iter++:
```

#### **Narrow Phase Fixed Point**



```
Algorithm 12: Handle Cycle WTO
  Function handleCvcleWTD(cvcle):
      cvcle_head := cvcle -> head() -> node() :
      increasing := true ;
      cur iter := 0 :
      while true do
          // cur_iter ≡ 4. Options :: WidenDelay() ≡ 2
          if cur_iter > Options :: WidenDelay() then
              prev_head_state := postAbsTrace[cycle_head];
9
              handleSingletonWTO(cvcle > head()) // increasing = false:
              cur_head_state := postAbsTrace[cvcle_head]:
10
             if increasing then
11
                  postAbsTrace[cvcle_head] := prev_head_state.widen(cur_head_state);
12
                  if postAbsTrace[cycle_head] == prev_head_state then
13
                     increasing := false:
                      continue:
15
              else
16
                  postAbsTrace(cycle_head) := prev_head_state.narrow(cur_head_state) :
17
                  if postAbsTrace[cvcle_head] == prev_head_state then
                     break:
20
             handleSingletonWTO(cvcle->head()):
21
          handleWTOComponents()):
22
23
          cur_iter++:
```

#### **After Exiting Loop**



