## Section: New Results

### Control-flow analysis

Participants: Frédéric Besson, Thomas Jensen, Tiphaine Turpin.

Control-flow analysis (CFA) is a fundamental static analysis on which many other analyses rely. As such it has been the focus of researchers throughout the past two decades.

#### A Calculational Approach to Control-Flow Analysis by Abstract Interpretation

Surprisingly, very few authors formulate CFA within the classical abstract interpretation methodology. Such a formulation of CFA is advantageous in that it is constructive: rather than proving CFA safe a priori, CFA is induced by systematically composing and calculating with Galois connections. Unfortunately, how to exploit Galois connections and widenings for CFA has remained an open problem since its formulation by Nielson and Nielson [72]. The work [26] represents a complete answer to this question for 0-CFA of higher-order functional languages.

We present a derivation of a control-flow analysis by abstract interpretation. Our starting point is a transition system semantics defined as an abstract machine for a small functional language in continuation-passing style. We obtain a Galois connection for abstracting the machine states by composing Galois connections, most notably an independent-attribute Galois connection on machine states and a Galois connection induced by a closure operator associated with a constituent-parts relation on environments. We calculate abstract transfer functions by applying the state abstraction to the collecting semantics, resulting in a novel characterization of a standard demand-driven control-flow analysis, namely 0-CFA.
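To make the target of this derivation concrete, here is an added example (not the calculated transfer functions of [26], and not code from the project): a textbook-style 0-CFA for a CPS language, computed by naive fixpoint iteration over reachable call sites only. The tuple syntax, the helper names `lam`, `call`, `zero_cfa` and the sample program are assumptions made for this illustration.

```python
from collections import defaultdict
# Constructed CPS syntax (an assumption of this example):
#   trivial: "x" (variable) | ("lam", label, params, call)
#   call:    ("call", f, args), with f and every arg trivial
def lam(label, params, body):
    return ("lam", label, tuple(params), body)

def call(f, *args):
    return ("call", f, tuple(args))

def zero_cfa(program):
    """Return (env, reached) for the least 0-CFA solution of program."""
    env = defaultdict(set)   # one global abstract environment: no contexts
    lams = {}                # label -> lambda term, filled as terms are seen
    reached = set()          # labels of lambdas whose body may run
    calls = [program]        # call sites found reachable so far

    def ev(e):               # abstract value of a trivial expression
        if isinstance(e, str):
            return env[e]
        lams[e[1]] = e
        return {e[1]}

    changed = True
    while changed:           # naive iteration up to the least fixpoint
        changed = False
        for _, f, args in list(calls):
            for label in list(ev(f)):
                _, _, params, body = lams[label]
                if len(params) != len(args):
                    continue             # arity mismatch: no transition
                if label not in reached:
                    reached.add(label)
                    calls.append(body)   # body becomes a reachable call
                    changed = True
                for p, a in zip(params, args):
                    new = ev(a) - env[p]
                    if new:
                        env[p] |= new
                        changed = True
    return dict(env), reached

# Constructed sample: CPS identity applied to lambda a, then to lambda b.
A = lam("a", ["p"], call("halt", "p"))
B = lam("b", ["q"], call("halt", "q"))
ID = lam("id", ["v", "k"], call("k", "v"))
K2 = lam("k2", ["y"], call("halt", "y"))
K1 = lam("k1", ["x"], call("id", B, K2))
PROGRAM = call(lam("main", ["id"], call("id", A, K1)), ID)
```

At run time `x` is only ever bound to `a` and `y` only to `b`, but the analysis reports both labels for each because the two calls to `id` share one abstract binding for `v` and `k`; context-sensitive analyses such as CPA exist to avoid this merging.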

#### CPA beats ∞-CFA

There is a generic framework for defining context-sensitive control-flow analyses. Various notions of context have been proposed, allowing one to trade time for speed. We have formally established a conjecture of Grove *et al.* [56] stating that Agesen's Cartesian Product Algorithm (CPA) is strictly more precise than ∞-CFA [15]. This result holds despite the fact that (contrary to CPA) computing ∞-CFA would require an infinite number of contexts. For the sake of the proof, we define a core object-oriented language and prove correct a generic control-flow analysis. This generic analysis is then instantiated using the CPA and ∞-CFA contexts. The proof consists in showing that the concrete states approximated by CPA are a subset of those computed by ∞-CFA.

#### BDD-based computation of control-flow analyses

Datalog and BDDs have been proposed to compute the results of context-sensitive control-flow analyses [41], [85]. We are working on lifting the expressiveness restrictions imposed by Datalog while retaining the efficiency of BDDs. To reach this goal, we are developing a theory for computing the least-fixpoint semantics of Prolog programs using BDD operations [29]. Compared with Datalog, Prolog has the advantage of providing first-order terms, thus allowing for a more natural specification of control-flow analyses. The implementation and evaluation of a prototype based on this theory are in progress.