Class Tu/Th 9:00 - 10:20 a.m. in PH A18B
Recitation F 9:30 - 10:20 a.m. in GHC 4211
Spring 2018
12 units
aldrich and clegoues at cs dot cmu dot edu
WEH 4216 and 5117
Office hours, Le Goues: Wed, 2:30-3:30, or by appointment
Office hours, Aldrich: Thu, 2-3pm, or by appointment
For appointments outside of office hours, email the instructor.
Course Description
This course covers both foundations and practical aspects of the automated analysis of programs, which is becoming increasingly critical to find software errors and assure program correctness. The theory of abstract interpretation captures the essence of a broad range of program analyses and supports reasoning about their correctness. Building on this foundation, the course will describe program representations, data flow analysis, alias analysis, interprocedural analysis, dynamic analysis, and symbolic execution. Through assignments and projects, students will design and implement practical analysis tools that find bugs and verify properties of software.
New: For 2018, this course fulfills the Logic and Languages constrained elective category for the Computer Science major.
Why take this course?
- Explore the meaning of programs. One of the most basic questions that programmers ask is "What does this program do?" Program analysis is all about understanding programs--automatically!
- Learn deep theory. The theory of abstract interpretation stands with type theory as the most important and beautiful foundations of programming languages. Abstract interpretation is the fundamental theory of abstraction: how to precisely relate the concrete execution of a program to an abstraction of that execution. Naturally, this has many applications, which brings us to the third reason to take this course:
- Build awesome tools. Using program analysis, you can build tools that find bugs, prove important security and correctness properties, automatically generate useful tests, and much more--and you'll have a chance to do all of this in course assignments and a project that you can design yourself (if you want).
Course Syllabus and Policies
The syllabus covers course learning objectives, supplemental textbooks, assessments, late work policy, and policies.
Schedule
Date | Topic and Notes | Additional Reading or Code | Assignments Due |
---|---|---|---|
Jan 16 | Introduction, Program Representation, and Syntactic Analysis (notes, slides, in-class exercises) | PPA ch. 1 (optional) | |
Jan 18 | Program Semantics (notes, in-class exercises) | | |
Jan 19 | Recitation: Syntactic Analysis in Soot | 17-355-lab-1.zip | |
Jan 23 | Dataflow Analysis and Abstract Interpretation (notes, in-class exercises) | PPA ch. 2 (optional) | |
Jan 25 | Dataflow Analysis and Abstract Interpretation, continued (in-class exercises) | PPA ch. 6 (optional) | hw1 (hw1.pdf, hw1.zip) |
Jan 26 | Recitation: Semantics | | |
Jan 30 | Dataflow Analysis examples (notes, in-class exercises) | | |
Feb 1 | Dataflow Analysis examples (continued) | | hw2 (hw2.pdf, mathpartir.zip) |
Feb 2 | Recitation: Specifying Dataflow Analysis | | |
Feb 6 | Dataflow Analysis termination and complexity (notes, in-class exercises) | PPA ch. 4 (optional) | |
Feb 8 | Widening and collecting (notes) | | hw3 (hw3.pdf) |
Feb 9 | Recitation: Implementing dataflow analysis | | |
Feb 13 | Interprocedural analysis (notes) | | |
Feb 15 | Context-sensitive interprocedural analysis (notes are continued) | | hw4 (hw4.pdf, hw4.zip) |
Feb 16 | Recitation: Proving analyses correct | | |
Feb 20 | Pointer analysis (notes) | | |
Feb 22 | OO Call Graph Construction (notes) | | hw5 (hw5.pdf) |
Feb 23 | Recitation: Interprocedural analysis in Soot | | |
Feb 27 | Control Flow Analysis (notes) | | |
Mar 1 | Hoare Logic (notes) | | hw6 checkpoint due (hw6.pdf) |
Mar 2 | Recitation: Midterm review | | |
Mar 6 | Hoare Logic | | full hw6 due |
Mar 8 | Midterm Exam | | |
Mar 9 | No recitation: Mid-Semester Break | | |
Mar 20 | Satisfiability Modulo Theories (notes) | | |
Mar 22 | Program synthesis (notes) | | |
Mar 23 | Recitation: SMT solvers | | |
Mar 27 | Guest lecture: Analysis at Facebook | | hw7 (hw7.pdf) |
Mar 29 | Program synthesis, continued | | |
Mar 30 | Recitation | | |
Apr 3 | Symbolic execution (notes) | Optional reading: Mixing Type Checking and Symbolic Execution | |
Apr 5 | Concolic execution and test generation (notes, slides on Prefix) | | hw8 (hw8.pdf) |
Apr 6 | Recitation | | |
Apr 10 | Model Checking (notes by Clarke et al., slides) | | project proposal due |
Apr 12 | Counterexample-Guided Abstraction Refinement in Blast (slides) | Checking Memory Safety with Blast | hw9 (hw9.pdf) |
Apr 13 | Recitation | | |
Apr 17 | Program Repair | | |
Apr 19 | No lecture: Spring Carnival | | |
Apr 20 | No recitation: Spring Carnival | | |
Apr 24 | Program Repair | | |
Apr 26 | Declarative Program Analysis (slides) | Strictly Declarative Specification of Sophisticated Points-to Analyses | Project checkpoint due |
Apr 27 | Recitation: Datalog/Prolog | Datalog/Prolog | |
May 1 | Separation Logic | Primer on Separation Logic | |
May 3 | Dynamic Analysis for Data Race Detection (no recitation) | | |
Finals week | Project presentations | Project presentations | |
May 11 | | | Project final report due |