Configurable Program Analysis (CPA)

• CPA is a unifying framework that defines a multi-tuple of abstract domains, precisions, and operators to systematically capture program behavior.
• It supports modular composition, enabling advanced techniques such as CEGAR, product analyses, and parallel verification in tools like CPAchecker.
• Empirical evaluations demonstrate that CPA-based methods improve scalability, precision, and efficiency across varied verification tasks.

Configurable Program Analysis (CPA) provides a unifying formalism for expressing and composing diverse program analysis and model checking techniques. At its core, CPA packages the essential building blocks of data-flow domains and analysis algorithms into a single, parameterized interface. This structure enables sound, flexible, and modular static analysis, supporting advanced mechanisms such as abstraction refinement (CEGAR), product/composite analyses, and parallelization via orthogonal domain composition. The CPA paradigm underlies leading tools for software verification, most notably CPAchecker, facilitating the implementation, combination, and scaling of various program analysis methodologies (0902.0019, Baier et al., 2024).

1. Formal Definition and Foundations

A Configurable Program Analysis is formally defined as a multi-tuple encapsulating an abstract domain, precision, transfer relation, merge operator, stop operator, and a precision adjustment function. In the canonical form:

$\text{CPA} = (D, P, \;\trans, \;\merge, \;\stopop, \;\precop)$

where:

• $D = (C, \preceq)$ is the abstract domain, a set $C$ of abstract states with preorder $\preceq$.
• $P$ is the set of precisions, parameterizing abstraction detail.
• $\trans \subseteq C \times \text{Ops} \times C$ is the transfer relation, relating predecessor and successor abstract states for a program operation.
• $\merge: C \times C \times P \rightarrow C$ merges abstract states at join points, usually as join in a lattice.
• $\stopop: C \times P \times 2^C \rightarrow \{\mathit{true}, \mathit{false}\}$ checks coverage, typically $c$ subsumed by some $c' \in S$.
• $\precop: C \times P \rightarrow C \times P$ allows on-the-fly, path-dependent precision refinement, as in CEGAR.

CPA imposes that key operators (transfer, merge, stop) are parameterized and composable, and that soundness is preserved via the relation between abstract and concrete semantics. The reachability (ARG) construction proceeds via worklist, applying transfer, merge, and stop in a loop to compute the set of reached abstract states, possibly interleaved with dynamic precision adjustment (0902.0019, Baier et al., 2024).

2. Composition and Modular Construction

CPA composition is central to the paradigm. Given two (or more) CPAs

$\CPA_1 = (D_1, P_1, \ldots),\; \CPA_2 = (D_2, P_2, \ldots)$

their product CPA $\CPA_{1\|2}$ is constructed by taking the product of domains $C_1 \times C_2$ with the pointwise product preorder, product transfer relation, and componentwise merge, stop, and precision adjustment. Explicitly, for states $c_i, d_i \in C_i, p_i \in P_i$:

• Transfer: $((c_1, c_2), op, (c'_1, c'_2))$ if $(c_1, op, c'_1) \in \trans_1$ and $(c_2, op, c'_2) \in \trans_2$.
• Merge: $(\merge_1(c_1, d_1, p_1), \merge_2(c_2, d_2, p_2))$.
• Stop: $\stopop_1(c_1, p_1, S_1) \wedge \stopop_2(c_2, p_2, S_2)$.
• Precision adjustment: $(c'_1, c'_2, p'_1, p'_2)$ where $(c'_i, p'_i) = \precop_i(c_i, p_i)$.

Sequential composition (e.g., for phase-based analyses) can be encoded via a controlling scheduler CPA (Baier et al., 2024, 0902.0019). This modular structure underlies, for example, orthogonal composition of value, predicate, and shape analyses, as well as the integration of concurrency analysis (e.g. ThreadingCPA).

3. Instantiations: Key Abstract Domains and CPAs

CPA is instantiated for a spectrum of abstract domains, each offering trade-offs between expressiveness, scalability, and precision:

CPA Name	Abstract State (C)	Precision (P)	Core Operator Features
Explicit-Value (Value Analysis)	Variable $\to$ $\mathbb{Z}\cup\{\top\}$	Variable set or threshold	Concrete variable tracking, merge by equality or mapping to $\top$
Interval	Variable $\to$ $[l,u]$	Variables, widening	Join/intersect intervals, widen on loop heads
Octagon	DBM over $\pm x \pm y \leq c$	Fixed (none)	Join via elementwise maximum, close via Floyd–Warshall
Predicate-Abstraction	Boolean formula over predicates	Set of predicates	Abstraction via SMT, merge at join points only
BDD	BDD over predicates	Fixed (static)	Conjunct, existential quantification
ThreadingCPA	Partial map: Thread ID $\to$ Location	N/A	Models thread interleaving, steps for create/join/step

Each CPA implements the CPA interface explicitly, and can participate in arbitrary products. Additional domain-specific CPAs (e.g. memory graphs, congruences, templates) are constructed analogously (0902.0019, Baier et al., 2024, Karpenkov et al., 2015, Beyer et al., 2016).

4. Advanced Techniques: CEGAR, Local Policy Iteration, and Specialized CPAs

CPA provides a uniform substrate for advanced mechanisms:

• CEGAR (Counterexample-Guided Abstraction Refinement): CPA’s precision adjustment ($\precop$) supports CEGAR by refining abstraction based on infeasible error paths: the predicate CPA adds new predicates via interpolation; the explicit-value CPA adds missed variables; others analogously refine tracked constraints (0902.0019, Baier et al., 2024).
• Local Policy Iteration (LPI): LPI is formulated as a CPA over template domains, alternating symbolic path formula accumulation and LP-based abstraction at loop heads. This combines max-policy iteration precision with Kleene-style scalability. The CPA interface ensures LPI can interoperate with other analyses, e.g., predicate or congruence CPAs via the getValue and strengthen APIs (Karpenkov et al., 2015).
• Threading and Concurrency: ThreadingCPA models interleaved concurrent executions orthogonally to the data-flow CPA. Optimizations such as partial-order reduction and partitioned reachability sets reduce the state space, while compositionality enables pairing with value, predicate, or interval domains (Beyer et al., 2016).

5. Parallel and Range-Based Verification

CPA’s compositionality enables parallelization and advanced decomposition techniques:

• Ranged CPA: Arbitrary CPAs are restricted using range-reduction CPAs that confine exploration to a designated subspace of the path lattice. Parallel verification is achieved by partitioning the execution path set into complementary ranges and running separate (possibly different) CPAs on each, then aggregating verdicts and witnesses. Work-stealing and witness joining enable efficient load balancing and certification over ranges. Combinations of strong-in-proof and strong-in-bug-finding analyses solve tasks that individual techniques miss (Haltermanna et al., 2024).
• This parallel approach, implemented in CPAchecker and CoVeriTeam, yields increases in solved verification tasks—mixed ranged analyses with work stealing notably outperform individual strategies, with substantial speedups and no loss in soundness.

6. Empirical Results and Tool Ecosystem

CPAchecker operationalizes CPA, offering a Java-implemented, extensible framework for integrating new domains and analyses. Empirical findings across various CPAs and analysis scenarios include:

• ValueAnalysis and PredicateAbstraction CPAs both benefit from CPA-compositionality and dynamic precision refinement, with blended analyses (e.g., Predicate+ExplicitValue) providing marked performance and accuracy improvements (0902.0019, Baier et al., 2024).
• On concurrency tasks, ThreadingCPA combined with value or boolean domains achieves competitive results with optimized reached-set partitioning and POR, solving hundreds more benchmarks than non-optimized baselines (Beyer et al., 2016).
• Local Policy Iteration, instantiated as a CPA, matches or exceeds specialized numerical abstract interpretation frameworks on template-based invariant generation, with dramatically superior scaling on loop-rich code (Karpenkov et al., 2015).
• Parallel range-based verification increases both total solved tasks and robustness, especially when combining analyses of complementary strengths and utilizing work stealing (Haltermanna et al., 2024).

7. Extension Practices, Interface, and Ecosystem Integration

Extending CPA-based frameworks involves implementing the CPA interface (Java in CPAchecker), registering new domains via configuration, and reusing (or specializing) merge/stop/precision adjustment operators. CPAchecker’s architecture ensures CPAs are orthogonal and composable; compositional CPAs (CompositeCPA) allow plug-and-play domain products. Extension best practices include modular implementation, orthogonality, precision judiciousness, and the systematic use of configuration files for domain assembly. The tool supports regression testing, solver integration, and experimentation within the same framework used for empirical SV-COMP evaluations (0902.0019, Baier et al., 2024).

---

The CPA framework provides a robust, extensible foundation for modern program analysis, fusing formal soundness guarantees, modular domain construction, and the flexibility to support compositional, parallel, and refinement-based analyses as exemplified by the evolution and empirical impact of CPAchecker and related tools (0902.0019, Baier et al., 2024, Karpenkov et al., 2015, Beyer et al., 2016, Haltermanna et al., 2024).