The following schedule lists the topics we will cover and the approximate number of meetings we will spend on each topic. The schedule is tentative. Most likely, some things will change during the semester, and I will revise the schedule as necessary.

The Reading column lists the assigned reading for the meeting. You should view the readings as an introduction to spark discussion in class.

The Assignment column lists the due date for each assignment.

Readings. The readings will be classified in the following order of recommendation: Advised (highest importance), Recommended (important, but read after the previous category), and Supplemental (additional material for a different perspective). NNH refers to Nielson et al., Principles of Program Analysis.

Date Topic Reading Assignment
1 M 1/11 Welcome
Supplemental. John Carmack. Static Code Analysis. This blog post is a famous developer's view of static analysis. John Carmack is known for his contributions to game engines (e.g., Doom).
W 1/13 Semantics Crash Course: Operational Semantics [meeting 2-5 whiteboard]
Advised. Winskel, Chapter 2.
Recommended. Harper, Chapters 1-3 (i.e., Part I). These chapters are background on syntax, judgments, and inductive definitions.
Supplemental. Winskel, Chapters 3-4. These chapters are another source on judgments and inductive definitions.
2 M 1/18 No Class: MLK Day
W 1/20 Semantics Crash Course: Operational Semantics
Advised. Winskel, Chapter 6.
3 M 1/25 Semantics Crash Course: Hoare Logic
W 1/27 Semantics Crash Course: Hoare Logic [meeting 6-9 whiteboard]
4 M 2/1 Collecting Semantics and Dataflow Analysis
Recommended (Classic). Gary A. Kildall. A unified approach to global program optimization. POPL, 1973.
Recommended (Classic). Michael Karr. Affine relationships among variables of a program. Acta Informatica 6(2):1976.
Recommended. NNH, Chapter 1.
W 2/3 Collecting Semantics and Dataflow Analysis
Advised. NNH, 2.1-2.3
5 M 2/8 Semantics Crash Course: Denotational Semantics
Advised. Winskel, Chapter 5 (up to 5.4).
W 2/10 Abstraction
Recommended. NNH, 4.1-4.3
Recommended. Rival, 4.1-4.2
6 M 2/15 Abstract Interpretation [meeting 10-11 whiteboard]
Recommended. NNH, 4.2
Supplemental. Rival, 4.3, 5.1
W 2/17 Abstract Interpretation [marked up exercise 3]
Advised. Patrick Cousot and Radhia Cousot. Static Determination of Dynamic Properties of Programs. In B. Robinet, editor, Proceedings of the second international symposium on Programming, Paris, France, pages 106–130, April 13-15 1976, Dunod, Paris.
Advised. Patrick Cousot. Semantic foundations of program analysis. In S.S. Muchnick & N.D. Jones, editors, Program Flow Analysis: Theory and Applications, Ch. 10, pages 303–342, Prentice-Hall, Inc., Englewood Cliffs, New Jersey, U.S.A., 1981.
Recommended. Bor-Yuh Evan Chang and Xavier Rival. Modular Construction of Shape-Numeric Analyzers, EPTCS 129, 2013.
Supplemental (Classic). Patrick Cousot and Radhia Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Conference Record of the Fourth Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 238–252, Los Angeles, California, 1977. ACM Press, New York, NY, USA.
Supplemental (Classic). Patrick Cousot and Radhia Cousot. Systematic Design of Program Analysis Frameworks. In Conference Record of the Sixth Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 269–282, San Antonio, Texas, 1979. ACM Press, New York.
7 M 2/22 Interprocedural Analysis
Recommended. Thomas Reps. Program Analysis via Graph Reachability. (Read up through Section 4.1, though the whole paper is recommended.)
Recommended. Reps, Thomas, Susan Horwitz, and Mooly Sagiv. 1995. “Precise Interprocedural Dataflow Analysis via Graph Reachability.” In Proceedings of the 22nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages - POPL ’95, 49–61. San Francisco, California, United States. doi:10.1145/199448.199462.
W 2/24 Higher-Order Program Analysis
Recommended. David Van Horn and Matthew Might. Abstracting Abstract Machines: A Systematic Approach to Higher-Order Program Analysis. CACM, 2011.
8 M 2/29 Separation Logic, Shape Analysis, and Pointer Analysis
Advised. John C. Reynolds. Separation Logic: A Logic for Shared Mutable Data Structures. LICS, 2002.
Recommended. Dino Distefano, Peter W. O'Hearn, Hongseok Yang. A Local Shape Analysis Based on Separation Logic. TACAS, 2006.
Supplemental. John C. Reynolds. Introduction to Separation Logic. An additional resource is the course notes for this class.
Advised. Manu Sridharan, Satish Chandra, Julian Dolby, Stephen J. Fink, and Eran Yahav. Alias Analysis for Object-Oriented Programs.
Recommended. George Kastrinis and Yannis Smaragdakis. Hybrid Context-Sensitivity for Points-To Analysis. PLDI, 2013.
W 3/2 Symbolic Execution
Recommended. Khoo Yit Phang, Bor-Yuh Evan Chang, and Jeffrey S. Foster. Mixing Type Checking and Symbolic Execution. PLDI, 2010.
Recommended. Patrice Godefroid, Nils Klarlund, and Koushik Sen. DART: Directed Automated Random Testing. Conference on Programming Language Design and Implementation (PLDI), 2005.
Supplemental (Classic). James C. King. Symbolic execution and program testing. CACM 19(7), July 1976.
9 M 3/7 Research Topics: Complexity Analysis
Tianhan Lu
Sinn, Moritz, Florian Zuleger, and Helmut Veith. A simple and scalable static analysis for bound analysis and amortized complexity analysis. CAV, 2014.
Cook, Byron. Principles of program termination. Engineering Methods and Tools for Software Safety and Security 22 (2009): 161.
W 3/9 Research Topics: JavaScript Type Analysis
Benno Stein
Andreasen, Esben, and Anders Møller. Determinacy in Static Analysis for jQuery. OOPSLA, 2014.
Jensen, Simon Holm, Anders Møller, and Peter Thiemann. Type Analysis for JavaScript. SAS, 2009.
10 M 3/14 Research Topics: Profiling and Dynamic Analysis
Anna Villani
Nistor, Adrian, Linhai Song, Darko Marinov, and Shan Lu. Toddler: Detecting Performance Problems via Similar Memory-Access Patterns. ICSE, 2013.
Burnim, J., S. Juvekar, and K. Sen. WISE: Automated Test Generation for Worst-Case Complexity. ICSE, 2009.
W 3/16 Research Topics: Android Malware
Evan Roncevich
Yang, W., X. Xiao, B. Andow, S. Li, T. Xie, and W. Enck. AppContext: Differentiating Malicious and Benign Mobile App Behaviors Using Context. ICSE, 2015.
Arzt, Steven, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick McDaniel. FlowDroid: Precise Context, Flow, Field, Object-Sensitive and Lifecycle-Aware Taint Analysis for Android Apps. PLDI, 2014.
11 M 3/21 No Class: Spring Break
W 3/23 No Class: Spring Break
12 M 3/28 Research Topics: Types and Aliasing
Alan Moy
Rondon, Patrick Maxim, Ming Kawaguchi, and Ranjit Jhala. Low-Level Liquid Types. POPL, 2010.
Aiken, Alex, Jeffrey S. Foster, John Kodumal, and Tachio Terauchi. Checking and Inferring Local Non-Aliasing. PLDI, 2003.
W 3/30 Research Topics: Incremental Program Analysis
Kyle Howell
Hammer, Matthew A., Khoo Yit Phang, Michael Hicks, and Jeffrey S. Foster. Adapton: Composable, Demand-Driven Incremental Computation. PLDI, 2014.
13 M 4/4 Research Topics: Program Analysis for Confidentiality
Saeid Tizpaz Niari
Černý, Pavol, and Rajeev Alur. Automated Analysis of Java Methods for Confidentiality. CAV, 2009.
Eldib, Hassan, Chao Wang, and Patrick Schaumont. SMT-Based Verification of Software Countermeasures against Side-Channel Attacks. TACAS, 2014.
W 4/6 Research Topics: Program Repair
Rhys Olsen
Kneuss, Etienne, Manos Koukoutos, and Viktor Kuncak. Deductive Program Repair. CAV, 2015.
14 M 4/11 Research Topics: Program Repair
Rhys Olsen
Long, Fan, and Martin Rinard. Automatic Patch Generation by Learning Correct Code. POPL, 2016.
W 4/13 Research Topics: Taint Analysis
Ashwin Asokan
Sridharan, Manu, Shay Artzi, Marco Pistoia, Salvatore Guarnieri, Omer Tripp, and Ryan Berg. F4F: Taint Analysis of Framework-Based Web Applications. OOPSLA, 2011.
Tripp, Omer, Marco Pistoia, Patrick Cousot, Radhia Cousot, and Salvatore Guarnieri. Andromeda: Accurate and Scalable Security Analysis of Web Applications. FASE, 2013.
15 M 4/18 Research Topics: Preconditions, Parallelism
Benno Stein, Alan Moy
Cousot, Patrick, Radhia Cousot, and Francesco Logozzo. Precondition Inference from Intermittent Assertions and Application to Contracts on Collections. VMCAI, 2011.
Kawaguchi, Ming, Patrick Rondon, Alexander Bakst, and Ranjit Jhala. Deterministic Parallelism via Liquid Effects. PLDI, 2012.
W 4/20 Research Topics: Termination, Testing
Tianhan Lu, Anna Villani
Podelski, A., and A. Rybalchenko. Transition Invariants. LICS, 2004.
Godefroid, Patrice. Higher-Order Test Generation. PLDI, 2011.
16 M 4/25 Project Presentations
W 4/27 Project Presentations