Clipping: A Semantics-Directed Syntactic Approximation

Dan R. Ghica, School of Computer Science, University of Birmingham, U.K.
Adam Bakewell, School of Computer Science, University of Birmingham, U.K.

Abstract

In this paper we introduce “clipping,” a new method of syntactic approximation which is motivated by and works in conjunction with a sound and decidable denotational model for a given programming language. Like slicing, clipping reduces the size of the source code in preparation for automatic verification; but unlike slicing it is an imprecise but computationally inexpensive algorithm which does not require a whole-program analysis. The technique of clipping can be framed into an iterated refinement cycle to arbitrarily improve its precision. We first present this rather simple idea intuitively with some examples, then work out the technical details in the case of an Algol-like programming language and a decidable approximation of its game-semantic model inspired by Hankin and Malacaria’s “lax functor” approach. We conclude by presenting an experimental model checking tool based on these ideas and some toy programs.

1. Introduction

Automatic software verification is well on its way to becoming an essential part of industrial software development. The success of verification toolkits such as SLAM [6] and BLAST [14] confirms the effectiveness of techniques for handling models with very large state spaces, such as abstraction-refinement and on-the-fly model construction. However, it is fair to say that the success of fully automated software model checking (SMC) has been restricted to small, compact, self-contained programs such as device drivers. Scaling this technique up to large and very large programs has remained an open question. The main technique employed relies on using slicing [20] to syntactically reduce the size of the program to only those components that are relevant to the property being checked [9].

One common denominator of the conventional solutions mentioned above is an emphasis on static analyses of a rather syntactic nature, combined with a state-exploration or predicate-transformer operational semantics of the programming language. In a series of papers [1, 13, 10, 11, 5], the first author and collaborators have argued for an alternative approach, based on a compositional model constructed denotationally using game semantics [15, 2]. In those papers we stressed the usefulness of the “external” aspect of compositional verification: we can prove the correctness of a program by proving the correctness of its components. We argued that a denotational-semantic approach, which has compositionality built in, is the simplest and most technically elegant way of achieving this. Our previous work focused on adapting the conventional state-space-saving heuristics to the game-semantic setting, and on building a state-of-the-art games-based SMC tool¹. In doing that we often exploited the “internal” compositionality of the game model, i.e. the fact that the model of a term is constructed as a composition of the models of its sub-terms. The technique in this paper combines and exploits for the first time both the “external” and the “internal” compositionality of the game-semantic model in an innovative abstraction algorithm that, we argue, can be an important step towards “scaling up” automatic verification to large software projects.

The basic, and rather simple, idea of clipping is best understood in contrast with slicing. Slicing [20] is a syntactic under-approximation which is calculated to be sound for a fixed set of program properties. It removes parts of a program that are considered irrelevant, basically by replacing them with constants in the abstract syntax tree of the program; by contrast, clipping replaces parts of the program that are considered (potentially) irrelevant with fresh identifiers. This is where the magic of the denotational approach kicks in: the denotational model of a fresh identifier of any given type is defined as a universal quantifier over all possible behaviours of terms of that type; it is the most general behaviour at that type. Consequently, the identifier is an over-approximation

¹ www.cs.bham.ac.uk/research/projects/mage
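As an added illustration (not the paper's own code, and not part of the MAGE tool), the following Python sketches the contrast drawn above on a toy Algol-like syntax tree: slicing replaces a subterm with a constant of the subterm's type, clipping replaces it with a fresh identifier of that type, and "unclipping" restores the original subterm, which is the refinement step that buys back precision. The term language, the type names exp/com/var, the path notation and all helper names are assumptions made for this example.

```python
"""Toy slicing vs clipping on a small Algol-like AST (added example, not the paper's code)."""
from dataclasses import dataclass
from itertools import count
from typing import Iterator, List, Tuple, Union

# --- assumed term language: integer expressions and commands ---
@dataclass(frozen=True)
class Const:            # integer literal, type "exp"
    value: int

@dataclass(frozen=True)
class Skip:             # the do-nothing command, type "com"
    pass

@dataclass(frozen=True)
class Var:              # identifier with a declared type: "exp", "com" or "var"
    name: str
    ty: str

@dataclass(frozen=True)
class BinOp:            # arithmetic, type "exp" (a "var" operand is read implicitly)
    op: str
    left: "Term"
    right: "Term"

@dataclass(frozen=True)
class Assign:           # target := value, type "com"
    target: Var
    value: "Term"

@dataclass(frozen=True)
class Seq:              # first ; second, type "com"
    first: "Term"
    second: "Term"

Term = Union[Const, Skip, Var, BinOp, Assign, Seq]
Path = Tuple[int, ...]  # child indices from the root down to a subterm

def type_of(t: Term) -> str:
    """Assumed typing: literals and arithmetic are exp, commands are com."""
    if isinstance(t, (Const, BinOp)):
        return "exp"
    if isinstance(t, (Skip, Assign, Seq)):
        return "com"
    return t.ty

def children(t: Term) -> List[Term]:
    if isinstance(t, BinOp):
        return [t.left, t.right]
    if isinstance(t, Assign):
        return [t.target, t.value]
    if isinstance(t, Seq):
        return [t.first, t.second]
    return []

def with_children(t: Term, kids: List[Term]) -> Term:
    """Rebuild a node of the same shape around new children."""
    if isinstance(t, BinOp):
        return BinOp(t.op, kids[0], kids[1])
    if isinstance(t, Assign):
        return Assign(kids[0], kids[1])
    if isinstance(t, Seq):
        return Seq(kids[0], kids[1])
    return t

def size(t: Term) -> int:
    return 1 + sum(size(c) for c in children(t))

def subterm(t: Term, path: Path) -> Term:
    for i in path:
        t = children(t)[i]
    return t

def replace_at(t: Term, path: Path, new: Term) -> Term:
    if not path:
        return new
    kids = children(t)
    kids[path[0]] = replace_at(kids[path[0]], path[1:], new)
    return with_children(t, kids)

def fresh_names(prefix: str = "k") -> Iterator[str]:
    return (f"{prefix}{i}" for i in count())

def slice_at(t: Term, path: Path) -> Term:
    """Slicing: drop the subterm, replacing it with a constant of its type."""
    ty = type_of(subterm(t, path))
    if ty == "var":
        raise ValueError("an assignable target cannot be replaced by a constant")
    return replace_at(t, path, Const(0) if ty == "exp" else Skip())

def clip_at(t: Term, path: Path, names: Iterator[str]) -> Term:
    """Clipping: replace the subterm with a fresh identifier of the same type."""
    sub = subterm(t, path)
    return replace_at(t, path, Var(next(names), type_of(sub)))

def unclip(clipped: Term, original: Term, path: Path) -> Term:
    """Refinement step: put the original subterm back at a clipped position."""
    return replace_at(clipped, path, subterm(original, path))

def show(t: Term) -> str:
    if isinstance(t, Const):
        return str(t.value)
    if isinstance(t, Skip):
        return "skip"
    if isinstance(t, Var):
        return t.name
    if isinstance(t, BinOp):
        l, r = show(t.left), show(t.right)
        l = f"({l})" if isinstance(t.left, BinOp) else l
        r = f"({r})" if isinstance(t.right, BinOp) else r
        return f"{l} {t.op} {r}"
    if isinstance(t, Assign):
        return f"{t.target.name} := {show(t.value)}"
    return f"{show(t.first)}; {show(t.second)}"

# Constructed sample program:  x := 1; y := x + (z * 3)
X, Y, Z = Var("x", "var"), Var("y", "var"), Var("z", "exp")
PROGRAM = Seq(Assign(X, Const(1)), Assign(Y, BinOp("+", X, BinOp("*", Z, Const(3)))))

if __name__ == "__main__":
    print(show(PROGRAM), size(PROGRAM))
    print(show(slice_at(PROGRAM, (1, 1, 1))))                 # x := 1; y := x + 0
    print(show(clip_at(PROGRAM, (1, 1, 1), fresh_names())))   # x := 1; y := x + k0
    print(show(clip_at(PROGRAM, (0,), fresh_names())))        # k0; y := x + (z * 3)
```

The point the toy makes explicit is the difference in what the replacement denotes: the sliced `0` commits to one particular behaviour, whereas the clipped `k0` is an identifier of type exp (or com, when a whole command is clipped) and so stands for every behaviour at that type; `unclip` is the hook an outer refinement loop would call when that over-approximation proves too coarse.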