Francesco Ranzato

Making abstract interpretations complete

Completeness is an ideal, although uncommon, feature of abstract interpretations, formalizing the intuition that, relatively to the properties encoded by the underlying abstract domains, there is no loss of information accumulated in abstract computations. Thus, complete abstract interpretations can be rightly understood as optimal. We deal with both pointwise completeness, involving generic semantic operations, and (least) fixpoint completeness. Completeness and fixpoint completeness are shown to be properties that depend on the underlying abstract domains only. Our primary goal is then to solve the problem of making abstract interpretations complete by minimally extending or restricting the underlying abstract domains. Under the weak and reasonable hypothesis of dealing with continuous semantic operations, we provide constructive characterizations for the least complete extensions and the greatest complete restrictions of abstract domains. As far as fixpoint completeness is concerned, for merely monotone semantic operators, the greatest restrictions of abstract domains are constructively characterized, while it is shown that the existence of least extensions of abstract domains cannot be, in general, guaranteed, even under strong hypotheses. These methodologies, which in finite settings give rise to effective algorithms, provide advanced formal tools for manipulating and comparing abstract interpretations, useful both in static program analysis and in semantics design. A number of examples illustrating these techniques are given.

Complementation in abstract interpretation

Reduced product of abstract domains is a rather well-known operation for domain composition in abstract interpretation. In this article, we study its inverse operation, introducing a notion of domain complementation in abstract interpretation. Complementation provides as systematic way to design new abstract domains, and it allows to systematically decompose domains. Also, such an operation allows to simplify domain verification problems, and it yields space-saving representations for complex domains. We show that the complement exists in most coses, and we apply complementation to three well-know abstract domains, notably to Cousot and Cousots interval domain for integer variable analysis, to Cousot and Cousots domain for comportment analysis of functional languages, and to the domain Sharing for aliasing analysis of logic languages.

Refining and Compressing Abstract Domains

In the context of Cousot and Cousots abstract interpretation theory, we present a general framework to define, study and handle operators modifying abstract domains. In particular, we introduce the notions of operators of refinement and compression of abstract domains: A refinement enhances the precision of an abstract domain; a compression operator (compressor) can exist relatively to a given refinement, and it simplifies as much as possible a domain of input for that refinement. The adequateness of our framework is shown by the fact that most of the existing operators on abstract domains fall in it. A precise relationship of adjunction between refinements and compressors is also given, justifying why compressors can be understood as inverses of refinements.

A unifying view of abstract domain design

Introduction. The concept of abstract interpretation has been introduced by Patrick and Radhia Cousot in [4, 5], in order to formalize static program analyses. Within this framework, our goal is to offer a unifying view on operators for enhancing and simplifying abstract domains. Enhancing and simplifying operators are viewed, respectively, as domain refinements and inverses of domain refinements. This new unifying viewpoint makes both the understanding and the design of operators on abstract domains much simpler. Enhancing operators increase the expressiveness of an abstract domain: they comprise the Cousot and Cousot reduced product , disjunctive completion and reduced cardinal power ([5]), the Nielson tensor product ([9]), the open product and the pattern completion by Cortesi et al. ([3]), and the functional dependencies by Giacobazzi and Ranzato ([7]). Simplifying operators are used to reduce complex abstract domains into simpler ones with respect to the efficiency of the corresponding analysis as well as with respect to the proof of their correctness. Simplifying operators comprise the complementation of Cortesi et al. ([2]) and the Giacobazzi and Ranzato least disjunctive basis ([8]).

Optimal domains for disjunctive abstract interpretation

Abstract In the context of standard abstract interpretation theory, we define the inverse operation to the disjunctive completion of abstract domains, introducing the notion of least disjunctive basis of an abstract domain D. This is the most abstract domain inducing the same disjunctive completion as D. We show that the least disjunctive basis exists in most cases, and study its properties, also in relation with reduced product and complementation of abstract domains. The resulting framework is powerful enough to be applied to arbitrary abstract domains for analysis, providing advanced algebraic methodologies for domain manipulation and optimization. These notions are applied to abstract domains for static analysis of functional and logic programming languages.

A New Efficient Simulation Equivalence Algorithm

It is well known that simulation equivalence is an appropriate abstraction to be used in model checking because it strongly preserves ACTL* and provides a better space reduction than bisimulation equivalence. However, computing simulation equivalence is harder than computing bisimulation equivalence. A number of algorithms for computing simulation equivalence exist. Let Sigma denote the state space, rarr the transition relation and Psim the partition of Sigma induced by simulation equivalence. The algorithms by Henzinger, Henzinger, Kopke and by Bloom and Paige run in O(|Sigma||rarr|)-time and, as far as time-complexity is concerned, they are the best available algorithms. However, these algorithms have the drawback of a quadratic space complexity that is bounded from below by Omega(|Sigma|2). The algorithm by Gentilini, Piazza, Policriti appears to be the best algorithm when both time and space complexities are taken into account. Gentilini et al.s algorithm runs in O(|Psim|2|rarr|)-time while the space complexity is in O(|Psim|2 + |Sigma| log(|Psim|)). We present here a new efficient simulation equivalence algorithm that is obtained as a modification of Henzinger et al.s algorithm and whose correctness is based on some techniques used in recent applications of abstract interpretation to model checking. Our algorithm runs in O(|Psim||rarr|)-time and O(|Psim||Sigma|)-space. Thus, while retaining a space complexity which is lower than quadratic, our algorithm improves the best known time bound.

Strong Preservation as Completeness in Abstract Interpretation

Many algorithms have been proposed to minimally refine abstract transition systems in order to get strong preservation relatively to a given temporal specification language. These algorithms compute a state equivalence, namely they work on abstractions which are partitions of system states. This is restrictive because, in a generic abstract interpretation-based view, state partitions are just one particular type of abstraction, and therefore it could well happen that the refined partition constructed by the algorithm is not the optimal generic abstraction. On the other hand, it has been already noted that the well-known concept of complete abstract interpretation is related to strong preservation of abstract model checking. This paper establishes a precise correspondence between complete abstract interpretation and strongly preserving abstract model checking, by showing that the problem of minimally refining an abstract model checking in order to get strong preservation can be formulated as a complete domain refinement in abstract interpretation, which always admits a fixpoint solution. As a consequence of these results, we show that some well-known behavioural equivalences used in process algebra like simulation and bisimulation can be elegantly characterized in pure abstract interpretation as completeness properties.

The reduced relative power operation on abstract domains

Abstract In the context of standard abstract interpretation theory, a reduced relative power operation for functionally composing abstract domains is introduced and studied. The reduced relative power of two abstract domains D 1 (the exponent) and D 2 (the base) consists in a suitably defined lattice of monotone functions from D 1 to D 2 , called dependencies, and it is a generalization of the Cousot and Cousot reduced cardinal power operation. The relationship between reduced relative power and Nielsons tensor product of abstract domains is also investigated. The case of autodependencies, i.e. base and exponent are the same domain, turns out to be particularly interesting: Under certain hypotheses, the domain of autodependencies corresponds to a powerset-like completion of the base abstract domain, providing a compact set-theoretic representation for autodependencies. Two relevant applications of the reduced relative power operation in the fields of logic program analysis and semantics design are presented. Notably, it is proved that the wellknown abstract domain Def for logic program ground-dependency analysis can be characterized as the domain of autodependencies of the standard abstract domain representing plain groundness information only; on the semantics side, it is shown how reduced relative power can be exploited in order to systematically derive compositional semantics for logic programs.

Weak relative pseudo-complements of closure operators

We define the notion of weak relative pseudo-complement on meet semi-lattices, and we show that it is strictly weaker than relative pseudo-complementation, but stronger than pseudo-complementation. Our main result is that if a complete lattice ℒ is meet-continuous, then every closure operator on ℒ admits weak relative pseudo-complements with respect to continuous closure operators on ℒ.

Generalized Strong Preservation by Abstract Interpretation

Standard abstract model checking relies on abstract Kripke structures which approximate concrete models by gluing together indistinguishable states, namely by a partition of the concrete state space. Strong preservation for a specification language L amounts to the equivalence of concrete and abstract model checking of formulas in L . We show how abstract interpretation can be used to design generic abstract models that allow to view standard abstract Kripke structures as particular instances. Accordingly, strong preservation is generalized to abstract interpretation-based models and precisely related to the concept of completeness in abstract interpretation. The problem of minimally refining an abstract model in order to make it strongly preserving for some language L can be formulated as a minimal domain refinement in abstract interpretation in order to get completeness w.r.t. the logical/temporal operators of L . It turns out that this refined strongly preserving abstract model always exists and can be characterized as a greatest fixed point. As a consequence, some well-known behavioural equivalences, like bisimulation, simulation and stuttering, and their corresponding partition refinement algorithms can be elegantly characterized in abstract interpretation as completeness properties and refinements.