Higher-Order Abstract Interpretation (and Application to Comportment Analysis Generalizing Strictness, Termination, Projection and PER Analysis of Functional Languages)
Invited paper
Patrick Cousot
LIENS, DMI, École Normale Supérieure, 75230 Paris cedex 05 (France)
[email protected]
Radhia Cousot
LIX, École Polytechnique, 91128 Palaiseau cedex (France)
[email protected]
Abstract
The original formulation of abstract interpretation [12, 13, 14, 16] represents program properties by sets. A property is understood as the set of semantic values satisfying it. Strongest program properties are defined by the collecting semantics which extends the standard semantics to powersets of semantic values. The approximation relation corresponding to the logical implication of program properties is subset inclusion. This was expressed using set and lattice theory in the context of transition systems [16], that is, of an operational semantics. This approach was applied to imperative programs [14], first-order procedures [15], communicating processes [17], parallel [18] and logic [19] programs. Some applications of abstract interpretation, such as strictness analysis for lazy functional languages [10, 54], require infinite behaviors of higher-order functions to be taken into account. In this context denotational semantics is very natural (strictness is f(⊥) = ⊥ where ⊥ denotes non-termination). The set-theoretic approach to abstract interpretation was felt incompatible with denotational semantics. The attempts to express the collecting semantics in denotational form were unsuccessful [3] since properties of functions f ∈ D1 ↦ D2 had to be expressed as continuous functions between powerdomains F ∈ PD1 ↦ PD2, which is not expressive enough. We solve the problem by returning to the sources of abstract interpretation, which consists in considering collecting semantics such that e.g. properties of functions f ∈ D1 ↦ D2 are sets of functions F ∈ ℘(D1 ↦ D2). Various Galois connection based approximations of F ∈ ℘(D1 ↦ D2) can then be applied. By using Galois connections, properties of the standard semantics naturally transfer to the collecting and then to the abstract semantics. This set-theoretic abstract interpretation framework is formulated in a way which is independent of both the programming language and the method used to specify its semantics.
It is illustrated for a higher-order monomorphically typed lazy functional language starting from its standard denotational semantics. The chosen application is comportment analysis which generalizes strictness, termination, projection (including absence) [64], dual projection (including totality) and PER analysis [41] and is expressed in denotational style.
1074-8970/94 $3.00 © 1994 IEEE
Part I: Higher-Order Abstract Interpretation

1: Principles of abstract interpretation

In the context of program analysis, abstract interpretation consists in answering questions about programs by approximation of a collecting semantics expressing program properties relative to a standard semantics [12, 13, 14, 16].

1.1: Collecting semantics

For example, the collecting semantics {|p|} ∈ ℘(D) of program p is a set {⟦p⟧ | ∈ I} D of possible output values (in the set D of concrete values) corresponding to a given set I of possible input values, as defined by the standard semantics ⟦p⟧.

1.2: Questions about programs

Concrete questions asked about program p have the form "{|p|} R?" where the set R ∈ P of desired results is a concrete property of P ≝ ℘(D), which is a complete lattice ⟨P ∩⟩ with = D.

1.3: Approximation ordering

Question Q is said to be more precise than Q′, or Q′ is an approximation of Q, if and only if Q Q′. The partial order is called the approximation ordering. Observe that the collecting semantics {|p|} is the most precise question which can be answered about program p. The approximation ordering is a logical ordering corresponding to implication which is totally unrelated with any relation between semantic values.

1.4: Abstract semantics

The collecting semantics {|p|} is not computable, so that an abstract semantics (|p|) ∈ Pa can be used instead. The set Pa of abstract properties is a complete lattice ⟨Pa a a a a ∩a⟩.

1.5: Connecting the collecting and abstract semantics

The correspondence between concrete and abstract properties is given by means of a Galois connection¹ ⟨P ⟩ ⟵⟶ ⟨Pa a⟩, that is a pair of functions:
  ∈ P ↦ Pa
  ∈ Pa ↦ P
satisfying:
  ∀Q ∈ P : ∀Qa ∈ Pa : (Q) a Qa ⇔ Q (Qa)   (1)
or equivalently: ∀Q, Q′ ∈ P, ∀Qa, Qa′ ∈ Pa:
  monotone: (Q Q′) ⇒ ((Q) a (Q′))
  monotone: (Qa a Qa′) ⇒ ((Qa) (Qa′))
  extensive: Q ((Q))
  reductive: ((Qa)) a Qa   (2)

1.6: Best approximation

The only considered properties are now of the form (Qa) where Qa ∈ Pa is an abstract property. Qa is said to be more precise than Qa′ if and only if (Qa) (Qa′). Let us call an approximation of a concrete property Q any abstract property Qa such that Q (Qa). The interest of Galois connections is that (Q) is the best approximation of Q (it is an approximation by Q ((Q)) in (2), and (Q) is more precise than any other approximation Qa since Q (Qa) implies (Q) a Qa by (1), so that ((Q)) (Qa) by monotony).

1.7: Correctness and completeness of the abstract interpretation

Questions are now answered in the abstract form "(|p|) a Qa?". This approach is correct whenever:
  ∀Qa ∈ Pa : (|p|) a Qa ⇒ {|p|} (Qa)
and complete whenever:
  ∀Qa ∈ Pa : {|p|} (Qa) ⇒ (|p|) a Qa
By the Galois connection property (1), any choice of (|p|) such that ({|p|}) a (|p|) is correct, while (|p|) a ({|p|}) is complete.

1.8: Higher-order abstract interpretation

In order to lift this approach to higher-order, we have to provide methods for approximating a set of functions (corresponding e.g. to the collecting semantics of a function type) and a relation (corresponding e.g. to the collecting semantics of a pair type or e.g. to an ordering on values).

2: Abstraction of a set of functions

We now consider abstract interpretations of sets of functions in ℘(D1 ↦ D2) where D1 and D2 are sets for which abstract interpretations are available:
  ⟨℘(Di) i Di ∩⟩ ⟵⟶ ⟨Dai a a ia ia ∩ia⟩   i = 1, 2   (3)

2.1: Abstraction of a set of functions by a binary relation

A first abstraction consists in approximating a set F of functions {fi | i ∈ } by a relation r relating elements ⟨x, y⟩ which can be mapped by some function fi in the set F: fi(x) = y. Precisely which function fi is ignored. We write D1 ↔ D2 for ℘(D1 D2) = {⟨x, y⟩ | x ∈ D1 ∧ y ∈ D2}. We define:
  ϱ(F) ≝ {⟨x, f(x)⟩ | x ∈ D1 ∧ f ∈ F}
  ϱ(r) ≝ {f ∈ D1 ↦ D2 | ∀x ∈ D1 : ⟨x, f(x)⟩ ∈ r}
so that we have the Galois connection:
  ⟨℘(D1 ↦ D2) D1 ↦ D2 ∩⟩ ⟵⟶ϱ ⟨D1 ↔ D2 D1 D2 ∩⟩

¹ Évariste Galois introduced such "correspondences" as the basis of his criterion for solvability of a polynomial equation of degree 5 by radicals and for the constructibility by straight-edge and compass. If E is a given field then let Inv G ≝ {a ∈ E | ∃ ∈ G : (a) = a} for a group G of automorphisms in E. The Galois group Gal E/F of E over a subfield F is the set of automorphisms of E such that (a) = a for every a ∈ F. The maps (F) = Gal E/F and (F) = Gal E/F are such that: (F1 F2) ⇒ ((F1) (F2)), (G1 G2) ⇒ ((G1) (G2)), F ((F)), ((G)) G, which, as remarked in [16], corresponds to (2), but for the use of the dual ordering = a, hence more precisely to the residuated mappings of P. Dubreuil and R. Croisot [23, 28]. The idea of using Galois connections in the context of order theory is in [31, 61] and, implicitly, in [6].
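As an added illustration (example code written for this page, not from the paper), the following Python models the relation abstraction of Sect. 2.1 on constructed two-element domains and checks the Galois connection property (1) of Sect. 1.5 by exhaustive enumeration; the domains, the tuple encoding of functions and all helper names are assumptions of the example.

```python
# Added example (not from the paper): abstraction of a set of functions by a
# binary relation (Sect. 2.1), with a brute-force check of property (1).
from itertools import combinations, product

D1 = (0, 1)          # constructed concrete domains (assumption of the example)
D2 = (0, 1)

# Every function D1 -> D2, encoded as the tuple of its images (f(0), f(1)).
FUNCS = frozenset(product(D2, repeat=len(D1)))
PAIRS = frozenset(product(D1, D2))      # elements of D1 x D2; D1 <-> D2 is its powerset


def alpha_rho(F):
    """{<x, f(x)> | x in D1, f in F}: which f produced a pair is forgotten."""
    return frozenset((x, f[x]) for f in F for x in D1)


def gamma_rho(r):
    """{f | forall x in D1 : <x, f(x)> in r}: all functions consistent with r."""
    return frozenset(f for f in FUNCS if all((x, f[x]) in r for x in D1))


def powerset(s):
    s = tuple(s)
    return (frozenset(c) for n in range(len(s) + 1) for c in combinations(s, n))


def galois_connection_holds():
    """Property (1): alpha(F) <= r  iff  F <= gamma(r), for every F and r."""
    return all((alpha_rho(F) <= r) == (F <= gamma_rho(r))
               for F in powerset(FUNCS) for r in powerset(PAIRS))


def information_loss():
    """Sizes of F and of gamma(alpha(F)) for F = {identity, negation}:
    the relation contains every pair, so all four functions come back."""
    F = frozenset({(0, 1), (1, 0)})     # identity = (0,1), negation = (1,0)
    return len(F), len(gamma_rho(alpha_rho(F)))
```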
2.2: Binary relations as set-valued functions

Once a set of functions has been approximated by a binary relation, we are left with the problem of approximating this relation with respect to the approximation ordering. We first consider two isomorphic representations of binary relations by functions and then their approximation.

Pointwise coding: There are many possible codings of a relation by a function. A first one is the pointwise coding into a function mapping elements to their images under the relation:
  ↔(r) ≝ x {y | ⟨x, y⟩ ∈ r}
  ↔( ) ≝ {⟨x, y⟩ | y ∈ (x)}
  ⟨D1 ↔ D2 D1 D2 ∩⟩ ↞↠↔ ⟨D1 ↦ ℘(D2) ˙ x. x.D2 ˙ ∩⟩
The arrow ↞ indicates that in the Galois connection ↔ is surjective or equivalently that is injective. The arrow ↠ indicates that ↔ is surjective or equivalently that is injective. Here we have an order isomorphism which is a special case of Galois connection (↔ ↔ and ↔ ↔ are the identity). Another inverse pointwise coding would consist in using the pointwise coding for the inverse relation.

Set-transformer coding: A second equivalent coding is set-transformer coding. The relation is coded by a set-transformer mapping sets to their images under the relation. Such set-transformers are complete union-morphisms, i.e. f ∈ ℘(D1) ⟼ ℘(D2) such that f(⋃x∈X {x}) = ⋃x∈X f({x}) (= f(X)):
  ς(r) ≝ X {y | ∃x ∈ X : ⟨x, y⟩ ∈ r}   (4)
  ς( ) ≝ {⟨x, y⟩ | y ∈ ({x})}   (5)
  ⟨D1 ↔ D2 D1 D2 ∩⟩ ↞↠ς ⟨℘(D1) ⟼ ℘(D2) ˙ X X D2 ˙ ∩⟩
Observe that this coding is familiar when the relation r is a function f (in which case ⟨x, y⟩ ∈ r and ⟨x, y′⟩ ∈ r imply y = y′ = f(x)), since ς(r) = X {f(x) | x ∈ X} is the usual extension of functions on elements to functions on sets of elements. Another inverse set-transformer coding would be relative to the inverse relation.

2.3: Abstraction of a set-valued function

Pointwise abstraction of a set-valued function: The approximation of a set-valued function in D1 ↦ ℘(D2) can be done using a pointwise abstraction (with no loss of information on D1 and approximation on ℘(D2) only), as follows:
  ( ) ≝ x. 2( (x))
  ( ) ≝ x.{y | y ∈ 2( (x))}
  ⟨D1 ↦ ℘(D2) ˙ x. x.D2 ˙ ∩⟩ ⟵⟶˙ ⟨D1 ↦ Da2 a x 2a x. 2a ˙2a ∩˙2a⟩

Functional abstraction of a set-transformer: A set-transformer in ℘(D1) ⟼ ℘(D2), which is a complete union-morphism hence -strict (f( ) = ) and set-inclusion monotonic (X Y ⇒ f(X) f(Y)), can be approximated by a -strict and monotonic function on abstract values (with loss of information both on ℘(D1) and ℘(D2)) using the following set-transformer abstraction [12, 13, 14, 16]:
  φ( ) ≝ 2 1
  φ( ) ≝ 2 1   (6)
  ⟨℘(D1) ⟼ ℘(D2) ˙ X X D2 ˙ ∩⟩ ⟵⟶φ ⟨Da1 ⟼ Da2 a A. 2a A. 2a ˙2a ∩˙2a⟩

3: Compositional abstraction

The composition of Galois connections ⟨a a⟩:
  ⟨℘(D) D ∩⟩ ⟵⟶a ⟨Da a a a a ∩a⟩
and ⟨b b⟩:
  ⟨Da a a a a ∩a⟩ ⟵⟶b ⟨Db b b b b ∩b⟩
is a Galois connection ⟨ b⟩ ⟨a a⟩:
  ⟨℘(D) D ∩⟩ ⟵⟶ab ⟨Db b b b b ∩b⟩   (7)
It follows that an abstract interpretation can be designed compositionally by composition of successive abstractions. For example we consider two possible abstractions of sets of functions by an abstract function.

Pointwise abstraction of a set of functions: A set of functions in ℘(D1 ↦ D2) can be approximated pointwise without loss of information on the domain D1 and abstraction on the co-domain D2 only:
  ( ) ≝ ↔ ϱ = F. x. 2({f(x) | x ∈ D1 ∧ f ∈ F})
  ( ) ≝ ϱ ↔ = F.{f | ∀x : f(x) ∈ 2( (x))}
  ⟨℘(D1 ↦ D2) D1 ↦ D2 ∩⟩ ⟵⟶ ⟨D1 ↦ Da2 a ˙2a ˙2a ˙2a ∩˙2a⟩   (8)
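As an added illustration (not the paper's own code), the following Python computes the set-transformer coding (4) of a relation and then the functional abstraction (6) of the resulting set-transformer, composing the concretisation of the argument, the concrete transformer and the abstraction of the result; the parity abstract domain, the successor relation and every function name are assumptions of this example, not something the paper specifies.

```python
# Added example (not from the paper): set-transformer coding (4) and the
# functional abstraction (6) alpha2 o Phi o gamma1, over a parity domain.
D = range(0, 8)                      # constructed concrete domain (assumption)

# Abstract domain Da = {BOT, EVEN, ODD, TOP} and its concretisation gamma.
BOT, EVEN, ODD, TOP = "bot", "even", "odd", "top"
GAMMA = {BOT: frozenset(),
         EVEN: frozenset(x for x in D if x % 2 == 0),
         ODD: frozenset(x for x in D if x % 2 == 1),
         TOP: frozenset(D)}


def alpha(X):
    """Best abstraction of a set X: the least a (in domain order) with X <= GAMMA[a]."""
    for a in (BOT, EVEN, ODD, TOP):      # BOT below EVEN and ODD, both below TOP
        if frozenset(X) <= GAMMA[a]:
            return a


def sigma(r):
    """Set-transformer coding (4): X |-> {y | exists x in X : <x, y> in r}."""
    return lambda X: frozenset(y for (x, y) in r if x in X)


def is_union_morphism(Phi, X, Y):
    """The coded transformer is a complete union-morphism (checked on one pair)."""
    return Phi(X | Y) == Phi(X) | Phi(Y)


def alpha_phi(Phi):
    """Functional abstraction (6): alpha2 o Phi o gamma1, as an abstract transformer."""
    return lambda a: alpha(Phi(GAMMA[a]))


# Constructed relation: the successor function on D as a set of pairs.
SUCC = frozenset((x, x + 1) for x in D if x + 1 in D)


def abstract_successor(a):
    """Abstract successor obtained from the concrete relation, e.g. EVEN -> ODD."""
    return alpha_phi(sigma(SUCC))(a)
```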
Functional abstraction of a set of functions: A coarser approximation of a set of functions in ℘(D1 ↦ D2) is by abstraction as a set transformer and then on both the domain D1 and on the co-domain D2:
  ( ) ≝ φ ς ϱ = F. X. 2({f(x) | x ∈ 1(X) ∧ f ∈ F})
  ( ) ≝ ϱ ς φ = {f | ∀x : f(x) ∈ 2 1({x})}
  ⟨℘(D1 ↦ D2) D1 ↦ D2 ∩⟩ ⟵⟶ ⟨Da1 ⟼ Da2 a a a a ∩a⟩   (9)

4: Abstraction of a binary relation

We now consider abstract interpretations of relations in D1 ↔ D2 where D1 and D2 are sets for which abstract interpretations (3) are available. Observe that by the isomorphisms between binary relations and set-valued functions (Sect. 2.2) and set-transformers (Sect. 2.2), we can already use the abstractions given in Sect. 2.

4.1: Relations on elements as relations on sets

Corresponding to the extension of a function on elements to a function on sets of elements (by the functional set-transformer of Sect. 2.2), a relation on elements can be coded by a relation on sets of elements:
  ↓r Y ≝ {x ∈ D1 | ∃y ∈ Y : ⟨x, y⟩ ∈ r}
  ↑r X ≝ {y ∈ D2 | ∃x ∈ X : ⟨x, y⟩ ∈ r}
  ⇑(r) ≝ {⟨X, Y⟩ ∈ ℘(D1) ↔ ℘(D2) | X ↓r Y}
  ⇒(r) ≝ {⟨X, Y⟩ ∈ ℘(D1) ↔ ℘(D2) | Y ↑r X}
  ⊥(r) ≝ ⇒(r) ∩ ⇑(r)
  ⊥(R) ≝ {⟨x, y⟩ | ⟨{x}, {y}⟩ ∈ R}
The same way that not all functions on sets are set-transformers (they must be complete union-morphisms hence -strict), not all relations between sets are set relators. Therefore we define:
  ℘(D1) ↔ ℘(D2) ≝ {R ∈ ℘(D1) ↔ ℘(D2) | ∀X ∈ ℘(D1) : (⟨X ⟩ ∈ R) ⇔ (X = ) ∧ ∀Y ∈ ℘(D2) : (⟨ Y⟩ ∈ R) ⇔ (Y = )}
  ℘(D1) ↔ ℘(D2) ≝ {R ∈ ℘(D1) ↔ ℘(D2) | ∀{⟨Xi, Yi⟩ | i ∈ } R : ⟨⋃i∈ Xi, ⋃i∈ Yi⟩ ∈ R}
  ℘(D1) ↔ ℘(D2) ≝ ℘(D1) ↔ ℘(D2) ∩ ℘(D1) ↔ ℘(D2)
so that we have the Galois connection:
  ⟨D1 ↔ D2 D1 D2 ∩⟩ ↞↠⊥ ⟨℘(D1) ↔ ℘(D2) ⊥ ⊥ ∩⟩   (10)
where:
  ⊥ ≝ {⟨ ⟩}
  ⊥ ≝ ⊥ (℘(D1) ∖ {}) (℘(D2) ∖ {})
The above connection is useful in conjunction with (4) to extend a relation defined for the standard semantics to a corresponding relation for the collecting semantics:
  ∀f ∈ D ↦ D : ∀r ∈ D ↔ D :
  ∀⟨x, y⟩ ∈ D D : ⟨x, y⟩ ∈ r ⇒ ⟨f(x), f(y)⟩ ∈ r
  ⇔ ∀⟨X, Y⟩ ∈ ℘(D) ℘(D) : ⟨X, Y⟩ ∈ ⊥(r) ⇒ ⟨ς(f)(X), ς(f)(Y)⟩ ∈ ⊥(r)   (11)

Example 1 (Fixpoint inducing) f ∈ D is ⊑-monotonic whence by (11), f⊥ ≝ ς(f) is ⊥(⊑)-preserving. ⟨D ⊑ ⊥ ⊔⟩ is a poset so that ⟨℘(D) ⊑⊥ ⊥⊥ ⊔⊥⟩ is a preorder where ⊑⊥ ≝ ⊥(⊑), ⊥⊥ ≝ {⊥} and ⊔⊥i Xi ≝ {⊔i xi | ∀i ∈ : xi ∈ Xi}. ⊥⊥ is an infimum on ℘(D) ∖ {}. We have:
  lfp⊥ f⊥ ≝ ⊔⊥n∈N f⊥n(⊥⊥) = {lfp f}   (12)
which is the least fixpoint on the poset ⟨℘⊥(D) ⊑⊥⟩ where ℘⊥(D) ≝ ℘(D)/⊥ ≝ {[X]⊥ | X ∈ ℘(D) ∖ {}}, [X]⊥ ≝ {Y | X ⊥ Y} is the equivalence class of X for the equivalence relation X ⊥ Y ≝ X ⊑⊥ Y ∧ Y ⊑⊥ X, and [X]⊥ ⊑⊥ [Y]⊥ ≝ X ⊑⊥ Y. □

4.2: Abstraction of a relation on sets by a relation on abstract values

Using the abstractions (3) of sets of values in D1 and D2, one can abstract a set relator in ℘(D1) ↔ ℘(D2):
  (R) ≝ {⟨x, y⟩ | ⟨1(x), 2(y)⟩ ∈ R}
  (r) ≝ {⟨X, Y⟩ | ∀x : (X ∈ 1(x)) ⇒ (∃y : Y ∈ 2(y) ∧ ⟨x, y⟩ ∈ r)}
  ⟨℘(D1) ↔ ℘(D2) ⊥ ⊥ ∩⟩ ⟵⟶ ⟨Da1 ↔ Da2 ⊥a ⊥a ∩⟩   (13)
where:
  ⊥a ≝ {⟨1a 2a⟩}
  ⊥a ≝ ⊥a (Da1 ∖ {1a}) (Da2 ∖ {2a})
so that relator preserving set-transformers are approximated by abstract relation preserving abstract transformers:
  ∀F ∈ ℘(D) ⟼ ℘(D) : ∀R ∈ ℘(D) ↔ ℘(D) :
  ∀⟨X, Y⟩ ∈ ℘(D) ℘(D) : ⟨X, Y⟩ ∈ R ⇒ ⟨F(X), F(Y)⟩ ∈ R
  ⇔ ∀⟨x, y⟩ ∈ Da Da : ⟨x, y⟩ ∈ (R) ⇒ ⟨φ(F)(x), φ(F)(y)⟩ ∈ (R)   (14)

Example 2 (Fixpoint inducing) Going on with Ex. 1, ⟨℘(D) ⊑⊥ ⊥⊥ ⊔⊥⟩ is a pre-order so that ⟨DB ⊑B ⊥B ⊔B⟩ is also a pre-order where ⊑B ≝ (⊑⊥), ⊥B ≝ (⊥⊥) and ⊔Bi xi ≝ (⊔⊥i (xi)). By (11), fB ≝ φ(f⊥) is ⊑ -preserving. It has a least fixpoint (unique up to equivalence classes):
  lfpB fB ≝ ⊔Bn∈N fBn(⊥B) = {lfp f}   (15)
□

4.3: Abstraction of a binary relation by a pair of sets

  ⟵⟶ ⟨℘(D1) ℘(D2) ∩ ⟩

4.4: Abstraction of a pair of sets by an abstract pair

In turn a pair ⟨X, Y⟩ ∈ ℘(D1) ℘(D2) of sets can be approximated by a pair of corresponding abstract values:
  (⟨X, Y⟩) ≝ ⟨1(X), 2(Y)⟩
  (⟨x, y⟩) ≝ ⟨1(x), 2(y)⟩
  ⟨℘(D1) ℘(D2) ∩ ⟩ ⟵⟶ ⟨Da a a a a ∩a⟩   (17)
where ≝ , ≝ ⟨ ⟩, ≝ ⟨D1 D2⟩, ≝ and ∩ ≝ ∩ ∩.

  ⟨℘(P) D ∩⟩ ⟵⟶P ⟨℘(D) D ∩⟩
In practice a coding of ℘(P) by an -isomorphic set may be used.

6: Reduction of an abstraction

If i is not surjective in (3), then there exist different abstract values x ∈ Dai and y ∈ Dai with the same meaning i(x) = i(y). Hence one of them can be eliminated from Dai without loss of expressiveness of the abstract interpretation, since (3) implies:
  ⟨℘(Di) i Di ∩⟩ ⟵↠ ⟨ℜ(Dai) ia i i(ia) ia ia X. i i(∩ia X)⟩ i   (18)
where
cates that i is surjective. For example, two abstract interpretations where i( ) = , i = 1, 2, can be extended to pairs with (⟨x, y⟩) = 1(x) ∩ 2(y), in which case all pairs with an empty component denote the empty set and can be eliminated in favor of ⟨ ⟩. Our later examples are (implicitly) reduced.

7: Completions of lattices of properties

We now recall the disjunctive completion of a lattice of properties, a technique we introduced in [16] to prove that merge-over-paths (MOP) dataflow analyses can be equivalently expressed in fixpoint form. More generally, we consider the complete lattice of completions of the lattice of properties and exhibit a few interesting members which we present in various equivalent forms. Concrete and abstract properties are assumed to correspond, as follows:
  ⟨℘(D) D ∩⟩   (19)