Concrete and Abstract Objects

In the most general sense, abstract interpretation is a theory for the approximation of math- ematical objects, whatever these objects refer to. Indeed, abstract interpretation is not fo- cused on the meaning of these objects but in the relation between concrete and abstract, i.e. approximated, elements. The goal of abstract interpretation is to give the formal means for relating mathematical objects at different levels of abstraction, potentially transferring the computations from the concrete level to the abstract one.

The concrete objects domain O describes the elements of interest. For instance, sets of numbers, functions, collecting semantics of programs, etc. The goal of abstract interpre- tation is to approximate concrete objects with abstract ones, chosen in an abstract objects domain O]_{. In other words, the intention of an abstract interpretation is to find an abstract}

object A in the abstract domain O]_{which is a correct approximation of the concrete object}

C ∈ O. Concrete and abstract objects came with two relations stating the relative precision between elements: more precise elements (concrete or abstract) carry more information. This means that hO, 4i and hO]

, 4]_{i are POSET and C ∈ O is more precise than C}0 _{∈ O if}

and only if C 4 C0. Analogously, A ∈ O]_{is more precise than A}0 _{∈ O}]

if and only if A 4]_A0_.

Usually, 4 is called approximation order and 4]_{is called abstract approximation order. Cor-}

rectness, more often said soundness, is given by a correctness relation, stating which are the correct approximations of a concrete object. This relation can be defined in a lot of ways, de- pending on the algebraic properties that concrete and abstract domains have (see [Cousot and Cousot,1992] for a detailed explanation). In the following, we assume that the sound-

14 14

Chapter 2. Mathematical Background M. Pasqua

ness relation is given in terms of either a monotonic abstraction function α ∈ O −→ O]_or

a monotonic concretization function γ ∈ O] _{−→ O. This means that α(C) ∈ O}]_{is a correct}

approximation of C ∈ O, or similarly, that A ∈ O]_{is a correct approximation of γ(A) ∈ O.}

The domains are called approximation domains, since they are useful for comparing objects, w.r.t. their precision.

The monotonicity of the abstraction, or the concretization, function preserves the relative precision of objects, namely C 4 C0implies α(C) 4]_α(C0₎

, or A 4]_A0

implies γ(A) 4 γ(A0). Monotonicity is not sufficient to obtain best abstractions. For instance, even if α maps a concrete object to a correct abstract object, it is not guaranteed that this latter is the most precise. We have the best abstraction when the abstraction α is a complete join-morphism or, equivalently, the concretization γ is a complete meet-morphism (assuming that arbitrary join and meet exist). This tantamount to say that α and γ are adjoint functions and hence form a Galois connection. We will deal with Galois connection-based abstract interpretation in a moment.

2.2.1.1 Functions Abstraction

Usually, concrete objects are computed by means of a function on the concrete domain. Hence, once we have abstracted objects, the natural second step is to abstract computations. Indeed, abstract interpretation is motivated by the fact that a concrete function F ∈ O −→ O is not computable (or too expensive in terms of complexity). Hence we seek an abstract function F]_{∈ O}]_{−→ O}]_{which correctly approximates F , and that is computable. As said,}

the abstract function must be sound, namely:

∀C ∈ O . α(F (C)) 4]_F]_{(α(C)) or ∀A ∈ O}]

. F (γ(A)) 4 γ(F]_{(A)) (2.1)}

This means that computing in the abstract always yields less or as much information as computing in the concrete. When the equality is required, namely when we require that the abstract computation does not lose any information w.r.t. the concrete one, we say that F]_{is exact, or more commonly complete. This happens when concrete and abstract functions}

commute, i.e. when α ◦ F = F]_{◦ α or F ◦ γ = γ ◦ F}]_.

2.2.1.2 The Optimal Case of Galois Connections

When the abstraction function preserves existing least upper bounds, i.e. it is additive, there is a unique concretization γ expressing the same soundness relation between concrete and abstract elements: γ , α− _{= λA .b{C ∈ O | α(C) 4}]_{A}. Dually, when the concretization}

function preserves existing greatest lower bounds, i.e. it is co-additive, there is a unique abstraction α expressing the same soundness relation between concrete and abstract ele- ments: α , γ+ _{= λC .}c]

{A ∈ O]

| C 4 γ(A)}. In this case we have that abstraction and concretization are adjoint functions, hence they form a Galois connection:

hO, 4i −−→←−−_αγ hO]

, 4]_i

In a Galois connection setting, soundness can be checked, equivalently, in the concrete or in the abstract, in fact it holds:

∀C ∈ O, A ∈ O]

. α(C) 4]

M. Pasqua 2.2. Abstract Interpretation

In particular we have that α(C) is the best possible abstract element approximating C, namely it is the most precise, w.r.t. 4]_{, correct approximation of C in O}]_.

One of the fundamental aspects of Galois connection-based abstract interpretations is that the majority of the properties of the approximation process are specified only by the (abstract) domain of mathematical objects chosen for representing the objects of interest. A theory of domains for abstract interpretation was defined in [Cousot and Cousot,1977; Cousot and Cousot,1979b] based on the notion of Galois connection.

In a Galois connection setting we can exploit nice algebraic properties. For instance, Equation2.2implies that the two definitions of soundness in Equation2.1are equivalent. Furthermore, given a concrete function F it is always possible to retrieve a sound approxi- mation, which is also the most precise [Cousot and Cousot,1979b]. This latter is called best

correct approximation and it is defined as Fbca_{, α◦F ◦γ. As a consequence, in order to prove} soundness, it is sufficient to prove that F]_{approximates F}bca_{, namely prove that F}bca₄˙]

F]_.

Unfortunately, when we need exact approximations things are more complicated. First, even in a Galois connection setting, an exact abstract function is not guaranteed to exist. Second, the two notions of completeness are not equivalent. Indeed we have:

• backward completeness, when F ◦ γ = γ ◦ F]

• forward completeness, when α ◦ F = F]_{◦ α}

We have this two different notions of completeness, depending on where we compare the concrete and the abstract computations. If we compare the results in the abstract domain, we obtain backward completeness while, if we compare the results in the concrete domain, we obtain forward completeness. An important result is that a function admits a backward, or forward, complete abstraction if and only if its best correct approximation is backward, or forward, complete [Giacobazzi, Ranzato, and Scozzari,2000].

Lattice of Abstract Interpretations. A Galois insertion is a Galois connection where α◦γ = λA . A(i.e. it is the identity function on O]_{). It is not restrictive to reason with insertions}

instead of connections, since any Galois connection can be reduced to a Galois insertion, eliminating the redundant elements. Often it is convenient to consider domains indepen- dently from the representation of their objects. In this case they are specified by means of upper closure operators. As we have already seen, an upper closure operator is com- pletely described by the set of its fixpoints ρ(O) = {C ∈ O | C = ρ(C)}. Every Galois insertion (O, α, γ, O]_{), and so every abstract domain of O, is uniquely identifiable with an}

upper closure operator γ ◦ α on O. The converse also holds, namely every upper closure operator ρ induces a Galois insertion (O, ρ, id, ρ(O)). So there is a one-to-one correspon- dence between upper closure operators and abstract domains defined by Galois insertions. If hO, v, t, u, ⊥, >i is a complete lattice then huco(O), ˙v, ˙t, ˙u, λC . C, λC . >i, where uco(O) denotes the set of all upper closure operators on O, is the lattice of abstract interpretations of O. This is the complete lattice of all possible abstract domains of O. The partial order ˙v is used to compare domains: ρ1is more precise than ρ2if and only if ρ1 v ρ˙ 2, namely if and only if ρ2(O) ⊆ ρ1(O).

16 16

Chapter 2. Mathematical Background M. Pasqua