Fixpoint Computations

Very often, the objects of interest are the result of a fixpoint computation, namely they are (usually the least or the greatest) fixpoints of some functions. For instance, this is the case for many formulations of programs semantics. Not all functions admit fixpoints: some as- sumptions are needed in order to apply one of the fixpoint theorems presented in Subsec- tion2.1.5. In the rest of the thesis we assume to deal with objects computable by means of functions which admit a fixpoint. Indeed, we only deal with objects which are constructive, as explained in the following definition.

A mathematical object is said to be constructive, i.e. expressible in fixpoint form, if there exists a computational fixpoint definition3_{, computing it.}

Definition 5(Computational Fixpoint Definition). hF, D, ⊥pi is a computational fixpoint defini-

tion when D = hD, ≤, ∨i is a POSET with partial least upper bound operator ∨ ∈ ℘(D) ,−→ D, F ∈ D −→ D is ≤-monotone, ⊥p is a pre-fixpoint of F and F is ∨-iteratable on ⊥p. The object computed is lfp≤

⊥pF ∈ D. Remark. lfp≤

⊥pF always exists, applying Theorem3. We can use this latter even if D is not a

CPO, since F is supposed to be ∨-iteratable and hence the least upper bound of its iterates does exist.

Then an object D is constructive when there exists a computational fixpoint definition hF , D, ⊥pi, with D = hD, ≤, ∨i, such that D = lfp≤

⊥pF . By definition, lfp ≤

⊥pF is the limit of

the increasing iterates of F starting from ⊥p, namely lfp≤ ⊥pF = F

λ_{, for a limit ordinal λ (see} Definition4).

Remark. Usually, D is at least a CPO (in this case monotonicity implies that F is iteratable),

nevertheless, the least upper bound needs to be defined for the iterates of F, not for every directed subset of D. If D is a CPO, the pre-fixpoint is usually chosen to be the minimum.

In abstract interpretation, we assume that a concrete object C ∈ O is computed by means of a computational fixpoint definition hF, O, ⊥i, with O = hO, v, ti. In particular C is the v-least fixpoint of F greater than ⊥ and it is computed as C =F

n<λF

n_{(⊥). Similarly, we} assume that an abstract object A ∈ O]_{is computed by means of a computational fixpoint}

definition hF]

, O]_{, ⊥}]

i, with O] _{= hO}]_{, v}]_{, t}]_{i. In particular A is the v}]_{-least fixpoint of F}]

greater than ⊥]_{and it is computed as A =}F]

n<δF

]n_(⊥]_{). These domains are called computa-} tional domains since they are useful for computing objects. Usually, v is called computational

order and v]_{is called abstract computational order. These latter may, or may not, be equal}

to the approximation orders. In the following, for simplicity of exposure, we assume that computational and approximation orders coincide, hence we let 4 be equal to v and 4]_be

equal to v]_{. We wanted to explicit this difference here because, in some cases, as we will see}

in some chapters, the domain of computation is different from the one in which we compare objects w.r.t. precision.

The abstract interpretation framework allows us to systematically derive the abstract op- erator F]_{, computing A, starting from the definition of the concrete operator F , computing}

C, such that A is correct approximation of C. We can do the same also when we have com- putations involving fixpoints exploiting approximation and transfer theorems. In the fol- lowing theorems let hF, O, ⊥i, with O = hO, v, ti, and hF]

, O]_{, ⊥}]

i, with O] _{= hO}]_{, v}]_{, t}]_i,

be concrete and abstract computational fixpoint definitions.

M. Pasqua 2.2. Abstract Interpretation

Theorem 4(Kleenian Fixpoint Approximation). Assume that the strict Scott-continuous func-

tion α ∈ O −→ O] _{is such that for every pre-fixpoint C ∈ O there exists C}0 _{v C such that} α(F (C)) v]_F]_(α(C0_{)). Then α(lfp}v

⊥F ) v ]_lfpv]

⊥]F

]_.

Theorem 5(Tarskian Fixpoint Approximation). Suppose that hO, v, t, u, ⊥, >i and hO]_{, v}]

, t]_{, u}]_{, ⊥}]_{, >}]_{i are complete lattices. Assume that the monotone function α ∈ O −→ O}]_{is such that} for every post-fixpoint A] _{∈ O}]_{there exists a post-fixpoint C ∈ O such that α(C) v}] _A]_{. Then}

α(lfpv ⊥F ) v

]_lfpv]

⊥]F

]_.

The first theorem relies on the fact that, each abstract iteration step F]n_(⊥]_{)is a sound}

approximation of the corresponding concrete iteration step Fn_{(⊥). Passing to the limit,} we obtain that the limit of the abstract iterations chain is a sound approximation of the concrete iteration chain. The second theorem, instead, exploits the fact that lfpv

⊥F is the

smallest post-fixpoint and the fact that a post-fixpoint of a sound abstract function is a sound approximation of a post-fixpoint of the concrete function.

When we require exactness, in this cases backward completeness, we can use the follow- ing transfer theorems.

Theorem 6(Kleenian Fixpoint Tranfser). Assume that the strict Scott-continuous function α ∈ O −→ O]_{satisfies the commutation condition F}]_{◦ α = α ◦ F . Then we have α(lfp}v

⊥F ) = lfp v]

⊥]F

]_.

Theorem 7(Tarskian Fixpoint Transfer). Assume hO, v, t, u, ⊥, >i and hO]_{, v}]_{, t}]_{, u}]_{, ⊥}]_{, >}]_i complete lattices. Assume that the co-additive function α ∈ O −→ O]_{satisfies the commutation}

inequality F]_{◦ α v}]_{α ◦ Fand that for each post-fixpoint A ∈ O}]_{there exists a post-fixpoint C ∈ O} such that α(C) = A. Then α(lfpv

⊥F ) = lfp v]

⊥]F

]_.

In Theorems4 and6Scott-continuity is a too strong hypothesis, since in the proof of [Cousot,2002] the author only uses the fact that α preserves the lub of the iterates of F starting from ⊥.

2.2.2.1 Fixpoint Extrapolation

Even if a fixpoint of a function exists, it is not always the case that the iteration sequence computing it converges in finite time. Indeed, Theorem3guarantees that lfpv

⊥F = F

λ_{, for a} limit ordinal λ, but this latter could be transfinite. Note that in the concrete case we have that the computation does not converge in finite time, this is why we need to move to the abstract domain. Nevertheless, we can have infinite computations also in the abstract domain, for instance when this latter has infinite ascending chains. Indeed, we seek an abstract element such that lfpv]

⊥]F

] _{= F}]β_{, with β < ω, meaning that lfp}v]

⊥]F

] ₌F]

n<mF

]n_(⊥)

, with m ∈ N. We have that the iteration reaches the fixpoint in finite time when O] _{is finite or when it}

satisfies the ACC condition. When this is not the case, a classic example is the intervals domain, we need an extrapolation operator forcing convergence (and so termination).

Widening. A widening is a binary operator used to enforce or accelerate the convergence of increasing iteration sequences over abstract domains with infinite or finite but too long ascending chains. Let hX, ≤i a POSET, a widening O ∈ X × X −→ X is an operator satisfying two constraints. First, it must compute upper bounds, namely for every x, y ∈ X we must have that x ≤ x O y and y ≤ x O y. Second, for every increasing chain x0 ≤ x1 ≤ . . . ≤

18 18

Chapter 2. Mathematical Background M. Pasqua

xn ≤ . . ., the increasing chain y0, x0 ≤ y1, y0O x1≤ . . . yn , yn−1O xn ≤ . . . stabilizes in a finite number of steps, that is ∃k ∈ N . yk = yk−1. Basically, if xi are the iterates of the abstract funtion f in the abstract domain, the widening uses two consecutive iterates yi and f (yi)in order to obtain the next iteration yi+1. In this way, the widening computes in finite time a post-fixpoint of the abstract function and, in turn, an approximation of the least fixpoint of the concrete function.