Appendix A

Partially Ordered Sets

Partially ordered sets and complete lattices play a crucial role in program analysis and in this appendix we shall summarise some of their properties. We review the basic approaches for how to construct complete lattices from other complete lattices and state the central properties of partially ordered sets satisfying the Ascending Chain and Descending Chain Conditions. We then review the classical results about least and greatest fixed points.

A.l Basic Definitions

Partially ordered set. A partial ordering is a relation ~: L x L ---+ { true,fa.lse} that is reflexive (i.e. Vl : l ~ l), transitive (i.e. Vh, l2, b : h ~ l2 A l2 ~ l3 ==> h ~ la), and anti-symmetric (i.e. Vh, h : h ~ l2 Ah ~ h ==> h = l2). A partially ordered set (L, ~) is a set L equipped with a partial ordering ~ (sometimes written ~L). We shall write h ;;;;) h for h ~ l2 and h C l2 for h ~ h A h =1- l2. A subset Y of L has l E L as an upper bound if Vl' E Y : l' ~ l and as a lower bound if Vl' E Y : l' ;;;;) l. A least upper bound l of Y is an upper bound of Y that satisfies l ~ lo whenever lo is another upper bound of Y; similarly, a greatest lower bound l of Y is a lower bound of Y that satisfies lo ~ l whenever lo is another lower bound of Y. Note that subsets Y of a partially ordered set L need not have least upper bounds nor greatest lower bounds but when they exist they are unique (since ~ is anti-symmetric) and they are denoted UY and nY, respectively. Sometimes U is called the join operator and n the meet operator and we shan write h u t2 for U{h, t2} and similarly h n b for n{h, b}.

Complete lattice. A complete lattice L = (L, ~) = (L, ~. U, n, _1_, T) is a partially ordered set (L, ~) such that all subsets have least upper bounds 394 A Partially Ordered Sets

{2,3} {3}

{3} {2,3}

(a)

Figure A.l: Two complete lattices. as well as greatest lower bounds. Furthermore, _l = U0 = nL is the least element and T = n0 = U L is the greatest element.

Example A.l If L = (P(S), ~)for some set S then ~ is ~ and UY = UY, nY = nY, j_ = 0 and T = s. If L = (P(S), 2) then ~ is 2 and UY = nY, nY = UY, j_ = s and T = 0. Hence (P(S), ~) as well as (P(S), 2) are complete lattices. In the case where S = {1, 2, 3} the two complete lattices are shown on Figure A.l; these draw• ings are often called Hasse diagrams. Here a line "going upwards" from some h to some l2 means that h ~ l2; we do not draw lines that follow from reflexivity or transitivity of the partial ordering. •

Lemma A.2 For a partially ordered set L = (L, ~) the claims

(i) L is a complete lattice,

(ii) every subset of L has a least upper bound, and

(iii) every subset of L has a greatest lower bound are equivalent. • Proof Clearly (i) implies (ii) and (iii). To show that (ii) implies (i) let Y ~ L and define

(A.l)

and let us prove that this indeed defines a greatest lower bound. All the elements of the set on the right hand side of (A.l) are lower bounds of Y so clearly (A.l) defines a lower bound of Y. Since any lower bound of Y will be in the set it follows that (A.l) defines the greatest lower bound of Y. Thus (i) holds. A.l Basic Definitions 395

To show that (iii) implies (i) we define UY = n{l E L 1 Vl' E y : l' ~ l}. Arguments analogous to those above show that this defines a least upper bound and that (i) holds. •

Moore family. A Moore family is a subset Y of a complete lattice L = (L, ~) that is closed under greatest lower bounds: VY' ~ Y: nY' E Y. It follows that a Moore family always contains a least element, nY, and a greatest element, n0, which equals the greatest element, T, from L; in particular, a Moore family is never empty.

Example A.3 Consider the complete lattice (P(S), ~)of Figure A.l (a). The subsets

{{2}, {1, 2}, {2, 3}, {1, 2, 3}} and {0, {1, 2, 3}} are both Moore families, whereas neither of

{ {1 }, {2}} and {0, {1 }, {2}, {1, 2}} are. •

Properties of functions. A function f : L1 ~ L 2 between partially ordered sets L1 = (L1, ~1) and L2 = (L2, ~2) is surjective (or onto or epic) if

and it is injective ( or 1-1 or manie) if

Vl,l' E L1: f(l) = f(l')::::} l = l'

The function f is monotone (or isotone or order-preserving) if

\Il, l' E L1 : l ~1 l' ::::} f(l) ~2 f(l')

It is an additive function (or a join morphism, sometimes called a distributive function) if

and it is called a multiplicative function (ora meet morphism) if

The function f is a completely additive function (or a complete join mor• phism) if for all Y ~ L1: 396 A Partially Ordered Sets and it is completely multiplicative (or a complete meet morphism) if for all Y ~ L1:

f(nlY) = n2{f(l') Il' E Y} whenever nly exists

Clearly U1 Y and n1Y always exist when L1 is a complete lattice; when L2 is not a complete lattice the above statements also require the appropriate least upper bounds and greatest lower bounds to exist in L2 . The function f is affine if for all non-empty Y ~ L1 J(U lY) = u2{f(l') Il' E Y} whenever uly exists (and y-=!= 0) and it is strict if f(l_l) = 1_ 2 ; note that a function is completely additive if and only if it is both affine and strict.

Lemma A.4 If L = (L, !;::;, u, n, 1_, T) and M = (M, !;::;, u, n, 1_, T) are complete lattices and M is finite then the three conditions

(i) 'Y : M --+ L is monotone, (ii) 'Y(T) = T, and

(iii) 1(m1 n m2) = 'Y(ml) n 1(m2) whenever m 1 g m2 1\ m2 g m 1 are jointly equivalent to 'Y : M --+ L being completely multiplicative. •

Proof First note that if 'Y is completely multiplicative then (i), (ii) and (iii) hold. For the converse note that by monotonicity of"'( we have 7(m1nm2) = 1(m1)n"Y(m2) also when m1 [;;:; m2 V m2 [;;:; m1. We then prove by induction on the (finite) cardinality of M' ~ M that: (A.2)

If the cardinality of M' is O then (A.2) follows from (ii). If the cardinality of M' is larger than O then we write M' = M" U {m"} where m" f:_ M"; this ensures that the cardinality of M" is strictly less than that of M'; hen ce: "Y((IlM") n m") "Y(I-IM") n 1(m")

(1-1 {"Y(m) 1 m E M"}) n "Y(m")

1-lh(m) 1 m E M'} This proves the result. •

Lemma A.5 A function f : (P(D), ~) --+ (P(E), ~) is affine if and only if there exists a function 'P : D --+ P(E) and an element 'P0 E P(E) such that

f(Y) = U{'P(d) 1 dE Y} U 'P0 The function f is completely additive if and only if additionally 'P0 = 0. • A.2 Construction of Complete Lattices 397

Proof Suppose that f is of the form displayed and let Y be a non-empty set; Then

UU(Y) 1 y E Y} u{u{'P(d) 1 dE Y} U 'P0 1 Y E Y}

U{U{'P(d) 1 dE Y} 1 Y E Y} U 'P0

u{'P(d) 1 dE uY} u 'P0

f(UY) showing that f is affine. Next suppose that fis affine and define 'P(d) = f({d}) and 'P0 = !(0). For

Y E P(D) let Y = {{d} 1 dE Y} U {0} and note that Y = UY and Y =10. Then

J(Y) J(UY)

u({f({d}) 1 dE Y} U {!(0)})

u({'P(d)) 1 dE Y} U {'P0})

u{'P(d) 1 dE Y} U 'P0 so f can be written in the required form. The additional statement about com• pletely additivity is straightforward. •

An isomorphism from a partially ordered set (L1, ~1) to a partially ordered set (L2, ~ 2 ) is a monotone function (} : L1 -t L2 such that there exists a (necessarily unique) monotone function o- 1 : L2 -t L1 with (}o o- 1 = id2 and o- 1 o(}= id1 (where idi is the identity function over Li, i = 1, 2).

A.2 Construction of Complete Lattices

Complete lattices can be combined to construct new complete lattices. We shall first see how to construct products and then two kinds of function spaces.

Cartesian product. Let L1 = (L1. ~1) and L2 = (L2, ~2) be partially ordered sets. Define L = (L, ~) by

and (ln, l21) ~ (h2, l22) iff ln ~1 h2 1\ h1 ~2 b It is then straightforward to verify that L is a partially ordered set. If ad• ditionally each Li = (Li, ~i, Ui, ni, .li, Ti) is a complete lattice then so is L = (L, ~, U,n, .l, T) and furthermore 398 A Partially Ordered Sets and ..l = (..l1, ..l2) and similarly for nY and T. We often write L1 x L2 for L and call it the cartesian product of L1 and L2 . A variant of the cartesian product called the smash product is obtained if we require that all the pairs (h, b) of the lattice satisfy h = ..l1 {:} l2 = ..l2.

Total function space. Let L1 = (L1 , ~ 1 ) be a partially ordered set and let S bea set. Define L = (L, ~) by

L = {! : S ---t L1 1 f is a total function} and f ~ !' iff Vs E S: f(s) ~1 /'(s) It is then straightforward to verify that L is a partially ordered set. If additionally L1 = (L1, ~ 1, U1, n 1, ..l1, T 1) is a complete lattice then so is L = (L, ~. U, n, ..l, T) and furthermore

UY = .>.s.Ul{J(s) 1 f E Y} and ..l = .>.s ...l1 and similarly for nY and T. We often write S ---t L1 for L and call it the total function space from S to L1.

Monotone function space. Again let L1 = (L1, ~ 1 ) and L 2 (L2, ~2) be partially ordered sets. Now define L = (L, ~) by

L = {f : L1 ---t L2 1 f is a monotone function} and f ~ f' iff Vh E L1: /(h) ~2 J'(h) It is then straightforward to verify that L is a partially ordered set. If ad• ditionally each Li = (Li, ~i, Ui, ni, ..li, Ti) is a complete lattice then so is L = (L, ~. U,n, ..l, T) and furthermore

UY = .Xh.Ud!(h) 1f E Y} and ..l = .Xh ...l2 and similarly for nY and T. We often write L1 ---t L2 for L and call it the monotone function space from L1 to L2.

A.3 Chains

The ordering ~ on a complete lattice L = (L, ~) expresses when one prop• erty is better (or more precise) than another property. When performing a program analysis we will typically construct a sequence of elements in L and it is the general properties of such sequences that we shall study now. In the next section we will be more explicit and consider the sequences obtained during a fixed point computation. A.3 Chains 399

Chains. A subset Y <;;; L of a partially ordered set L = (L, [;;;) is a chain if Vh, b E Y: (h [;;; b) V (l2 [;;; h) Thus a chain is a (possibly empty) subset of L that is totally ordered. We shall say that it is a finite chain if it is a finite subset of L. A sequence (ln)n = (ln)nEN of elements in L is an ascending chain if

Writing (ln)n also for {ln 1 nE N} it is clear that an ascending chain also is a chain. Similarly, a sequence (ln)n is a descending chain if

and clearly a descending chain is also a chain. We shall say that a sequence (ln)n eventually stabilises if and only if

3no E N : Vn E N : n ~ no =} ln = ln 0

For the sequence (ln)n we write Un ln for U{ln 1 n E N} and similarly we write nnln for n{tn 1 nE N}. Ascending Chain and Descending Chain Conditions. We shall say that a partially ordered set L = (L, [;;;) has finite height if and only if all chains are finite. It has finite height at most h if all chains contain at most h + 1 elements; it has finite height h if additionally there is a chain with h + 1 elements. The partially ordered set L satisfies the Ascending Chain Condition if and only if all ascending chains eventually stabilise. Similarly, it satisfies the Descending Chain Condition if and only if all descending chains eventually stabilise. These concepts are related as follows:

Lemma A.6 A partially ordered set L = (L, [;;;) has finite height if and only if it satisfies both the Ascending and Descending Chain Conditions. •

Proof First assume that L has finite height. If (ln)n is an ascending chain then it must be a finite chain and hence eventually stabilise; thus L satisfies the Ascending Chain Condition. In a similar way it is shown that L satisfies the Descending Chain Condition. Next assume that L satisfies the Ascending Chain Condition as well as the Descend• ing Chain Condition and consider a chain Y ~ L. We shall prove that Y is a finite chain. This is obvious if Y is empty so assume that it is not. Then also (Y, !;;;;) is a non-empty partially ordered set satisfying the Ascending and Descending Chain Conditions. As an auxiliary result we shall now show that

each non-empty subset Y' of Y contains a least element (A.3) 400 A Partially Ordered Sets

• o 1• 00 • -1

• -2 • 2 • 1 1._00 • o

(a) (b)

Figure A.2: Two partially ordered sets.

To see this we shall construct a descending chain (l~)n in Y' as follows: first let l~ be an arbitrary element of Y'. For the inductive step let l~+ 1 = l~ if l~ is the least element of Y'; otherwise we can find l~+ 1 E Y' such that l~+ 1 !;;; l~ 1\ l~+ 1 "Il~. Clearly (l~)n is a descending chain in Y; since Y satisfies the Descending Chain Condition the chain will eventually stabilise, i.e. 3n~ : Vn ~ n~ : l~ = l~, and the o construction is such that l~, is the least element of Y'. o Returning to the main proof obligation we shall now construct an ascending chain (ln)n in Y. Using (A.3) each ln is chosen as the least element of the set Y \ {lo, · · ·, ln-1} as long as the latter set is non-empty, and this yields ln-1 !;;; ln 1\ ln-1 "lln; when Y \ {lo, · · ·, ln-1} is empty we set ln = ln-1, and since Y is non• empty we know that n > O. Thus we have an ascending chain in Y and using the

Ascending Chain Condition we have 3no : \In ~ no : ln = ln 0 • But this means that

Y \ {lo, · · ·, ln0 } = 0 since this is the only way we can achieve that lno+1 = ln 0 • It follows that Y is finite. •

Example A. 7 The partially ordered set of Figure A.2 (a) satisfies the Ascending Chain Condition but does not have finite height; the partially ordered set of Figure A.2 (b) satisfies the Descending Chain Condition but does not have finite height. •

One can show that each of the three conditions finite height, ascending chain, and descending chain, is preserved under the construction of cartesian prod• uct: if L1 and L2 satisfies one of the conditions then L1 x L2 will also satisfy that condition. The construction of total function spaces S --+ L only pre• serves the conditions of L if S is finite and the construction of monotone function spaces L1 --+ L2 does not in general preserve the conditions. An alternative characterisation of complete lattices satisfying the Ascending Chain Condition is given by the following result: A.3 Chains 401

Lemma A.8 For a partially ordered set L = (L, ~) the conditions

(i) L is a complete lattice satisfying the Ascending Chain Condition, and (ii) L has a least element, .l, and binary least upper bounds and satisfies the Ascending Chain Condition are equivalent. • Proof It is immediate that (i) implies (ii) so let us prove that (ii) implies (i). Using Lemma A.2 it suffices to prove that all subsets Y of L have a least upper bound UY. If Y is empty clearly UY = .l. If Y is finite and non-empty then we can write Y = {y1, · · ·, Yn} for n ~ 1 and it follows that UY = (· · · (y1 Uy2) U · · ·) Uyn. If Y is infinite then we construct a sequence (ln)n of elements of L: let la be an arbitrary element yo of Y and given ln take ln+l = ln in the case where Vy E Y : y [;;;; ln and take ln+l = ln U Yn+l in the case where some Yn+l E Y satisfies Yn+l lb ln. Clearly this sequence is an ascending chain. Since L satisfies the Ascending Chain Condition it follows that the chain eventually stabilises, i.e. there exists n such that ln = ln+l = · · ·. This means that Vy E Y : y [;;;; ln because if y lb ln then ln =1- ln U y and we have a contradiction. So we have constructed an upper bound for Y. Sin ce it is actually the least upper bound of the subset {yo, · · ·, Yn} of Y it follows that it is also the least upper bound of Y. •

A related result is the following:

Lemma A.9 For a complete lattice L = (L, ~) satisfying the Ascending Chain Condition and a total function f : L ---t L, the conditions

(i) fis additive, i.e. Vh, 12 : /(h U 12) = f(h) U J(l2), and

(ii) f is affine, i.e. VY ~ L, Y =1- 0 : /(U Y) = U{!(l) Il E Y} are equivalent and in both cases f is a monotone function. • Proof It is immediate that (ii) implies (i): take Y = {h, b}. It is also immediate that (i) implies that f is monotone since h [;;;; l2 is equivalent to h U l2 = l2. Next suppose that f satisfies (i) and let us prove (ii). If Y is finite we can write Y = {y1, · · · , Yn} for n ~ 1 and

f(U Y) = f(Yl u ... u Yn) = f(y!) u ... u f(yn) [;;;; UU(l) Il E Y}

If Y is infinite then the construction of the proof of Lemma A.8 gives UY = ln and ln = Yn U · · · Uyo for some Yi E Y and O::::; i::::; n. We then have

f(U Y) = f(ln) = f(yn u · · · u Yo) = f(yn) u · · · u f(yo) [;;;; UU(l) Il E Y} Furthermore f(u Y) ;;;) uu(l) Il E Y} follows from the monotonicity of f. This completes the proof. • 402 A Partially Ordered Sets

A.4 Fixed Points

Reductive and extensive functions. Consider a monotone func• tion f : L--+ L on a complete lattice L = (L, ~' U, n, .l, T). A fixed point of f is an element l E L such that f(l) = l and we write

Fix(!)= {li f(l) = l} for the set of fixed points. The function f is reductive at l if and only if f(l) ~ l and we write

Red(f) = {l 1 f(l) ~ l} for the set of elements upon which f is reductive; we shall say that f itself is reductive if Red(f) = L. Similarly, the function f is extensive at l if and only if f(l) ;;::1 l and we write

Ext(f) ={li f(l) ;;::1 l} for the set of elements upon which f is extensive; we shall say that f itself is extensive if Ext(f) = L. Since L is a complete lattice it is always the case that the set Fix(!) will have a greatest lower bound in L and we denote it by lfp(f):

lfp(f) = nFix(!) Similarly, the set Fix(!) will have a least upper bound in L and we denote it by gfp(f): gfp(f) = U Fix(!)

We then have the following result, known as Tarski's Fixed Point Theorem, showing that lfp(f) is the least fixed point of f and that gfp(f) is the greatest fixed point of f:

Proposition A.lO Let L = (L, ~' U,n, .l, T) bea complete lattice. If f: L--+ Lis a monotone function then lfp(f) and gfp(f) satisfy:

lfp(f) nRed(f) E Fix(!) gfp(f) UExt(f) E Fix(!)

Proof To prove the claim for Jfp(f) we detine lo = nRed(f). We shall first show that f(lo) [;;; lo so that lo E Red(f). Since l0 [;;; l for ali l E Red(f) and f is monotone we have f(lo) [;;; f(l) [;;; l for alll E Red(f) A.4 Fixed Points 403

T

r(T) Red(f)- - - - • nnr(T)

gfp(f)

lfp(f)

Un rCl) Ext(f) - - - - - ...... - r(l-)

l_

Figure A.3: Fixed points of f. and hence f(lo) r;;;; lo. To prove that lo r;;;; f(lo) we observe that f(f(lo)) r;;;; f(lo) showing that f(lo) E Red(f) and hence lo r;;;; f(lo) by definition of lo. Together this shows that lo is a fixed point of f so lo E Fix(!). To see that lo is least in Fix(!) simply note that Fix(!) t;;; Red(f). It follows that lfp(f) = lo. The claim for gfp(f) is proved in a similar way. • In denotational semantics it is customary to iterate to the least fixed point by taking the least upper bound of the sequence (fn ( l_)) n. However, we have not imposed any continuity requirements on f (e.g. that f (Un ln) = Un (f (ln)) for all ascending chains (ln)n) and consequently we cannot be sure to actually reach the fixed point. In a similar way one could consider the greatest lower bound of the sequence (r(T))n· One can show that

l_ ~ r(l_) ~ Unr(l_) c:: lfp(f)

C:: gfp(f) ~ nnf~(T) ~ r(T) ~ T

as is illustrated in Figure A.3; indeed all inequalities (i.e. ~) can be strict (i.e. c::). However, if L satisfies the Ascending Chain Condition then there exists n such that r ( l_) = r+ 1 ( l_) and hence lfp(f) = r ( l_). (Indeed any monotone function f over a partially ordered set satisfying the Ascending Chain Condition is also continuous.) Similarly, if L satisfies the Descending Chain Condition then there exists n such that r(T) = r+1 (T) and hence gfp(f) = r(T). 404 A Partially Ordered Sets

Remark (for readers familiar with ordinal numbers). It is possible always to obtain lfp(f) as the limit of an ascending (transfinite) sequence but one may have to iterate through the ordinals. To this effect define Ji"' E L for an ordinal K, by the equation

and note that for a natural number n we have Jln = r+l(..L). Then lfp(f) = Ji"' whenever K, is a cardinal number strictly greater than the cardinality of L, e.g. K, may be taken tobe the cardinality of P(L). A similar construction allows to obtain gfp(f) as the limit of a descending (transfinite) chain. •

Concluding Remarks

For more information on partially ordered sets consult a text book (e.g. [43]). Appendix B

Ind uction and Coind uction

We begin by reviewing a number of techniques for conducting inductive proofs. We then motivate the concept of coinduction and finally formulate a general proof principle for coinduction. This makes heavy use of Tarski's Fixed Point Theorem (Proposition A.10).

B.l Proof by Induction

Mathematical induction. Perhaps the best known induction princi• ple is that of mathematical induction. To prove that a property, Q(n), holds for all natural numbers, n, we establish Q(O) 't:/n: Q(n) =? Q(n + 1) and conclude 't:/n: Q(n) Formally, the correctness of mathematical induction can be related to the fact that each natural number is either O or the successor, n + 1, of some other natural number, n. Thus the proof principle reftects the way the natural numbers are constructed.

Structural induction. Mathematical induction allows us to perform induction on the size of any structure for which a notion of size can be defined; this is just a mapping from the structure into the natural numbers. As an example consider an algebraic data type given by

dED

d ::= Base 1 Con1(d) 1 Con2(d, d) 406 B Induction and Coinduction where Base is a base case, Con 1 is a unary constructor and Con 2 is a binary constructor. To prove that a certain property, Q(d), holds for all elements, d, of D we can define a size measure: size(Base) o size( Con 1 (d)) 1 + size(d) size(Con2(d1, d2)) 1 + size( d1) + size( d2) and then proceed by mathematical induction on size(d) to prove Q(d). Alternatively we can conceal the mathematical induction within a principle of structural induction: we must then show Q(Base) \:/d: Q(d) =:;. Q(Con1(d))

\:/d1, d2: Q(dl) A Q(d2) ==? Q(Con2(d1, d2)) from which we conclude \:/d: Q(d) Once again the proof principle reflects the way the data are constructed. lnduction on the shape. Now suppose that Base represents O, that Con 1(d) represents d + 1, and that Con2(d1,d2) represents d1 + d2. We can then define a Natur al Semantics

d-+n for evaluating d into the number, n, it represents:

[base] Base-+ O

Con1(d)-+ n+ 1 d1 -+ n1 d2 -+ n2 Con2(d1, d2)-+ n1 + n2

This defines a notion of evaluation trees, d ~ n: there is one base case ([base]) and two constructors ([con!] and [con2]). Again we can perform induction on the size of the evaluation trees but as above it is helpful to conceal the mathematical induction within a principle of induction on the shape of inference trees: we must show

Q(Base-+ O)

V V d-+nV ) \:/(d-+ n): Q(d-+ n) =:;. Q ( Con1(d)-+n + 1 B.2 Introducing Coinduction 407

from which we conclude V(d .:S n) : Q(d .:S n) As is tobe expected, the proof principle once again reflects the way evaluation trees are constructed.

Course of values induction. All of the above induction principles have been constructive in the sense that we establish a predicate for the base cases and then show that it is maintained by all constructors. A variant of mathematical induction with a different flavour requires proving

Vn: (Vm < n: Q(m)) ==} Q(n) from which we conclude Vn: Q(n) Here the base case is dealt with in the same manner as the induction step. This induction principle is called course of values induction.

Well-founded induction. Course of values induction is an instance of a very powerful induction principle called well-founded induction. Given a partially ordered set (D, :::5), the partial ordering is a well-founded ordering if there is no infinite decreasing sequence dl >- d2 >- d3 >- ... where d >- d' means d' :::5 d 1\ d -::f d' - this amounts to the Descending Chain Condition studied in Appendix A. The principle of well-founded induction then says: if we show Vd: (Vd' -< d: Q(d')) '* Q(d) we may then conclude Vd: Q(d) (The proof of correctness of this principle is along the lines of the proof of (A.3) in Lemma A.6 and can be found also in the literature referenced below.)

B.2 Introducing Coind uction

To explain the difference between induction and coinduction, and to motivate the need for coinductive methods, let us consider a small example. Consider the program 408 B Induction and Coinduction

if /(27, m) then "something good" else "something bad" where f is a function from pairs of natural numbers (i.e. pairs of non-negative integers) to truth values. We want to ensure that the program never undertakes to do "something bad" . Since the value of m is not known it is not feasible to prove that /(27, m) #-false by merely evaluating /(27, m); we therefore need to perform some kind of proof. For this it is natural to define the predicate Qf as follows

Qt(n) iff Vm : f(n, m) #-false where it is implicit that m, n 2: O. Perhaps the most obvious approach is to use mathematical induction to prove 't:/n: Qt(n). This amounts to proving

Qt(O)

't:/n: Qt(n) =} Qt(n + 1) and then concluding 't:/n: Qt(n) from which the desired Qt(27) follows. An alternative presentation of essentially the same idea is to establish the validity of the axiom and rule

and then deduce that 't:/n: Qt(n) Here the basic steps in the mathematical induction have been couched in terms of an inductive definition of the predicate Qf. The approach outlined above works nicely for the function fo defined by

fo(O,m) true fo(n + l,m) fo(n,m) but what about the functions Il, h and /3 defined by !l(O,m) !l(O,m) h(O,m) true h(n + l,m) JI(n,m) h(n+ l,m) h(n + l,m)

/3(0,m) h(O,m) h(n + l,m) h(n+ l,m) B.2 Introducing Coinduction 409 where fi(27, m) never terminates? Intuitively, they should be acceptable in the sense that "something bad" never happens. However, we cannot prove this by induction because we cannot establish the base case (for fi and h) and/or we cannot establish the inductive step (for h and h). An intuitive argument for why fi is acceptable might go as follows: assume that all occurrences of fi on the right hand sides of the above definitions satisfy Qi; then it follows that also the fi on the left hand side does. Hence fi satisfies Qi, i.e. 'Vn : Qi(n). This sounds very dangerous: we assume the desired result in order to prove it. However, with due care and given the proper definition of Qi, this is a valid proof: it is a coinductive proof.

Obtaining a functional. Let us rewrite the defining clauses of fi into clauses for Qi so as to clarify the relationship between when Qi holds on the left hand si de and on the right hand si de of the definitions of fi:

Q0 (0) iff true Ql (O) iff Ql (O) Qo(n + 1) iff Qo(n) Q1(n + 1) iff Q1(n) (B.1) Q2(0) iff true Q3(0) iff Q3(0) Q2(n + 1) iff Q2(n + 1) Q3(n + 1) iff Q3(n + 1)

Here the clauses for Q0 look just like our principle for mathematical induction whereas the others involve some amount of circularity. To make this evident let us rewrite the above as Qi = Qi(Qi) (B.2) where Qo(Q')(O) true Ql(Q')(O) Q'(O) Qo(Q')(n + 1) Q'(n) Ql(Q')(n + 1) Q'(n) (B.3) Q2(Q')(O) true Q3(Q')(O) Q'(O) Q2(Q')(n + 1) Q'(n + 1) Q3(Q')(n + 1) Q'(n + 1) Clearly Qi satisfies (B.1) if and only if it satisfies (B.2) with Qi as in (B.3). It is immediate that each Qi is a monotone function on the complete lattice

(N -+ { true,false}, [;;;) of predicates where Q1 [;;; Q2 means that 'Vn: Q1 (n) =? Q2(n) and where the least element .1 is given by 'Vn : ..l(n) =false and the greatest element T is given by 'Vn: T(n) = true. Using Tarski's Fixed Point Theorem (Proposition A.10) it follows that each Qi has a least fixed point lfp(Qi) and a greatest fixed fixed point gfp( Qi); these are possibly different predicates in (N -+ { true, false},[;;;). We frequently refer to Qi as a functional by which we mean a function whose argument and result are themselves functions (or that are more elaborate structures containing functions in them). 410 B lnduction and Coinduction

Least fixed point. Let us begin by looking at the least fixed points. It follows from Appendix A that

and given that the clauses for Qo(Q) only use a finite number of Q's on the right hand sides (in fact zero or one), Q0 satisfies a continuity property that ensures that

This is good news because our previous proof by mathematical induction essentially defines the predicate uk Qâ(..l): Qâ(..l)(n) holds if and only if at most k axioms and rules suffice for proving Qo (n). Thus it would seem that a proof by induction "corresponds" to taking the least fixed point of Q0 • N ext let us look at Q3. Here

because Q3(..l) = ..l so that ..l is a fixed point. This explains why we have Jfp(Q3)(27) =false and why an inductive proofwill not work for establishing Q3(27). Somewhat similar arguments can be given for Ql and Q2.

Greatest fixed point. Let us next look at the greatest fixed points. Here

because Q3(T) = T so that T is a fixed point. This explains why we have g.tp(Q3)(27) = true and thus provides a formal underpinning for our belief that h will not cause any harm in the example program. Somewhat similar arguments can be given for Ql and Q2.

Also for Q0 it will be the case that g.tp(Q0 )(27) = true. This is of course not surprising since Jfp(Qo)(27) = true and l.tp(Qo) ~ g.tp(Qo). However, it is more interesting to note that for Q0 there is no difference between the inductive and the coinductive approach (unlike what is the case for Q1, Q2 and Q3): lfp( Qo) = g.tp( Qo) because mathematical induction on n suffices for proving that lfp(Qo)(n) = g.tp( Qo)(n ). Remark. To the mathematically inclined reader we should point out that the fact that l.tp(Q0 ) = g.tp(Q0 ) is related to Banach's Fixed Point Theorem: a contractive operator on a complete metric space has a unique fixed point. Contractiveness of Qo (as opposed to Q1, Q2 and Q3) follows because the clause for Q0 (Q)(n) only performs calls to Q on arguments smaller than n. • B.3 Proof by Coinduction 411

B.3 Proof by Coinduction

Consider once again the algebraic data type

dED

d ::= Base 1 Con1(d) 1 Con2(d, d) with one base case, one unary constructor and one binary constructor. Next consider the definition of a predicate

Q : D --+ { true, false} by means of clauses of the form:

Q(Base) iff Q(Con1 (d)) iff · · · Q(d') · · · Q(Con2(d1, d2)) iff · · · Q(d~) · · · Q(d~) · · ·

We can use this as the hasis for defining a functional Q by cases as in: Q(Q')(Base) Q(Q')(Con1(d)) = ... Q'(d') .. . Q(Q')(Con2(d1, d2)) ... Q'(d~) ... Q'(d~) ...

We note that (D --+ { true,false}, !::;;) is a complete lattice under the ordering given by Q1 !::;; Q2 if and only if \/d: Q1 (d) :::} Q2(d). We also

assume that Q is monotone and this means that e.g. a clause like "Q(Con1(d)) iff •Q(d)" will not be acceptable. From Proposition A.lO it follows that Q has a least as well as a greatest fixed point.

Induction (or least fixed point). Consider first the inductive def• inition:

Q = lfp(Q) (B.4)

This is more commonly written as:

.. ·Q(d') ...... Q(d~) ... Q(d;) ... (B.5) Q(Base) Q(Con1(d)) Q(Con2(d1, d2)) It is often the case that each rule only has a finite number of calls to Q and then the two definitions are equivalent: the predicate in (B.5) amounts 412 B lnduction and Coinduction to uk Qk ( j_) and by a continuity property as discussed above, this agrees with the predicate of (B.4). A proof by induction then simply amounts to establishing the validity of the axioms and rules in (B.5). Such a proof has a very constructive fiavour: we take nothing for granted and only believe what can be demonstrated to hold. This proof strategy is often used to reason about semantics because the semantics of a program should not allow any spurious behaviour that is not forced by the semantics.

Coinduction ( or greatest fixed point). Consider next the coin• ductive definition

Q = gfp(Q)

A proof by coinduction then amounts to using the proof rule

Q' [;;;; Q(Q') ( . Q' [;;;; Q(Q')) Q'[;;;;Q 1.e. Q' [;;;; gfp( Q) as follows from the formula for g.tp(Q) given in Proposition A.lO. So to prove Q( d) o ne needs to

find some Q' such that Q'(d) Vd': Q'(d')::::} Q(Q')(d')

Such a proof has a very optimistic fiavour: we can assume everything we like as long as it cannot be demonstrated that we have violated any facts. It is commonly used for checking that a specification holds because the specifica• tion should not forbid some behaviour unless explicitly called for. It sometimes saves a bit of work to use the derived proof rule

Q' [;;;; Q(QUQ') Q'[;;;;Q

To see that this is a valid proof rule suppose that Q' [;;;; Q(Q U Q'). By definition of Q we also have Q [;;;; Q(Q) and by monotonicity of Q this gives Q [;;;; Q(Q U Q'). Hence QuQ' [;;;; Q(QuQ') and Q U Q' [;;;; Q follows by definition of Q. It is then immediate that Q' [;;;; Q as required. Clearly this explanation can be generalised to algebraic data types with ad• ditional base cases and constructors, and from predicates to relations. B.3 Proof by Coinduction 413

Example B.l Consider the relations

R1 : Du x D12 -t { true, false} R2 : D21 x D22 -t { true, false} defined by: R1 = R1 (R1. R2) R2 = R2(R1, R2) This is intended to define

where R(R~,R~) = (R 1 (R~,R~), R2(R~,R~)) is assumed tobe monotone. Next write R' U R" for the relation defined by

and write R' ~ R" for the truth value defined by:

We then have the following version of the coinduction principle: we establish

R'1 C: R1 (R~, R~) R~ c: R2(R~, R~) and conclude: R~ ~ R1 and R~ ~ R2 By analogy with the previous discussion, it sometimes saves a bit of work only to show

R~ C: R1(R1 U R~, R2 U R~) R~ C: R2(R1 U R~, R2 U R~) because we also have

R1 C: R1(R1, R2) C: R1(R1 U R~, R2 U R~) R2 C: R2(R1,R2) C: R2(R1UR~,R2UR~)

and this allows us to conclude

using the definition of (R1. R2) = gfp(R). • 414 B Induction and Coinduction

Example B.2 For an example of a somewhat different flavour consider the universe {0, 1, 2} 00 = {0, 1, 2}* U {0, 1, 2}w where {0, 1, 2}* consists of finite strings (ai)i=l = a 1 ···an of symbols ai E {0, 1, 2} and where {0, 1, 2}w consists of infinite strings (ai)~ 1 = a1 ···an··· of symbols ai E {0, 1, 2}. Concatenation of strings is defined as follows

ak ifk::;n (ai)i=l (bj)'j=l (c )n+m where Ck = { k k=l bk-n if k > n ak ifk::;n (ai)i=l (bj )'t=l (ck)~l where Ck = { bk-n if k > n (ai)~l (bj)j·~l (ck)~l where Ck = ak

(where · · · denotes "m" or "oo" in the last formula). Next consider a context free grammar with start symbol S and productions:

S--+OI1IOSI1S

It can be rephrased as an inductive definition

xES xES OES 1 E S Ox E S 1x E S for defining a subset S ~ {0, 1, 2} 00 • If an inductive interpretation is taken, as is usually the case for context free grammars, the set S is {0, 1} + that consists of all strings (ai)i=l that are finite and nonempty (so n > O) and without any occurrence of 2's (i.e. ai E {0, 1} ). If a coinductive interpretation is taken the set S becomes {0, 1} + U {0, 1 }w where also all infinite strings of O's and l's occur. To see this note that the empty string cannot be in S because it is not of one of the forms O, 1, Ox or lx. Also note that no string containing 2 can be in S: a string containing 2 can be written a 1 · · · an2x where ai E {0, 1} and we proceed by induction; for n = O the result is immediate (since none of O, 1, Ox or 1x starts with a 2) and for n >O we note that if a1 · · · an2x E S then a2 · · · an2x E S and by the induction hypothesis this cannot be the case. Finally note that there is no way to exclude infinite strings of O's and 1's to be in S because they can always be written in one of the forms Ox or 1x (where x E {0, l}w). Now suppose we add the production

S--+S

corresponding to the rule: xES xES B.3 Proof by Coinduction 415

When interpreted inductively this does not change the set S; it is stiH {0, 1} +. However, when interpreted coinductively the set S changes dramatically; it is now {0, 1, 2} 00 and thus includes the empty string as well as strings containing 2. To see this simply note that any string x in {0, 1, 2} 00 can be written as x = x and hence no string can be excluded from being inS. •

Concluding Remarks

For more information on induction principles consult a text book (e.g. [16]). It is harder to find good introductory material on coinduction; one possibility is to study the work on strong bisimulation in CCS (e.g. Chapter 4 of [106]). Appendix C

Graphs and Regular Expressions

C.l Graphs and Forests

Directed graphs. A directed graph (or digraph) G = (N, A) consists of a finite set N of nodes (or vertices) and a set A ~ N x N of edges (or arcs). An edge ( n1, n2) has source n1 and target n2 and is said to go from n1 to n 2 ; if n1 = n 2 it is a self-loop. We shall sometimes refer to a directed graph simply as a graph. A directed path (or just path) from a node no to a node nm is a sequence of edges (no, n1), (n1,n2), · · ·, (nm-2, nm-1), (nm-1, nm) where the target of the edge (ni-l> ni) equals the source of the edge (ni, ni+t). The path is said to have source no, target nm and length m ~O; if m =O the path is said tobe trivial and then consists of the empty sequence of edges. The concatenation of the path (no, n1), · · ·, (nm-1, nm) with the path (nm, nm+l), · · ·, (nk-1, nk) is the path (no, nt), · · ·, (nk-1, nk)· We say that n' is reachable from n whenever there is a (possibly trivial) directed path from n ton'.

Example C.l Let S bea statement from the WHILE language of Chapter 2. The forward flow graph (Jabels(S), How(S)) and the backward flow graph (labels(S),Ho~(S)) are both directed graphs. Next let Lab bea finite set of labels and F ~ Lab x Lab a flow relation in the manner of Section 2.3. Then G = (Lab, F) is a directed graph. •

Example C.2 Let e* be a program in the FuN language of Chapter 3 and let N* be the finite set of nodes p of the form C(f) or r(x) where .eE Lab* is a labei in the program and x E Var* is a variable in the program. Let C be 418 C Graphs and Regular Expressions

a set of constraints of the form considered in Section 3.4 and let A* contain the edge (PI.P2) for each constraint P1 ~ P2 in C and the edges (p,p2) and (p1,P2) for each constraint {t} ~ p::::} P1 ~ P2 in C. Then G = (N*,A*) is a directed graph. •

In keeping with the notation used in Chapter 2 we shall usually write a path p = (no, nl), (n1, n2), · · ·, (nm-2, nm-d, (nm-1, nm) as the sequence p = [no, n1, n2, · · ·, nm-2, nm-1, nm] of nodes visited. In this notation the sequence of nodes is never empty and the trivial path from no to no is written [no] whereas a self-loop is written [no, no]. The concatenation of the path [no, n1, · · ·, nm-b nm] with the path [nm, nm+l, · · ·, nk-1, nk] is the path [no, n1, · · ·, nk-1, nk] (where nm does not occur twice). We shall define the set of paths from n to n' as follows:

paths.(n, n') = {[no, · · ·, nm] 1 m 2:: O 1\ no = n 1\ nm = n' 1\ Vi< m: (ni,ni+l) EA}

Cycles. A cycle is a non-trivial path from a node to itself (and may take the form of a self-loop); the set of cycles from a node n to itself is defined as follows:

cycles(n) = {[no, · · ·, nm] 1 m 2:: 1 1\ no = n 1\ nm = n 1\ Vi< m: (ni, ni+1) EA} and we observe that cycles(n) = {p E paths.(n, n) 1 p =f [n]}. A cycle p = [n0, n1, · · ·, nm] is multiple entry if it contains two distinct nodes (not merely distinct indices), ni =f nj, such that there are (not necessarily distinct) nodes n~ and nj external to the cycle with (n~, ni), (nj, nj) EA. A graph that contains no cycles (so Vn E N : cycles(n) = 0) is said to be acyclic. A directed, acyclic graph is often called a DAC. A topological sort of a directed graph is a total ordering of the nodes such that if (n, n') is an edge then n is ordered strictly before n'. A directed graph has a topologica! sort if and only if it is acyclic.

Strongly connected components. Two nodes n and n' are said tobe strongly connected whenever there is a (possibly trivial) directed path from n to n' and a (possibly trivial) directed path from n' to n. Defining

se = {(n, n') 1 n and n' are strongly connected} we obtain a binary relation se~ N X N. Fact C.3 se is an equivalence relation. • Proof Reflexivity follows from the fact that there is a trivial path from any node to itself. Symmetry follows immediately from the definition. Transitivity follows C.l Graphs and Forests 419

from observing that if P12 is a path from n1 to n2 and P23 is a path from n2 to n3 then P12P23 is a path from n1 to n3. • The equivalence classes of SC are called the strong components (or strongly connected components) of the graph G = (N, A). A graph is said to be strongly connected whenever it contains exactly one strongly connected com• ponent.

Example C.4 In uniquely labelled statements of the WHILE language of Chapter 2, the nodes corresponding to the outermost loop in any nested sequence of loops would constitute a strongly connected component; this is true for both forward and backward flow graphs. •

The interconnections between strong components can be represented by the reduced graph. Each strongly connected component is represented by a node in the reduced graph and there is an edge from one node to another distinct node if and only if there is an edge from some node in the first strongly connected component to a node in the second in the original graph. Hence, the reduced graph contains no self-loops.

Lemma C.5 For any graph G the reduced graph is a DAG. • Proof Suppose, by way of contradiction, that the reduced graph contains a cycle [SCo, · · ·, SCm] where SCm = SCo. Since we already observed that the reduced graph contains no self-loops this means that the cycle contains distinct nodes SC; and SCi and we may without loss of generality assume that i < j. That there is an edge from SCk to SCk+l in the reduced graph (O:::; k < m) means that there is an edge (nk, n~+ 1 ) in the original graph from a node nk E SCk to a node n~+l E SCk+l· It is also immediate that there is a path Pk in the original graph from n~ to nk and a path p~ from n:n to no.

We can now construct a path (n;,n~+ 1 )Pi+l" · · (nj-1,nj)pi in the original graph from n; to ni and a path (nj, nj+l)Pi+l · · · (nm-1, n:n)p~(no, nDp1 ···(ni-l, n;)p; from ni ton;. But then n; and ni should be in the same equivalence class thereby contradicting our assumption that SC; # SCi. •

Handles and roots. A handle for a directed graph G = (N, A) is a set H ~ N of nodes such that for all nodes n E N there exists a node h E H such that there is a (possibly trivial) directed path from h to n. A root is a node r E N such that for all nodes n E N there is a (possibly trivial) directed path from r to n. If r is a root for G = (N, A) then { r} is handle for G; in fact, { n} is a handle for G if and only if n is a root. Conversely, if H is a handle for G = (N, A) and r fţ N then r is a root for the graph (NU {r}, AU {(r, h) 1 h E H} ); we sometimes refer to r as a dummy root and to each (r, h) as a dummy edge. 420 C Graphs and Regular Expressions

A directed graph G = (N, A) always has a handle since one can use H =Nas the handle. A handle H is minimal if no proper subset is a handle, that is, if H' C H then H' is not a handle. One can show that minimal handles always exist since the set of nodes is finite. The minimal handle is a singleton if and only if the graph has a root; in this case we say that the graph is rooted.

Example C.6 Let S bea statement from the WHILE language of Chap• ter 2. Then init( S) is a root for (labels( S), flow( S)) and {init( S)} is a min• imal handle. Furthermore, fi.nal(S) is a handle for the backward fl.ow graph (labels( S), flo~ ( S)). •

A path from a handle H to a node n is a path from a node h E H to n; similarly for a path from the root r to a node n. Given a handle H, possibly in the form of a root r (corresponding to H = { r}), the set of paths from H to n is defined by:

path~ (n) = U{paths.(h, n) 1h E H}

When H is implicit we write path.(n) for path~ (n).

Forests and trees. A node n in a graph G = (N, A) is said to have in-degree m if the set of predecessors, {n' 1 ( n', n) E A}, has cardinality m. Similarly, one can define the concept of out-degree. A forest ( or unordered, directed forest) is a directed, acyclic graph G = (N, A) where nodes have in-degree at most 1. One can show that the set of nodes with in-degree O constitutes a minimal handle for the forest. If (n, n') E A then n is said to be the parent of n' and n' is a said to be a child of n; ancestor and descendant are the reflexive, transitive closures of the parent and child relations, respectively. The node n is a proper ancestor of n' if it is an ancestor and n -=f:. n' and similarly for proper descendants. A tree (or unordered, directed tree) is a forest that has a root; in other words, a tree is a forest where exactly one node has in-degree O and this is then the root. Given a forest (N, A) with minimal handle H, each node h E H will be a root for the tree consisting of all the nodes n E N reachable from h and all the edges (n1, n2) E E whose source and target are both in the tree; thus a forest can be viewed as a set of trees. Sometimes we will be interested in ordered forests and ordered trees which are forests and trees where additionally all children of a node are linearly ordered (unlike what is normally the case for graphs, forests and trees).

Dominators. Given a directed graph G = (N, A) with handle H, possi• bly in the form of a root r (corresponding to H = { r}), a node n' is said to be a dominator of a node n whenever every (possibly trivial) path from H to n contains n'. We also say that n' dominates n. As a consequence of the C.2 Reverse Postorder 421

INPUT: A directed graph (N, A) with k nodes and handle H

OUTPUT: (1) A DFSF T = (N,Ar), and (2) a numbering rPostorder of the nodes indicating the reverse order in which each node was last visited and represented as an element of array [N] of int

METHOD: i := k; mark ali nodes of N as unvisited; let Ar be empty; while unvisited nodes in H exists do choose a node h in H; DFS(h);

USING: procedure DFS(n) is mark n as visited; while (n, n') E A and n' has not been visited do add the edge (n, n') to Ar; DFS(n'); rPostorder[n] := i; i := i -1;

Table C.l: The DFSF Algorithm. definition of paths, the only dominator of an element of a minimal handle (such as a root) is the element itself. For any node n the set of dominators can be specified as the greatest solution to the following equation:

{n} ifn E H Dom(n) = { {n} U n{Dom(n') j (n', n) EA} otherwise

The node n' properly dominates the node n if the two nodes are distinct and n' dominates n. The node n' directly dominates the node n if it is the "closest" proper dominator of n; that is n' E Dom( n) \ {n} and for all n" E Dom(n)\{n} we have n" E Dom(n').

C.2 Reverse Postorder

Spanning forests. A spanning forest for a graph is a forest, with the same nodes as the graph and a subset ofthe edges of the graph (see below) as 422 C Graphs and Regular Expressions

Figure C.l: A flow graph. edges. The algorithm of Table C.l non-deterministically constructs a depth• first spanning forest (abbreviated DFSF). In parallel with constructing the forest, the algorithm also generates a numbering of the nodes which is the reverse of the order in which the nodes are last visited in the construction of the tree; this ordering is called the reverse postorder and in the algorithm it is represented as an array indexed by the nodes of the graph. If the DFSF is a tree it is called a depth-first spanning tree (abbreviated DFST). Note that the algorithm does not specify which unvisited node to select at each stage; consequently, the depth-first spanning forest for a graph is not unique. Given a spanning forest one can categorise the edges in the original graph as follows:

• Tree edges: edges present in the spanning forest.

• Forward edges: edges that are not tree edges and that go from a node to a proper descendant in the tree.

• Back edges: edges that go from descendants to ancestors (including self-loops).

• Cross edges: edges that go between nodes that are unrelated by the ancestor and descendant relations.

The algorithm of Table C.l ensures that cross edges always go from nodes visited later (i.e. with lower numbers in the reverse postorder) to nodes visited earlier (i.e. with higher numbers).

Example C. 7 To illustrate the operation of the algorithm, consider the graph in Figure C.l with root b1 . The algorithm may produce the tree shown C.2 Reverse Postorder 423

Figure C.2: A DFSF for the graph in Figure C.l.

in Figure C.2. The reverse postorder of the nodes is b1 , b3, 83, b2, 8 1 ,82 and the second number annotating each node in Figure C.2 reflects this ordering. The edges from 82 to b2 and from 83 to b3 in Figure C.l are back edges. The edge from b3 to 81 is a cross edge. •

Example C.8 Let 8 bea uniquely labelled statement from WHILE and consider the forward flow graph (labels(8), flow(8)) with root init(8). First consider a while loop while b' do 8' in 8. It gives rise to one tree edge and one or more back edges; more precisely as many back edges as there are elements in fina1(8'). Next consider a conditiona! if b' then 8~ else 8~ in 8 that is not the last statement of 8 and not the last statement of the body of a while loop in 8. It gives rise to three tree edges and one or more cross edges; more precisely there will be one fewer cross edges than there are elements in fina1(8n U finaJ(8~). Note that no forward edges can arise for statements in WHILE; however, an extension of WHILE with a one-branch conditiona! if b then 8 can give rise to forward edges. •

Properties. We now establish some properties of reverse postorder. The first lemma shows that the node at the source of a back edge comes later than the target (unless it is a self-loop).

Lemma C.9 Let G = (N, A) bea directed graph, Ta depth-first spanning forest of G and rPostorder the associated ordering computed by the algorithm of Table C.l. An edge (n, n') EA is a back edge if and only if rPostorder[n] ~ rPostorder[n'] and is a self-loop if and only if rPostorder[n] = rPostorder[n']. • Proof The statement about self-loops is immediate. Next let (n, n') EA. (===? ): If (n, n') is a back edge then n is a descendant of n' in T. Consequently, n' is visited before n in the depth first search and the call DFS(n') is pending during the entire call of DFS(n) and consequently rPostorder[n] ~ rPostorder[n']. 424 C Graphs and Regular Expressions

( ~ ): If rPostorder[n] ~ rPostorder[n'] then, either n is a descendant of n' or n' is in a subtree that was constructed later than the subtree that n appears in. In the second case, since ( n, n') E A, it would be a cross edge going from a node with a high reverse postorder number to a node with a low reverse postorder number - since our algorithm does not admit such cross edges, n must be a descendant of n' and thus (n, n') is a back edge. •

Next, we establish that every cycle in a directed graph must contain at least one back edge.

Corollary C.lO Let G = (N, A) be a directed graph, T a depth-first spanning forest of G and rPostorder the associated ordering computed by the algorithm of Table C.l. Any cycle of G contains at least one back edge. •

Proof A cycle is a path [no, · · ·, nm] with no = nm and m ~ 1. Then, since rPostorder[no] = rPostorder[nm], we must have rPostorder[n;] ~ rPostorder[ni+l] for some O ~ i < m. Thus Lemma C.9 applies. •

The ordering rPostorder topologically sorts the depth-first spanning forest.

Corollary C.ll Let G = (N, A) be a directed graph, T a depth-first spanning forest of G and rPostorder the associated ordering computed by the algorithm of Table C.l. Then rPostorder topologically sorts T as well as the forward and cross edges. •

Proof By Lemma C.9, for any edge (n, n'), rPostorder[n] < rPostorder[n'] if and only if the edge is not a back edge, that is, if and only if the edge is a tree edge in T or a forward edge or a cross edge. Thus rPostorder topologically sorts T as well as the forward and cross edges. •

Loop connectedness. Let G = (N, A) bea directed graph with handle H. The loop connectedness parameter of G with respect to a depth-first spanning forest T constructed by the algorithm of Table C.l, is the largest number of back edges found in any cycle-free path of G; we write d(G, T), or d( G) when T is clear from the context, to denote the loop connectedness parameter of a graph. The value of d(G) for the graph in Figure C.l is 1. Let a dominator-back edge be an edge (n1, n2) where the target n2 dominates the source n1. A dominator-back edge (n1, n2) is a back edge regardless of the choice of spanning forest T because the path from H to n1 in T must contain n2 (given that n2 dominates n1). The graph shown in Figure C.3 shows that there may be more back edges than there are dominator-back edges; indeed, it has root r and no dominator-back edges, but any spanning forest T will characterise one of the edges between n1 and n2 as a back edge. The literature contains many definitions of the concept of reducible graph. We shall say that a directed graph G = (N, A) with handle H is reducible Co2 Reverse Postorder 425

Figure C.3: An irreducible grapho if and only if the graph (N, A\ Adb) obtained by removing the set Adb of dominator-back edges is acyclic and stiH has H as handleo The simplest example of an irreducible graph is shown in Figure Co3o Reducible graphs are of interest because for a reducible graph G with handle Hand an arbitrary depth-first spanning forest T, it will be the case (as shown below) that an edge is characterised as a back edge with respect to T if and only if it is a dominator-back edgeo It follows that the loop connectedness parameter is then independent of the choice of depth-first spanning foresto

Lemma C.12 Let G = (N, A) be a reducible graph with handle H, T a depth first spanning forest for G and H, and rPostorder the associated ordering computed by the algorithm of Table Col. Then an edge is a back edge if and only if it is a dominator-back edgeo •

Proof We already argued that a dominator-back edge necessarily is a back edge with respect to To Next suppose by way of contradiction that there is a back edge (n,, nt) that is not a dominator-back edgeo It is clear that the tree edges (i.eo the edges in T) are not back edges and hence not dominator-back edges and therefore they all occur in the graph (N, A\ Adb) constructed aboveo Next let T' be the graph obtained by adding the edge (n,, nt) to T o Then also all edges in T' occur in the graph (N, A \ Adb) o The path in T' from nt to n,, followed by the back edge (n,, nt), constitutes a cycle in T' and hence in (N, A\ Adb)o This contradicts the acyclicity of (N, A\ Adb) and hence the reducibility of Go •

Example C.13 Once more let S bea uniquely labelled statement from WHILE and consider the fiow graph (labels(S),flow(S)) with root init(S)o It is reducible: Each while loop can be entered only at the test node which then dominates all the nodes for the body of the loop and hence all the back edges introduced by the while loop are also dominator-back edgeso Clearly the graph consisting of tree edges, forward edges and cross edges will be acyclico The loop connectedness parameter equals the maximum number of back edges (and hence dominator-back edges) of a cycle-free path in the fl.ow graph; it 426 C Graphs and Regular Expressions

follows that it is equal to the maximum number of nested while loops in the program. •

Another interesting property of rPostorder for reducible graphs is the following result.

Corollary C.14 Let G = (N, A) be a reducible graph with handle H. Any cycle-free path inG beginning with a node in the handle, is monoton• ically increasing by the ordering rPostorder computed by the algorithm of Table C.l. •

Proof Any such path must contain no dominator-back edges and thus by Lemma C.l2 is either a path in the depth-first spanning forest or a sequence of paths from the forest connected by forward or cross edges. The result then follows from Corollary C.ll. •

Other orders. As we have seen, reverse postorder numbers the nodes in the reverse of the order in which they were last visited in the construction of the depth-first spanning forest. Two commonly used alternative orderings on nodes are preorder and breadth-first order; as an example, the preorder for the tree in Figure C.2 is b1,b2,S2,S1,b3,S3 and the breadth-first order is b1, b2, b3, S2, S1, S3. Like reverse postorder, both orders topologically sort the depth-first spanning forest. They also topologically sort forward edges but they do not necessarily topologically sort cross edges. (For preorder, consider the edge from b3 to S1 in the example; for breadth-first order, modify the example to have an additional node between b1 and b3 .) This observation makes reverse postorder the better choice for a number of iterative algorithms.

C.3 Regular Expressions

An alphabet is a finite and non-empty set E of symbols; we shall assume that it is disjoint from the set {A, 0, (, ), +,·,*}of special symbols. A regular expression over E is any expression constructed by the following inductive definition:

1. A and 0 are (so-called atomic) regular expressions. For any a E E, a is a (so-called atomic) regular expression.

2. If R1 and R2 are regular expressions then (R1 + R2), (R1 · R2) and (R1 )* are (so-called compound) regular expressions.

The above definition constructs expressions that are fully parenthesised; by placing a precedence on the operators so that '*' binds more tightly than '·', and '·' binds more tightly than '+', most parentheses can be omitted. Concluding Remarks 427

A string w EE* is a sequence of symbols from E. A language L over E is a set of strings, i.e. L ~ E*. The language defined by a regular expression R is .C[R] defined by:

.C[A] {A} .C[0] 0 .C[a] = {a} for all a E E .C[R1 + R2] .C[R1] U .C[R2] .C[R1 · R2] .C[Rd · .C[R2] 00 .C[R~] u (.C[Rl])k k=O where L1 · L2 = {w1w2 1 w1 E L1 and w2 E L2}, L 0 ={A} and Li+1 =Li· L. Two regular expressions R1 and R2 are equivalent, denoted R1 = R2, if their languages are equal, that is .C[Rd = .C[R2].

A homomorphism from Ei to E2 is a function h : E1 --+ E2 that is extended to operate on words h(a1 ···am)= h(a1) · · · h(am) and on languages h(L) = {h(w) 1 w EL}. It may be extended to operate on regular expressions:

h(0) = 0 h(A) A

if h(a) = b1 · · · bm 1\ m >O h(a) { ~· ... ·bm if h(a) =A h(R1 + R2) h(Rl) + h(R2) h(R1 · R2) h(R1) · h(R2) h(R*) h(R)*

If Ris a regular expression over E1 then it is immediate that h(R) is a regular expression over E2 and that .C(h(R)) = h(.C(R)).

Concluding Remarks

There are a number of good books on graph theoretic concepts; aur presen• tation is based on [48], Chapter 5 of [4], Chapters 3 and 4 of [69], Chapter 10 of [5] and Chapter 7 of [110]. For more information on regular languages consult a text book such as [76]. Index of N otation

214, 219 220 fl [VJ, 246 - 341 r , 22, 285 --fin VIII r re: T , 22 17, 1 • 20 r 1 x , 286 $ -' 324 329, 347 f r e : r & lţ), 24 1= • 309 r, 24 287, 307, 321 'V 226 ")', 15 1 154 2 6 "Y" 237 ( 1 ' 367 L, 69 • 62 tb 66 69 !;;;; • 29 34 L. , 1 6 ;;;;) • 367 î 96 , 91 , 99 100 ~ • 29 A, 344 • 30 2 ~ VIII r : • 22 t/J~ A , 116 r : & ' 24 lţ), 24 287 306, 321 327 335, 343 r '"'-+ • 211 , 219 lţ) !;;;; cp'' 348 r 27, 212 219 lţ) 1 !;;;; '-P2' 29 r ' 154 IPI ~ '{)2, 29 ' 86 - 1T , 284 "" 367 p, 86, 153, 333

O' 15, 300 306 p r. (S, c;)- (S' <;' ), 86 a", 237 p r. {S, c;) - ' 6 {J, 216 306 p 1 X 154 fJ 2 cp, 30 p 11 , 144, 187 191 {J, - !32. 220 p. 86 fJR, 217 (! , 331 {J" 237 lY 332 ll. 91 , 96, 97 99, 100, 191 230 E , 17 6 91 , 191 (1 , 54, 105 [6 t] 96 C1J ""V C12 62 r6,l"Jk, 9 193 (i 327 335 343 6 1 7 ' 86, 244 320 333 f] , 237 c;[M ) 244 430 Index of Notation

<;.,/> 246 c, 11, 144, 187, 193 T, 285, 300 c*, 174 r ~ T', 324, 329, 347 c, 142, 284 1'1 G ~' 298 C~e, 144, 187, 193 7', 24,287,306,321,327,335,343 ce, 191 (), 301 CEnv, 191 ()A F C, 309 ch, 339 ~' 86, 105, 320 Chan, 339 (, 327 clear, 52 close-construct, 153 A, 55, 108 Const, 142, 284 Acp, 73 CP, 102 a, 3 CP, 342 AEentry, 40 cs, 14 AEexit, 40 cycles, 418 AExp*' 39 82 AExp, 3 .Q*, ~' 187 AExp(·), 39 d, 187 AHeap, 111, 114 de, 182 ALoc, 110 d0 p, 183 ALoc(H), 111 Data, 182 ALoc(S), 111 187 Analysis=, 69 D--;-~ Analysis!;;;, 69 DCache, 187 Analysis, 369 def, 52 Analysis, 65 DEnv, 187 AnncA, 343 DOM, 13 Ann, 287 doin, 86, 154, 286, 301 AnnEs, 327 DU, 54 AnnRI, 335 du, 53 AnnsE, 321 E, 69, 341 AState, 110, 114 e1 ---+ e2, 341 AType, 300 e, 142, 283, 339 AV, 101, 317 ee, 331 AVar, 306 EExp, 331 B, 55, 108 empty, 368 b, 3 Env, 86, 153, 333 BExp, 3 ~' 144, 187, 191 BExp(·), 39 EVal, 333 bind-construct, 87, 154 Exp, 142, 283, 339 [B]t, 37 Ext, 223, 402 Blocks*, 38 extract, 368 blocks*, 84 :F, 68 blocks, 36, 83 J, 91 c, 308 :Fcp, 73 Index of Notation 431

[_fl~, 230 killAE, 40 IL 93, 96, 98, 1oo, 101 killLv, 49 killRo, 43 c ' 93, 96, 98, 100, 101 Ilc, r killvB, 46 J;, 91 killx, 117 r;;_, 92 's!.llx.sel, 125

fcx l 92 L, 91 fv, 226 1!, 3, 142 J[A, 115, 116 l~, 225 f., 186 Lab*, 38, 171 h, 68 Lab, 3, 142 /p, 212, 219 labels*, 84 jCP 73 labels, 37, 83 c ' final*, 84 lfp~, 230 final, 36, 83 lfp'V, 227 Fix, 223, 402 lfp, 223, 402 flow*, 84 Loc, 86, 105, 320 flow, 37, 83 Lv=, 60 flo~, 38 LV<:::, 60 FV, 143, 367 LVentry, 50 genAE' 40 LVexit, 50 genLv, 50 MFP, 74 genR0, 43 MOP, 79 geny8, 46 MVP, 90 gfp, 223, 402 N, 55 H, 111, 114 nx, 110 H, 106 n0, 110 Heap, 106 n,3 IAV, 101 Num,3 id, 68, 302 o, 333 ie, 154 Observe, 338 IExp, 154 Offset, 333 inf, 222 Op, 142, 284 infl, 369 op, 182 init*, 84 op, 142, 284 init, 36, 83 opa, 55, 73 insert, 368 apa, 4 inter-flow*, 84 opb, 55 Interval, 221 opb, 4 is, 112, 114 opr, 55 IsShared, 114 opr, 4 it, 154 P*, 82 ITerm, 154 p, 107 JUDGcFA[r f-uL e: T], 299 p f- h 1> [2, 212, 219 432 Index of Notation

p f- VI -vt V2, 211, 219 Stmt, 3 Parity, 244 Store, 86,320,333 path, 79 SType, 306 Pnt, 284 sup, 222 PP, 342 SVal, 333 Proc, 342 [t~'I/J, 367 R- R, 214 t, 142, 367 R1- R2, 219 T~v, 285 Rf3, 217 TEnv, 287 R, 214 Term*, 171 R, 158 Term, 142 f, 332 tr, 13 r, 331, 343 Trace, 13 ran, 86 TrVar~, 134 Range, 248 TVar, 300, 306 RD f- S 1> S', 27 Type, 285 RD, 5 TypecA, 343 RDentry, 43 TypeES' 327 RDexit, 43 TypeR1, 335 Red, 223,402 Type5E, 321 RegcA, 343 ~e[T], 298 RegR1, 331 Type, 287 rn, 331 UcFA, 307 RName, 331 UuL, 302, 305 rPostorder, 375 UD, 54 RVar, 331 ud, 53 S: RD1 ~ RD2, 18 use, 52 S: E :0~ E, 20 V, 159 S: E ~ E, 17 v, 144, 182, 187, 191 s*, 38 v, 153, 293, 333, 341 s, 3 Val, 153, 293, 341 s, 110, 114 §!d, 182 s, 367 Val, 144, 187, 191 SAnn, 306 Var*, 38, 171 SchemecA, 343 Var, 3, 142, 284 SchemeR1, 335 VBentry, 47 Sel, 104 VBexit, 47 sel, 104 vpath, 90 SG,114 WcFA, 309 Shape, 115 w, 74 Sign, 238 WuL, 301 SRD, 13 w, 333 State, 54, 105 (xi ;:;! ti)~ 1 , 367 Statecp, 72 Index

abstract 0-CFA, 147 Available Expressions Analysis, 39 abstract cache, 144, 193 abstract data value, 182 back edge, 422 abstract environment, 144, 191 backward analysis, 66, 85 abstract heap, 111 BANE, 387 Abstract Interpretation, 13, 211 base of origin, 356 abstraction function, 15, 234 basic block, 136 abstract location, 109, 110 behaviour, 344 abstract reachability component, 202 behaviour variable, 344 abstract state, 110 binding time analysis, 356 abstract summary location, 110 Bit Vector Framework, 137, 380, abstract syntax, 4, 142 387 abstract value, 144, 191 abstract worklist algorithm, 369 call-by-name, 207 acceptable 0-CFA, 146 call-by-result, 82 acyclic, 418 call-by-value, 82 additive, 395 Call-Tracking Analysis, 23 adjoint, 239 called procedure, 102 adjunction, 16, 236 call string, 96, 196 affine, 396 cartesian product, 398 alphabet, 426 Cartesian Product Algorithm, 196 ancestor, 420 chain, 399 annotated type, 287, 321, 327, 335 channel, 339 annotated type environment, 287 channel identifier, 339 Annotated Type System, 18, 283 channel pool, 342 annotation, 287, 321, 327, 335 Chaotic Iteration, 25 annotation substitution, 309 child, 420 annotation variable, 306 closure, 153 arc, 417 Closure Analysis, 199 Array Bound Analysis, 221, 247 Code Motion, 54 ascending chain, 399 coinductive definition, 150, 165, 412 Ascending Chain Condition, 67,399 collecting semantics, 13, 266, 277 assigned variable, 101 combination operator, 67 assumption set, 99, 198 Communication Analysis, 339, 343 atomic subtyping, 350 compatible shape graph, 114 augmented type, 300 complete lattice, 393 434 Index completely additive, 395 Descending Chain Condition, 68, completely multiplicative, 396 399 complete path, 89 Detection of Signs Analysis, 91, 183 concrete syntax, 4 DFSF, 422 concretisation function, 15, 234 DFST, 422 conditiona! constraint, 12, 173, 367 digraph, 417 conservative extension, 291 directed graph, 375, 417 Constant Folding, 27, 72, 132 directed path, 417 Constant Propagation Analysis, 72, directly dominates, 421 132, 186, 212, 265, 266 direct product, 254 constraint, 173, 308 direct tensor product, 255 constraint based 0-CFA, 174 distributive, 69, 395 Constraint Based Analysis, 141 Distributive Framework, 69 constraint based approach, 8, 10, dominates, 420 11 dominator, 420 constraint system, 60, 69, 367 d'Ur-chain, 52, 132 context-insensitive, 95, 150, 190 duality, 273 context-sensitive, 95, 190 dynamic dispatch problem, 84, 142 context environment, 191 context information, 91, 191 edge, 417 contravariant, 324 edge array, 179 Control Flow Analysis, 10, 213, 287, effect, 24, 321, 327, 335 288 Effect System, 18 correctness relation, 62, 158, 214, elementary block, 3, 36 241, 260 embellished Monotone Framework, 91 course of values induction, 407 environment, 86, 153, 332 covariant, 324 equality of annotations, 290 cover, 301, 309 equational approach, 5 CPA, 196 equation system, 60, 65, 66, 69, cross edge, 422 366 cycle, 418 equivalent, 427 evaluation context, 341 DAG, 418 eventually stabilises, 399 data array, 179 Exception Analysis, 325 Data Flow Analysis, 5, 35 expression, 142, 283, 339 Dead Code Elimination, 49, 53, 132 extended expression, 331 Definition-Use chain, 52 extended type, 335 definition clear path, 52 extensive, 223, 402 Denotational Semantics, 223, 273 extraction function, 237, 246 depth-first spanning forest, 375, 422 extremallabel, 69 depth-first spanning tree, 422 extremal value, 69, 186 derivation sequence, 57 descendant, 420 faint variable, 136 descending chain, 399 fast, 391 Index 435

fastness closure, 391 induced analysis, 16, 258 FIFO, 374 induction on the shape, 406 finallabel, 36 inductive definition, 165, 408 finite chain, 399 inequation system, 366 first-in first-out, 374 infl.uence set, 369 first-order analysis, 212 initial labei, 36 fixed point, 223, 402 injective, 395 fl.ow, 37, 69 instance, 69, 186, 262 fl.ow-insensitive, 101, 150 instantiation, 329, 338 fl.ow-sensitive, 101 instrumented semantics, 133 fl.ow graph, 37 intermediate expression, 154 fl.ow variable, 365 intermediate term, 154 forest, 420 interprocedural analysis, 82, 196 forward analysis, 66, 85, 115 interprocedural fl.ow, 84, 142 forward edge, 422 intraprocedural analysis, 82 free algebra, 306 isolated entries, 39 free variable, 143 isolated exits, 39 fresh type variable, 302 isomorphism, 397 functional, 409 functional composition, 24 7 join semi-lattice, 67

Galois connection, 16, 234 k-CFA, 191, 198 Galois insertion, 242 generalisation, 329, 337 labei, 37 generalised Monotone Framework, labei consistent, 39 262 last-in first-out, 372 general subtyping, 350 latent effect, 24 generated by, 217 lazy, 207 graph, 417 least element, 394 graph formulation of the constraints, least fixed point, 223, 261, 402 177, 375 least upper bound, 393 greatest element, 394 LIFO, 372 greatest fixed point, 223, 402 live variable, 49 greatest lower bound, 393 Live Variables Analysis, 49 ground substitution, 301, 309 location, 86, 105, 320 ground validation, 309 logical relation, 214, 219 loop connectedness, 380, 424 handle, 375, 419 lower adjoint , 239 heap, 106 lower bound, 393 height, 399 hoisting, 46 materialise, 121 mathematical induction, 405 in-degree, 420 Maximal Fixed Point, 74 independent attribute analysis, 138, may analysis, 66, 115 249 Meet Over all Paths, 78 436 Index

Meet over all Valid Paths, 89 program point, 284 MFP solution, 7 4 proof by coinduction, 412 model intersection property, 162 proof by induction, 412 Modified Post Correspondence Prob- proof normalisation, 312, 362 lem, 79 proper, 420 monotone, 395 properly dominates, 421 Monotone Framework, 68, 391 property space, 67 monotone function space, 253, 398 monotone structure, 186, 275, 355 Reaching Definitions Analysis, 4, Monotone Type System, 355 43 monovariant, 190 reduced graph, 381, 419 Moore family, 136, 162, 172, 215, reduced product, 256 299, 395 reduced tensor product, 256 MOP solution, 78 reducible, 424 multiple entry, 418 reduction operator, 244 multiplicative, 395 reductive, 223, 402 must analysis, 66, 115 reference variable, 319 MVP solution, 89, 90 region, 331, 333, 344 Region Inference, 330 narrowing operator, 230 region name, 331 Natural Semantics, 292 region polymorphic closure, 333 node, 417 region variable, 331 non-free algebra, 306 regular expression, 426 non-trivial expression, 39 relational analysis, 138, 250 representation function, 216, 237, offset, 333 242, 260, 264 open system, 149, 182 reverse flow, 38 optimal analysis, 17, 261 reverse postorder, 375, 422 ordered forest, 420 root, 375, 419 ordered tree, 420 Round Robin Algorithm, 378 out-degree, 420 safe approximation, 168 PAG, 387 scaling factor, 356 parent, 420 second-order analysis, 212 partially ordered set, 393 security analysis, 356 partial ordering, 393 selector name, 104 path, 78, 417 self-loop, 417 pointer expression, 104 semantically reaching definitions, polymorphic recursion, 336 13 polymorphism, 327, 329 semantic correctness, 295 polynomial k-CFA, 195, 198 semantics based, 3, 29 polyvariant, 190 semantics directed, 3, 29 procedure call graph, 102 sequential composition, 247 process, 339 Set Based Analysis, 198 process pool, 342 set constraints, 201, 387 Index 437 sets of states analysis, 265 tree edge, 422 Shape Analysis, 104, 27 4 type, 22, 285, 343 shape conformant subtyping, 324, Type and Effect System, 17, 283 350 type environment, 22, 285 shape graph, 109, 114 type reconstruction, 301, 309 sharing information, 112 type schema, 327, 335, 344 Sharlit, 387 type substitution, 308 Side Effect Analysis, 320 type variable, 300, 306 simple annotation, 306 typing judgement, 286, 288, 321, simple substitution, 307 329, 336, 345 simple type, 306 simple type environment, 307 UCAl, 291, 306 smash product, 398 ud-chain, 52, 132, 145 Spare, 387 underlying type, 287 state, 54, 105 underlying type system, 284 storable value, 333 unification procedure, 302, 305, 307 store, 86, 320, 333 uniform k-CFA, 191, 193, 198 strict, 396 unit, 356 strong component, 381, 419 upper adjoint, 239 strongly connected, 381, 419 upper bound, 393 structural induction, 406 upper bound operator, 225 Structural Operational Semantics, upper closure operator, 270 54, 153 Use-Definition chain, 52, 145 subeffecting, 288, 324, 329, 336, 347 valid path, 89 subject reduction result, 158 value, 153, 293, 341 substitution, 301 vertex, 417 subsumption rule, 19, 21 Very Busy Expressions Analysis, subtyping, 324, 329, 336, 347 46 surjective, 395 well-founded induction, 407 syntactic completeness, 308, 314 well-founded ordering, 407 syntactic soundness, 308, 312 widening operator, 226, 267, 391 syntax directed 0-CFA, 169 worklist, 74, 179, 368, 369 System Z, 387 Y2K, 356 Tarski's Fixed Point Theorem, 402 temporal order, 339 tensor product, 252, 271 term, 142 topologica! sort, 418 total function space, 252, 398 trace, 13, 133 transfer function, 68 transition, 55 tree, 420 Bibliography

[1] M. Abadi, A. Banerjee, N. Heintze, and J. G. Riecke. A core calculus of dependency. In Proc. POPL '99, pages 147-160. ACM Press, 1999.

[2] O. Agesen. The cartesian product algorithm. In Proc. ECOOP'95, volume 952 of Lecture Notes in Computer Science, pages 2-26. Springer, 1995.

[3] O. Agesen, J. Palsberg, and M. Schwartzbach. Type inference of SELF: Analysis of objects with dynamic and multiple inheritance. In Proc. ECOOP'93, volume 707 of Lecture Notes in Computer Science. Springer, 1993.

[4] A. V. Aho, J. E. Hopcroft, and J. D. Ullman. The Design and Analysis of Computer Algorithms. Addison Wesley, 1974.

[5] A. V. Aho, R. Sethi, and J. D. Ullman. Compilers: Principles, Tech• niques, and Tools. Addison Wesley, 1986. [6] A. Aiken. Set constraints: Results, applications and future directions. In Proc. Second W orkshop on the Principles and Practice of Constraint Programming, volume 874 of Lecture Notes in Computer Science, pages 326-335. Springer, 1994.

[7] A. Aiken. Introduction to set constraint-based program analysis. Sci• ence of Computer Programming, 35(2):79-111, 1999.

[8] A. Aiken, M. Făhndrich, J. S. Foster, and Z. Su. A toolkit for con• structing type- and constraint-based program analyses. In Proc. Types in Compilation, volume 1473 of Lecture Notes in Computer Science, pages 78-96. Springer, 1998.

[9] A. Aiken and E. Wimmers. Type inclusion constraints and type infer• ence. In Proc. FPCA '93, pages 31-41. ACM Press, 1993.

[10] A. Aiken, E. Wimmers, and T.K. Lakshman. Soft typing with condi• tiona! types. In Proc. POPL '94, pages 163-173. ACM Press, 1994. 440 Bibliography

[11] F. E. Allen and J. A. Cocke. A program data flow analysis procedure. Communications of the ACM, 19(3):137-147, 1976.

[12] B. Alpern, M. M. Wegman, and F. K. Zadeck. Detecting equality of variables in programs. In Proc. POPL '88, pages 1-11. ACM Press, 1988.

[13] T. Amtoft, F. Nielson, and H. R. Nielson. Type and Effect Systems: Behaviours for Concurrency. Imperial College Press, 1999.

[14] T. Amtoft, F. Nielson, and H.R. Nielson. Type and behaviour recon• struction for higher-order concurrent programs. Journal of Functional Programming, 7(3):321-347, 1997.

[15] T. Amtoft, F. Nielson, H.R. Nielson, and J. Ammann. Polymorphic subtyping for effect analysis: The dynamic semantics. In Analysis and Verification of Multiple-Agent Languages, volume 1192 of Lecture Notes in Computer Science, pages 172-206. Springer, 1997.

[16] A. Arnold and I. Guessarian. Mathematics for Computer Science. Pren• tice Hall International, 1996.

[17] U. Assmann. How to uniformly specify program analysis and transfor• mation. In Proc. CC '96, volume 1060 of Lecture Notes in Computer Science, pages 121-135. Springer, 1996.

[18] A. Banerjee. A modular, polyvariant, and type-based closure analysis. In Proc. ICFP '97, pages 1-10. ACM Press, 1997.

[19] P. N. Benton. Strictness logic and polymorphic invariance. In Proc. Sec• ond International Symposium on Logical Foundations of Computer Sci• ence, volume 620 of Lecture Notes in Computer Science, pages 33-44. Springer, 1992.

[20] P. N. Benton. Strictness properties of lazy algebraic datatypes. In Proc. WSA '93, volume 724 of Lecture Notes in Computer Science, pages 206-217. Springer, 1993.

[21] S. K. Biswas. A demand-driven set-based analysis. In Proc. POPL '97, pages 372-385. ACM Press, 1997. [22] C. Bodei, P. Degano, F. Nielson, and H. R. Nielson. Control flow analysis for the 1r-calculus. In Proc. CONCUR '98, number 1466 in Lecture Notes in Computer Science, pages 84-98. Springer, 1998.

[23] C. Bodei, P. Degano, F. Nielson, and H. R. Nielson. Static analysis of processes for no read-up and no write-down. In Proc. FOSSACS'99, number 1578 in Lecture Notes in Computer Science, pages 120-134. Springer, 1999. Bibliography 441

[24] F. Bourdoncle. Abstract interpretation by dynamic partitioning. Jour• nal of Functional Programming, 10:407-435, 1992.

[25] F. Bourdoncle. Efficient chaotic iteration strategies with widenings. In Proc. Formal Methods in Programming and Their Applications, volume 735 of Lecture Notes in Computer Science, pages 128-141. Springer, 1993.

[26] R. E. Bryant. Symbolic boolean manipulation with ordered binary decision diagrams. Computing Surveys, 24(3), 1992.

[27] G. L. Burn, C. Hankin, and S. Abramsky. Strictness Analysis for Higher-Order Functions. Science of Computer Programming, 7:249- 278, 1986.

[28] W. Charatonik and L. Pacholski. Set constraints with projections are in NEXPTIME. In Proc. FOCS '94, pages 642-653, 1994.

[29] B. Le Charlier and P. Van Hentenryck. Experimental evaluation of a generic abstract interpretation algorithm for prolog. ACM TOPLAS, 16(1 ):35-101, 1994.

[30] D. Chase, M. Wegman, and F. Zadeck. Analysis of pointers and struc• tures. In Proc. PLDI '90, pages 296-310. ACM Press, 1990.

[31] C. Colby. Analyzing the communication topology of concurrent pro• grams. In Proc. PEPM '95, pages 202-214. ACM Press, 1995.

[32] C. Colby. Determining storage properties of sequential and concurrent programs with assignment and structured data. In Proc. SAS '95, vol• ume 983 of Lecture Notes in Computer Science, pages 64-81. Springer, 1995.

[33] A. Cortesi, G. File, R. Giacobazzi, C. Palamidessi, and F. Ranzato. Complementation in abstract interpretation. In Proc. SAS '95, Lecture Notes in Computer Science, pages 100-117. Springer, 1995.

[34] A. Cortesi, G. File, R. Giacobazzi, C. Palamidessi, and F. Ranzato. Complementation in abstract interpretation. ACM TOPLAS, 19(1):7- 47, 1997.

[35] P. Cousot. Semantics Foundation of Program Analysis. InS. S. Much• nick and N. D. Jones, editors, Program Flow Analysis: Theory and Applications, chapter 10, pages 303-342. Prentice Hall International, 1981.

[36] P. Cousot. Types as abstract interpretations. In Proc. POPL '97, pages 316-331. ACM Press, 1997. 442 Bibliography

[37] P. Cousot and R. Cousot. Abstract Interpretation: a Unified Lattice Model for Static Analysis of Programs by Construction or Approxi• mation of Fixpoints. In Proc. POPL '77, pages 238-252. ACM Press, 1977.

[38] P. Cousot and R. Cousot. Static determination of dynamic properties of generalised type unions. In Conference on Language Design for Reliable Software, volume 12(3) of ACM SIGPLAN Notices, pages 77-94, 1977.

[39] P. Cousot and R. Cousot. Systematic Design of Program Analysis Frameworks. In Proc. POPL '79, pages 269-282, 1979.

[40] P. Cousot and R. Cousot. Comparing the Galois Connection and Widening/Narrowing Approaches to Abstract Interpretation. In Proc. PLILP '92, volume 631 of Lecture Notes in Computer Science, pages 269-295. Springer, 1992.

[41] P. Cousot and N. Halbwachs. Automatic Discovery of Linear Restraints Among Variables of a Program. In Proc. POPL '78, pages 84-97. ACM Press, 1978.

[42] R. Cytron, J. Ferrante, B. K. Rosen, M. N. Wegman, and F. K. Zadek. Efficiently computing static single assignment form and the control dependence graph. ACM TOPLAS, 13(4):451-490, 1991.

[43] B. A. Davey and H. A. Priestley. Introduction to Lattices and Or• der. Cambridge Mathematical Textbooks. Cambridge University Press, 1990.

[44] A. Deutsch. On Determining Lifetime and Aliasing of Dynamically Al• located Data in Higher Order Functional Specifications. In Proc. POPL '90, pages 157-169. ACM Press, 1990.

[45] A. Deutsch. Interprocedural may-alias analysis for pointers: Beyond k-limiting. In Proc. PLDI '94, pages 230-241. ACM Press, 1994.

[46] P. H. Eidorf, F. Henglein, C. Mossin, H. Niss, M. H. S0rensen, and M. Tofte. AnnoDomini: From type theory to year 2000 conversion tool. In Proc. POPL '99, pages 1-14. ACM Press, 1999.

[47] M. Emami, R. Ghiya, and L. J. Hendren. Context-sensitive inter• procedural points-to analysis in the presence of function pointers. In Proc. PLDI '94, pages 242-256. ACM Press, 1994.

[48] S. Even. Graph Algorithms. Pitman, 1979.

[49] K.-F. Faxen. Optimizing lazy functional programs using flow inference. In Proc. SAS '95, volume 983 of Lecture Notes in Computer Science, pages 136-153. Springer, 1995. Bibliography 443

[50] K.-F. Faxen. Polyvariance, polymorphism, and flow analysis. In Proc. Analysis and Verijication of Multiple-Agent Languages, volume 1192 of Lecture Notes in Computer Science, pages 260-278. Springer, 1997.

[51] C. Fecht and H. Seidl. An even faster solver for general systems of equations. In Proc. SAS '96, volume 1145 of Lecture Notes in Computer Science, pages 189-204. Springer, 1996.

[52] C. Fecht and H. Seidl. Propagating differences: An efficient new fix• point algorithm for distributive constraint systems. In Proc. ESOP '98, volume 1381 of Lecture Notes in Computer Science, pages 90-104. Springer, 1998.

[53] C. Fecht and H. Seidl. Propagating differences: An efficient new fix• point algorithm for distributive constraint systems. Nordic Journal of Computing, 5:304-329, 1998.

[54] C. Fecht and H. Seidl. A faster solver for general systems of equations. Science of Computer Programming, 35(2):137-161, 1999.

[55] C. N. Fischer and Jr. R. J. LeBlanc. Crafting a Compiler. Ben• jamin/Cummings, 1988.

[56] C. Flanagan and M. Felleisen. Well-founded touch optimizations for fu• tures. Technical Report Rice COMP TR94-239, Rice University, 1994.

[57] C. Flanagan and M. Felleisen. The semantics of future and its use in program optimization. In Proc. POPL '95, pages 209-220. ACM Press, 1995. [58] Y.-C. FUh and P. Mishra. Polymorphic subtype inference: Closing the theory-practice gap. In Proc. TAPSOFT '89, volume 352 of Lecture Notes in Computer Science, pages 167-183. Springer, 1989.

[59] Y.-C. FUh and P. Mishra. Type inference with subtypes. Theoretical Computer Science, 73:155-175, 1990.

[60] K. L. S. Gasser, F. Nielson, and H. R. Nielson. Systematic realisation of control flow analyses for CML. In Proc. ICFP '97, pages 38-51. ACM Press, 1997.

[61] R. Ghiya and L. Hendren. Connection analysis: a practica! interproce• dural analysis for C. In Proc. of the eight workshop on languages and compilers for parallel computing, 1995.

[62] R. Ghiya and L. J. Hendren. Is it a tree, a dag, or a cyclic graph? a shape analysis for heap-directed pointers in C. In G. Kahn, editor, Proc. POPL '96, pages 1-15. ACM Press, 1996. 444 Bibliography

[63) R. Giacobazzi and F. Ranzato. Compositional optimization of dis• junctive abstract interpretations. In Proc. ESOP '96, volume 1058 of Lecture Notes in Computer Science, pages 141-155. Springer, 1996.

[64) R. Giacobazzi and F. Ranzato. Optimal domains for disjunctive ab• stract interpretation. Science of Computer Programming, 32:177-210, 1998.

[65) R. Giegerich, U. Moncke, and R. Wilhelm. Invariance of approximative semantics with respect to program transformations. In Proc. GI - 11. Jahrestagung, volume 50 of Informatik Fachberichte, pages 1-10. Springer, 1981.

[66) P. Granger. Static analysis of arithmetical congruences. International Journal of Computer Mathematics, 30:165-190, 1989.

[67) P. Granger. Static Analysis of Linear Congruence Equalities among Variables of a Program. In Proc. TAPSOFT '91, volume 493 of Lecture Notes in Computer Science, pages 169-192. Springer, 1991.

[68) R. R. Hansen, J. G. Jensen, F. Nielson, and H. R. Nielson. Abstract interpretation of mobile ambients. In Proc. SAS '99, Lecture Notes in Computer Science. Springer, 1999.

[69) M. S. Hecht. Flow Analysis of Computer Programs. North Holland, 1977. [70) N. Heintze. Set-based analysis of ML programs. In Proc. LFP '94, pages 306-317, 1994. [71) N. Heintze. Control-fiow analysis and type systems. In Proc. SAS '95, volume 983 of Lecture Notes in Computer Science, pages 189-206. Springer, 1995. [72) N. Heintze and J. Jaffar. A decision procedure for a class of Herbrand set constraints. In Proc. LICS '90, pages 42-51, 1990.

[73) N. Heintze and J. Jaffar. An engine for logic program analysis. In Proc. LICS '92, pages 318-328, 1992.

[74) Nevin Heintze and Jon G. Riecke. The SLam calculus: Programming with Secrecy and Integrity. In Proc. POPL '98, pages 365-377. ACM Press, 1998.

[75) F. Henglein and C. Mossin. Polymorphic binding-time analysis. In Proc. ESOP '94, volume 788 of Lecture Notes in Computer Science, pages 287-301. Springer, 1994. [76] J. E. Hopcroft and J. D. Ullman. Introduction to Automata Theory, Languages and Computation. Addison Wesley, 1979. Bibliography 445

[77] S. Horwitz, A. Demers, and T. Teitelbaum. An efficient general iterative algorithm for datafiow analysis. Acta Informatica, 24:679-694, 1987.

[78] S. Jagannathan and S. Weeks. Analyzing Stores and References in a Parallel Symbolic Language. In Proc. LFP '94, pages 294-305, 1994.

[79] S. Jagannathan and S. Weeks. A unified treatment of fiow analysis in higher-order languages. In Proc. POPL '95. ACM Press, 1995.

[80] S. Jagannathan and A. Wright. Effective fiow analysis for avoiding run-time checks. In Proc. SAS '95, volume 983 of Lecture Notes in Computer Science, pages 207-224. Springer, 1995. [81] T. P. Jensen. Strictness analysis in logical form. In Proc. FPCA '91, volume 523 of Lecture Notes in Computer Science, pages 352-366. Springer, 1991. [82] T. P. Jensen. Disjunctive strictness analysis. In Proc. LICS '92, pages 174-185, 1992.

[83] M. P. Jones. A theory of qualified types. In Proc. ESOP '92, volume 582 of Lecture Notes in Computer Science, pages 287-306. Springer, 1992. [84] N. D. Jones and S. S. Muchnick. Flow analysis and optimization ofLisp• like structures. In S. S. Muchnick and N. D. Jones, editors, Program Flow Analysis: Theory and Applications, chapter 4, pages 102-131. Prentice Hall International, 1981.

[85] N. D. Jones and S. S. Muchnick. A fiexible approach to interprocedural data fiow analysis and programs with recursive data structures. In Proc. POPL '82, pages 66-74. ACM Press, 1982.

[86] N. D. Jones and F. Nielson. Abstract Interpretation: a Semantics• Based Tool for Program Analysis. In Handbook of Logic in Computer Science volume 4. Oxford University Press, 1995. [87] M. Jourdan and D. Parigot. Techniques for improving grammar fiow analysis. In Proc. ESOP '90, volume 432 of Lecture Notes in Computer Science, pages 240-255. Springer, 1990.

[88] P. Jouvelot. Semantic Parallelization: a practica! exercise in abstract interpretation. In Proc. POPL '87, pages 39-48, 1987.

[89] P. Jouvelot and D. K. Gifford. Reasoning about continuations with control effects. In Proc. PLDI '89, ACM SIGPLAN Notices, pages 218-226. ACM Press, 1989.

[90] P. Jouvelot and D. K. Gifford. Algebraic reconstruction of types and effects. In Proc. POPL '91, pages 303-310. ACM Press, 1990. 446 Bibliography

[91] G. Kahn. Natural semantics. In Proc. STACS'87, volume 247 of Lecture Notes in Computer Science, pages 22-39. Springer, 1987.

[92] J. B. Kam and J. D. Ullman. Global data fiow analysis and iterative algorithms. Journal of the ACM, 23:158-171, 1976.

[93] J. B. Kam and J. D. Ullman. Monotone data fiow analysis frameworks. Acta Informatica, 7:305-317, 1977.

[94] M. Karr. Affine Relationships among Variables of a Program. Acta Informatica, 6(2):133-151, 1976.

[95] A. Kennedy. Dimension types. In Proc. ESOP '94, volume 788 of Lecture Notes in Computer Science, pages 348-362. Springer, 1994.

[96] G. Kildall. A Unified Approach to Global Program Optimization. In Proc. POPL '73, pages 194-206. ACM Press, 1973.

[97] M. Klein, J. Knoop, D. Koschiitzki, and B. Steffen. DFA & OPT• METAFrame: A toolkit for program analysis and optimisation. In Proc. TACAS '96, volume 1055 of Lecture Notes in Computer Science, pages 422-426. Springer, 1996.

[98] D. E. Knuth. An empirica! study of Fortran programs. Software - Practice and Experience, 1:105-133, 1971.

[99] W. Landi and B. G. Ryder. Pointer-Induced Aliasing: A Problem Classification. In Proc. POPL '91, pages 93-103. ACM Press, 1991.

[100] W. Landi and B. G. Ryder. A safe approximate algorithm for inter• procedural pointer aliasing. In Proc. PLDI '92, pages 235-248. ACM Press, 1992.

[101] J. Larus and P. Hilfinger. Detecting confiicts between structure ac• cesses. In Proc. PLDI '88, pages 21-34. ACM Press, 1988.

[102] J. M. Lucassen and D. K. Gifford. Polymorphic effect analysis. In Proc. POPL '88, pages 47-57. ACM Press, 1988.

[103] T. J. Marlowe and B. G. Ryder. Properties of data fiow frameworks• a unified model. Acta Informatica, 28(2):121-163, 1990.

[104] F. Martin. Pag- an efficient program analyzer generator. Journal of Software Tools for Technology Transfer, 2(1):46-67, 1998.

[105] F. Masdupuy. Using Abstract Interpretation to Detect Array Data Dependencies. In Proc. International Symposium on Supercomputing, pages 19-27, 1991. Bibliography 447

[106] R. Milner. Communication and Concurrency. Prentice Hall Interna• tional, 1989.

[107] J. Mitchell. Type inference with simple subtypes. Joumal of Functional Programming, 1(3):245-285, 1991.

[108] B. Monsuez. Polymorphic types and widening operators. In Proc. Static Analysis (WSA '93}, volume 724 of Lecture Notes in Computer Science, pages 267-281. Springer, 1993.

[109] R. Morgan. Building an Optimising Compiler. Digital Press, 1998.

[110] S. Muchnick. Advanced Compiler Design and Implementation. Morgan Kaufmann Publishers, 1997 (third printing).

[111] F. Nielson. Abstract Interpretation using Domain Theory. PhD thesis, University of Edinburgh, Scotland, 1984.

[112] F. Nielson. Program Transformations in a denotational setting. ACM TOPLAS, 7:359-379, 1985.

[113] F. Nielson. Tensor Products Generalize the Relational Data Flow Anal• ysis Method. In Proc. 4th Hungarian Computer Science Conference, pages 211-225, 1985.

[114] F. Nielson. A formal type system for comparing partial evaluators. In D. Bj0rner, A. P. Ershov, and N. D. Jones, editors, Proc. Partial Evaluation and Mixed Computation, pages 349-384. North Holland, 1988.

[115] F. Nielson. Two-Level Semantics and Abstract Interpretation. Theo• retical Computer Science -Fundamental Studies, 69:117-242, 1989.

[116] F. Nielson. The typed >.-calculus with first-class processes. In Proc. PARLE'89, volume 366 of Lecture Notes in Computer Science, pages 355-373. Springer, 1989.

[117] F. Nielson. Semantics-directed program analysis: a tool-maker's per• spective. In Proc. Static Analysis Symposium (SAS), number 1145 in Lecture Notes in Computer Science, pages 2-21. Springer, 1996.

[118] F. Nielson and H. R. Nielson. Finiteness Conditions for Fixed Point Iteration. In Proc. LFP '92, pages 96-108. ACM Press, 1992.

[119] F. Nielson and H. R. Nielson. From CML to process algebras. In Proc. CONCUR '93, volume 715 of Lecture Notes in Computer Science, pages 493-508. Springer, 1993.

[120] F. Nielson and H. R. Nielson. From CML to its process algebra. The• oretical Computer Science, 155:179-219, 1996. 448 Bibliography

[121] F. Nielson and H. R. Nielson. Operational semantics of termination types. Nordic Journal of Computing, pages 144-187, 1996.

[122] F. Nielson and H. R. Nielson. Infinitary Control Flow Analysis: a Collecting Semantics for Closure Analysis. In Proc. POPL '97. ACM Press, 1997.

[123] F. Nielson and H. R. Nielson. A prescriptive framework for designing multi-levellambda-calculi. In Proc. PEPM'97, pages 193-202. ACM Press, 1997.

[124] F. Nielson and H. R. Nielson. The flow logic of imperative objects. In Proc. MFCS'98, number 1450 in Lecture Notes in Computer Science, pages 22G-228. Springer, 1998.

[125] F. Nielson and H. R. Nielson. Flow logics and operational semantics. Electronic Notes of Theoretical Computer Science, 10, 1998.

[126] F. Nielson and H. R. Nielson. Interprocedural control flow analysis. In Proc. ESOP '99, number 1576 in Lecture Notes in Computer Science, pages 20-39. Springer, 1999.

[127] F. Nielson, H.R. Nielson, and T. Amtoft. Polymorphic subtyping for effect analysis: The algorithm. In Analysis and Verification of Multiple• Agent Languages, volume 1192 of Lecture Notes in Computer Science, pages 207-243. Springer, 1997.

[128] H. R. Nielson, T. Amtoft, and F. Nielson. Behaviour analysis and safety conditions: a case study in CML. In Proc. FASE '98, number 1382 in Lecture Notes in Computer Science, pages 255-269. Springer, 1998.

[129] H. R. Nielson and F. Nielson. Bounded fixed-point iteration. Journal of Logic and Computation, 2(4):441-464, 1992.

[130] H. R. Nielson and F. Nielson. Semantics with Applications: A Formal Introduction. Wiley, 1992. (An on-line version may be available at http://www.imm.dtu.dk/~iis/Wiley_book/wiley.html).

[131] H. R. Nielson and F. Nielson. Higher-Order Concurrent Programs with Finite Communication Topology. In Proc. POPL '94. Springer, 1994.

[132] H. R. Nielson and F. Nielson. Communication analysis for Concur• rent ML. In F. Nielson, editor, ML with Concurrency, Monographs in Computer Science, pages 185-235. Springer, 1997.

[133] H. R. Nielson and F. Nielson. Flow logics for constraint based analysis. In Proc. CC '98, volume 1383 of Lecture Notes in Computer Science, pages 109-127. Springer, 1998. Bibliography 449

[134] H.R. Nielson, F. Nielson, and T. Amtoft. Polymorphic subtyping for effect analysis: The static semantics. In Analysis and Verification of Multiple-Agent Languages, volume 1192 of Lecture Notes in Computer Science, pages 141-171. Springer, 1997. [135] L. Pacholski and A. Podelski. Set constraints: A pearl in research on constraints. In Proc. Third International Conference on the Principles and Practice of Constraint Programming, volume 1330 of Lecture Notes in Computer Science, pages 549-561. Springer, 1997. [136] J. Palsberg. Closure analysis in constraint form. ACM TOPLAS, 17 (1):47-62, 1995.

[137] J. Palsberg and M. I. Schwartzbach. Object-Oriented Type Systems. Wiley, 1994. [138] H. D. Pande and B. G. Ryder. Data-flow-based virtual function reso• lution. In Proc. SAS '96, volume 1145 of Lecture Notes in Computer Science, pages 238-254. Springer, 1996. [139] J. Plevyak and A. A. Chien. Precise concrete type inference of object• oriented programs. In Proc. OOPSLA '94, 1994. [140] G. D. Plotkin. A structural approach to operational semantics. Tech• nical Report FN-19, DAIMI, Aarhus University, Denmark, 1981. [141] G. Ramalingam, J. Field, and F. Tip. Aggregate structure identification and its application to program analysis. In Proc. POPL '99, pages 119- 132. ACM Press, 1999. [142] J. H. Reif and S. A. Smolka. Data Flow Analysis of Distributed Com• municating Processes. International Journal of Parallel Programming, 19(1):1-30, 1990. [143] J. Reynolds. Automatic computation of data set definitions. In Infor• mation Processing, volume 68, pages 456-461. North Holland, 1969. [144] B. K. Rosen. High-level data flow analysis. Communications of the ACM, 20(10):141-156, 1977. [145] E. Ruf. Context-insensitive alias analysis reconsidered. In Proc. PLDI '95, pages 13-22. ACM Press, 1995. [146] B. G. Ryder and M. C. Paull. Elimination algorithms for data flow analysis. ACM Computing Surveys, 18(3):275-316, 1986. [147] M. Sagiv, T. Reps, and S. Horwitz. Precise interprocedural dataflow analysis with applications to constant propagation. In Proc. TAPSOFT '95, volume 915 of Lecture Notes in Computer Science, pages 651-665, 1995. 450 Bibliography

[148] M. Sagiv, T. Reps, and R. Wilhelm. Solving shape-analysis problems in languages with destructive updating. In Proc. POPL '96, pages 16-31. ACM Press, 1996.

[149] M. Sagiv, T. Reps, and R. Wilhelm. Solving shape-analysis problems in languages with destructive updating. ACM TOPLAS, 20(1):1-50, 1998.

[150] M. Sagiv, T. Reps, and R. Wilhelm. Parametric shape analysis via 3-valued logic. In Proc. POPL '99, pages 105-118. ACM Press, 1999.

[151] D. Schmidt. Data flow analysis is model checking of abstract interpre• tations. In Proc. POPL '98, pages 38-48. ACM Press, 1998.

[152] P. Sestoft. Replacing function parameters by global variables. Master's thesis, Department of Computer Science, University of Copenhagen, Denmark, 1988.

[153] M. Shapiro and S. Horwitz. Fast and accurate flow-insensitive points-to analysis. In Proc. POPL '97, pages 1-14. ACM Press, 1997.

[154] M. Sharir. Structural Analysis: a New Approach to Flow Analysis in Optimising Compilers. Computer Languages, 5:141-153, 1980.

[155] M. Sharir and A. Pnueli. Two approaches to interprocedural data flow analysis. In S. S. Muchnick and N. D. Jones, editors, Program Flow Analysis. Prentice Hall International, 1981. [156] O. Shivers. Control flow analysis in Scheme. In Proc. PLDI '88, volume 7 (1) of ACM SIGPLAN Notices, pages 164-174. ACM Press, 1988.

[157] O. Shivers. Data-flow analysis and type recovery in Scheme. In P.Lee, editor, In Topics in Advanced Language lmplementation, pages 47-87. MIT Press, 1991.

[158] O. Shivers. The semantics of Scheme control-flow analysis. In Proc. PEPM '91, volume 26 (9) of ACM SIGPLAN Notices. ACM Press, 1991.

[159] J. H. Siekmann. Unification theory. Journal of Symbolic Computation, 7:207-274, 1989.

[160] G. S. Smith. Polymorphic type inference with overloading and subtyp• ing. In Proc. TAPSOFT '93, volume 668 of Lecture Notes in Computer Science, pages 671-685. Springer, 1993.

[161] G. S. Smith. Principal type schemes for functional programs with over• loading and subtyping. Science of Computer Programming, 23:197-226, 1994. Bibliography 451

[162] B. Steensgaard. Points-to analysis in almost linear time. In Proc. POPL '96, pages 32-41. ACM Press, 1996.

[163] D. Stefanescu and Y. Zhou. An equational framework for the flow analysis of higher order functional programs. In Proc. LFP '94, pages 318-327, 1994.

[164] B. Steffen. Generating data flow analysis algorithms from modal spec• ifications. Science of Computer Programming, 21:115-239, 1993.

[165] J. Stransky. A lattice for abstract interpretation of dynamic (lisp-like) structures. lnformation and Computation, 1990.

[166] J.-P. Talpin and P. Jouvelot. Polymorphic Type, Region and Effect Inference. Journal of Functional Programming, 2(3):245-271, 1992.

[167] J.-P. Talpin and P. Jouvelot. The type and effect discipline. In Proc. LICS '92, pages 162-173, 1992.

[168] J.-P. Talpin and P. Jouvelot. The type and effect discipline. lnformation and Computation, 111(2):245-296, 1994.

[169] Y.-M. Tang. Control-Flow Analysis by Effect Systems and Abstract Interpretation. PhD thesis, Ecole des Mines de Paris, 1994.

[170] R. E. Tarjan. Fast algorithms for solving path problems. Journal of the ACM, 28(3):594-614, 1981.

[171] R. E. Tarjan. A unified approach to path programs. Journal of the ACM, 28(3):577-593, 1981.

[172) S. Tjiang and J. Hennessy. Sharlit - a tool for building optimizers. In Proc. PLDI '92. ACM Press, 1992.

[173] M. Tofte. Type inference for polymorphic references. Information and Computation, 89:1-34, 1990.

[174] M. Tofte and L. Birkedal. A region inference algorithm. ACM TOPLAS, 20(3):1-44, 1998.

[175] M. Tofte and J.-P. Talpin. Implementing the call-by-value lambda• calculus using a stack of regions. In Proc. POPL '94, pages 188-201. ACM Press, 1994.

[176] M. Tofte and J.-P. Talpin. Region-based memory management. lnfor• mation and Computation, 132:109-176, 1997.

[177] G. V. Venkatesh and C. N. Fischer. Spare: A development environ• ment for program analysis algorithms. IEEE Transactions on Software Engineering, 1992. 452 Bibliography

[178] J. Vitek, R. N. Horspool, and J. S. Uhl. Compile-Time Analysis of Object-Oriented Programs. In Proc. CC '92, volume 641 of Lecture Notes in Computer Science, pages 236-250. Springer, 1992.

[179] A. B. Webber. Program analysis using binary relations. In Proc. PLDI '97, volume 32 (5) of ACM SIGPLAN Notices, pages 249-260. ACM Press, 1997.

[180] M. N. Wegman and F. K. Zadeck. Constant propagation with condi• tiona! branches. ACM TOPLAS, pages 181-210, 1991.

[181] R. Wilhelm and D. Maurer. Compiler Design. Addison-Wesley, 1995.

[182] R. P. Wilson and M. S. Lam. Efficient context-sensitive pointer analysis for C programs. In Proc. PLDI '95, pages 1-12. ACM Press, 1995.

[183] A. K. Wright. Typing references by effect inference. In Proc. ESOP '92, volume 582 of Lecture Notes in Computer Science, pages 473-491. Springer, 1992.

[184] A. K. Wright and M. Felleisen. A syntactic approach to type soundness. Information and Computation, 115:38-94, 1994.

[185] K. Yi and W. L. Harrison III. Automatic generation and management of interprocedural program analyses. In Proc. POPL '93, pages 246- 259. ACM Press, 1993.