Abstract Interpretation: a Semantics-Based Tool for Program Analysis

Abstract Interpretation a

SemanticsBased Tool for Program

Analysis

Neil D Jones

DIKU University of Cop enhagen Denmark

Flemming Nielson

Computer Science Department Aarhus University Denmark

June

Contents

Introduction

Goals and Motivations

Relation to Program Verication and Transformation

The Origins of Abstract Interpretation

A Sampling of Dataow Analyses

Outline

Basic Concepts and Problems to b e Solved

A Naive Analysis of the Simple Program

Accumulating Semantics for Imp erative Programs

Correctness and Safety

Scott Domains Lattice Duality and Meet versus Join

Abstract Values Viewed as Relations or Predicates

Imp ortant Points from Earlier Sections

Towards Generalizing the Cousot Framework

Proving Safety by Logical Relations

Abstract Interpretation Using a TwoLevel Metalanguage

Syntax of Metalanguage

Sp ecication of Analyses

Correctness of Analyses

Induced Analyses

Exp ected Forms of Analyses

Extensions and Limitations

Other Analyses Language Prop erties and Language Types

Approaches to Abstract Interpretation

Examples of Instrumented Semantics

Analysis of Functional Languages

Complex Abstract Values

Abstract Interpretation of Logic Programs

Glossary

1 Introduction

Desirable mathematical background for this chapter includes

basic concepts such as lattices complete partial orders homomor

phisms etc

the elements of domain theory eg as in the chapter by Abramsky

or the b o oks Schmidt or Nielson a

the elements of denotational semantics eg as in the chapter by

Tennent or the b o oks Schmidt or Nielson a

interpretations as used in logic

There will b e some use of structural op erational semantics Kahn

Plotkin Nielson a for example deduction rules for a pro

grams semantics and type system The use of category theory will b e kept

to a minimum but would b e a useful background for the domainrelated

parts of Section

Goals and Motivations

Our primary goal is to obtain as much information as p ossible ab out a

programs p ossible run time b ehaviour without actually having to run it

on all input data and to do this automatically A widely used technique

for such program analysis is nonstandard execution which amounts to

p erforming the programs computations using value descriptions or abstract

values in place of the actual computed values The results of the analysis

must describ e al l possible program executions in contrast to proling and

other runtime instrumentation which describ e only one run at a time

We use the term abstract interpretation for a semanticsbased version of

nonstandard execution

Nonstandard execution can b e roughly describ ed as follows

p erform commands or evaluate expressions satisfy goals etc using

stores values drawn from abstract value domains instead of the

actual stores values used in computations

deduce information ab out the programs computations on actual in

put data from the resulting abstract descriptions of stores values

One reason for using abstract stores values instead of the actual ones

is for computability to ensure that analysis results are obtained in nite

time Another is to obtain results that describ e the result of computations

on a set of p ossible inputs The rule of signs is a simple familiar abstract

interpretation using abstract values p ositive negative and the

latter is needed to express for example the result of adding a p ositive and

a negative number

Another classical example is to check arithmetic computations by cast

ing out nines a metho d using abstract values to detect errors

in hand computations The idea is to p erform a series of additions sub

tractions and multiplications with the following twist whenever a result

exceeds it is replaced by the sum of its digits rep eatedly if necessary

The result obtained this way should equal the sum mo dulo of the digits

of the result obtained by the standard arithmetic op erations For example

consider the alleged calculation

This is checked by reducing to to and to and then

reducing to and so further to and nally is reduced to

This diers from the sum mo dulo of the digits of so the

calculation was incorrect That the metho d is correct follows from

a b mo d a b mo d

a b mo d a mo d b mo d mo d

The metho d abstracts the actual computation by only recording values

mo dulo Even though much information is lost useful results are still

obtained since this implication holds if the alleged answer mo dulo diers

from the answer got by casting out nines there is denitely an error

On the need for approximation Due to the unsolvability of the halting

problem and nearly any other question concerning program b ehaviour no

analysis that always terminates can b e exact Therefore we have only three

alternatives

Consider systems with a nite number of nite b ehaviours eg pro

grams without lo ops or decidable prop erties eg type checking as

in Pascal Unfortunately many interesting problems are not so ex pressible

Ask interactively for help in case of doubt But exp erience has shown

that users are often unable to infer useful conclusions from the myr

iads of esoteric facts provided by a machine This is one reason why

interactive program proving systems have turned out to b e less useful

in practice than hop ed

Accept approximate but correct information

Consequently most research in abstract interpretation has b een concerned

with eectively nding safe descriptions of program b ehaviour yielding

answers which though sometimes to o conservative in relation to the pro

grams actual b ehaviour never yield unreliable information In a formal

sense we seek a v relation instead of equality The eect is that the price

paid for exact computability is loss of precision

A natural analogy abstract interpretation is to formal semantics as

numerical analysis is to mathematical analysis Problems with no known

analytic solution can b e solved numerically giving approximate solutions

for example a numerical result r and an error estimate Such a result is

reliable if it is certain that the correct result lies within the interval r

r The solution is acceptable for practical usage if is small enough In

general more precision can b e obtained at greater computational cost

Safety Abstract interpretation usually deals with discrete nonnumerical

ob jects that require a dierent idea of approximation than the numerical

analysts By analogy the results pro duced by abstract interpretation of

programs should b e considered as correct by a pure semantician as long

as the answers are safe in the following sense A b o olean question can

b e answered true false or I dont know while answers for the rule

of signs could b e p ositive negative or This apparently crude

approach is analogous to the numerical analysts and for practical usage

the problem is not to give uninformative answers to o often analogous to

the problem of obtaining a small

An approximate program analysis is safe if the results it gives can always

b e dep ended on The results are allowed to b e imprecise as long as they

always err on the safe side so if b o olean variable J is sometimes true

we allow it to b e describ ed as I dont know but not as false Again

in general more precision can b e obtained at greater computational cost

Dening the term safe is however a bit more subtle than it app ears

In applications eg co de optimization in a compiler it usually means the

result of abstract interpretation may safely b e used for program transfor

mation ie without changing the programs semantics To dene safety

it is essential to understand precisely how the abstract values are to b e interpreted in relation to actual computations

For an example supp ose we have a function denition

f X X exp

where exp is an expression in X X Two subtly dierent dependency

analyses asso ciate with exp a subset of f s arguments

Analysis I

fX X g fX j exps value dep ends on X in at least one

i im j j

computation of f X X g

Analysis I I

fX X g fX j exps value dep ends on X in every

i im j j

computation of f X X g

For the example

f W X Y Z if W then X Y else X Z

analysis I yields fW X Y Zg which is the smallest variable set always

sucient to evaluate the expression Analysis I I yields fW Xg signifying

that regardless of the outcome of the test evaluation of exp requires the

values of b oth W and X but not necessarily those of Y or Z

These are b oth dep endence analyses but have dierent mo dality Anal

ysis I for p ossible dep endence is used in the binding time analysis phase

of partial evaluation a program transformation which p erforms as much as

p ossible of a programs computation when given knowledge of only some

of its inputs Any variable dep ending on at least one unknown input in at

least one computation might b e unknown at sp ecialization time Thus if

any among W X Y Z are unknown then the value of exp will b e unknown

Analysis I I for denite dep endence is a need analysis identifying that

the values of W and X will always b e needed to return the value Such anal

yses are used for to optimize program execution in lazy languages The ba

sis is that arguments denitely needed in a function call f e e e e e

may b e preevaluated eg using call by value for e and e instead of

the more exp ensive call by need

Strictness Finding needed variables involves tracing p ossible compu

tation paths and variable usages For mathematical convenience many

researchers work with a slightly weaker notion A function is dened to

b e strict in variable A if whenever As value is undened the value of

exp will also b e undened regardless of the other variables values For

mally this means if A has the undened value then exp evaluates to

Clearly f b oth needs and is strict in variables W and X in the example

For another X is strict in a denition f X f X since f even though it is not needed

Violations of safety In practice unsafe dataow analyses are sometimes

used on purp ose For example highly optimizing compilers may p erform

co de motion where co de that is invariant in a lo op may b e moved to a

p oint just b efore the lo ops entry This yields quite substantial sp eedups

for frequently iterated lo ops but it can also change termination prop erties

the moved co de will b e p erformed once if placed b efore the lo op even if

the lo op exit o ccurs without executing the b o dy Thus the transformed

program could go into a nonterminating computation not p ossible b efore

optimization

The decision as to whether such eciency b enets outweigh problems

of semantic dierences can only b e taken on pragmatic grounds If one

takes a completely pure view even using the asso ciative law to rearrange

expressions may fail on current computers

We take a purists view in this chapter insisting on safe analyses and

solid semantic foundations and carefully dening the interpretation of the

various abstract values we use

Abstract interpretation cannot always b e homomorphic A very

wellestablished way to formulate the faithful simulation of one system by

another is by a homomorphism from one algebra to another Given two

onesorted algebras

D g D fa D

i2I i

and

E g E fb E

i2I i

with carriers D E and op erators a b a homomorphism is a function

i i

D D E such that for each i and x x

b x x a x x

i k i k

i i

In the examples of sign analysis to b e given later and casting out nines

abstract interpretation is done by a homomorphic simulation of the op er

ations and Unfortunately pure homomorphic simulation is not

always sucient for program analysis

To examine the problem more closely consider the example of nonre

cursive imp erative programs The state of such a program might b e a

program control p oint together with the values of all variables The seman

tics is naturally given by dening a state transition function for instance

State Program p oint Store

Store Variable Value

next State State

where we omit formally sp ecifying a language syntax and dening next

on grounds of familiarity

Consider the algebra State next State State and an abstraction

AbState next AbState AbState where AbState is a set of abstract

descriptions of states A truly homomorphic simulation of the computation

would b e a function State AbState such that the following diagram

commutes

State State

AbState AbState

In this case is a representation function mapping real states into their

abstract descriptions and next simulates nexts eects but is applied to

abstract descriptions

This elegant view is alas not quite adequate for program analysis For

an example consider sign analysis of a program where

AbState Program p oint AbStore

AbStore Variable f g

next AbState AbState

Representation function preserves control p oints and maps each variable

into its sign The use of abstract value representing unknown sign

will b e illustrated later If the program contains

p Y X Y goto q

and the current state is p X Y then we have

nextp X Y q X Y

q X Y

On the other hand the b est that next can p ossibly do is

next p X Y nextp X Y

q X Y

since X Y can b e either p ositive or negative dep ending on the exact

values of X Y unavailable in the argument of next Thus the desired

commutativity fails

In general the b est we can hop e for is a semihomomorphic simulation

A simple way is to equip E with a partial order v where x v y intuitively

means x is a more precise description than y eg v

In relation to safe value descriptions as discussed in Section if x is

a safe description of precise value v and x v y then we will also exp ect y

to b e a safe description of v

Computations involving abstract values cannot b e more precise than

those involving actual values so we weaken the homomorphism restriction

by allowing the values computed abstractly to b e less precise than the result

of exact computation followed by abstraction

D We thus require that for each i and x x

v b x x a x x

i k i k

i i

and that the op erations b b e monotone For the imp erative language this

is describ ed by

State State

AbState AbState

The monotonicity condition implies

n n

next s v next s

for all states s and n so computations by sequences of state transitions are also safely mo deled

Abstract interpretation in eect simulates many computations at

once A further complication is that real world execution steps cannot

b e simulated in a onetoone manner in the abstract world In program

fragment

p if X Y then goto q else goto r

nextp X Y could yield q X Y or r

X Y since the approximate descriptions contain to o lit

tle information to determine the outcome of the test Op erationally this

amounts to nondeterminism the argument to next do es not uniquely de

termine its result How is such nondeterminism in the abstract world to b e

treated

One way is familiar from nite automata theory we lift

next State State

to work on sets of states namely

next State State

dened by

next stateset f nexts j s stateset g

together with an abstraction function State AbState This direc

tion developed by Cousot and Cousot and describ ed in section allows

next to remain a function

Another approach is to let b e a relation instead of a function This

approach is describ ed briey in section and is also used in section

The essentially nondeterministic nature of abstract execution implies

that abstract interpretation techniques may b e used to analyse nondeter

ministic programs as well as deterministic ones This idea is developed

further in Nielson

Relation to Program Verication and Transforma

tion

Program verication has similar goals to abstract interpretation A ma jor

dierence is that abstract interpretation emphasizes approximate program

descriptions obtainable by ful ly automatic algorithms whereas program

verication uses deductive metho ds which can in principle yield more pre

cise results but are not guaranteed to terminate Another dierence is that

an abstract interpretation eg sign detection must work uniformly for al l

programs in the language it is designed for In contrast traditional pro

gram verication requires one to devise a new set of statement invariants

for every new program

Abstract interpretations ma jor application is to determine the appli

cability or value of optimization and thus has similar goals to program

transformation Darlington However most program transformation

as currently practiced still requires considerable human interaction and is

so signicantly less automatic than abstract interpretation Further pro

gram transformation often requires pro ofs that certain transformations can

b e validly applied abstract interpretation gives one way to obtain these

The Origins of Abstract Interpretation

The idea of computing by means of abstract values for analysis purp oses

is far from new Peter Naur very early identied the idea and applied it in

work on the Gier Algol compiler Naur He coined the term pseudo

evaluation for what was later describ ed as a pro cess which combines the

op erators and op erands of the source text in the manner in which an actual

evaluation would have to do it but which op erates on descriptions of the

op erands not on their values Jensen The same basic idea is found

in Reynolds and Sintzo Sintzo used it for proving a num

b er of wellformedness asp ects of programs in an imp erative language and

for verifying termination prop erties

These ideas were applied on a larger scale to highly optimizing com

pilers often under the names program ow analysis or dataow analysis

Hecht Aho Sethi and Ullman Kam They can b e

used for extraction of more general program prop erties Wegbreit

and have b een used for many applications including generating assertions

for program veriers Cousot b program validation Fosdick

and Foster testing applicability of program transformations Nielson a

compiler generation and partial evaluation Jones Nielson b

estimating program running times Rosendahl and eciently paral

lelizing sequential programs Masdupuy Mercouro

The rst pap ers on automatic program analysis were rather ad ho c and

oriented almost entirely around one application optimization of target or

intermediate co de by compilers Prime imp ortance was placed on eciency

and the ow analysis algorithms used were not explicitly related to the

semantics of the language b eing analysed Signs of this can b e seen in the

wellknown unreliability of the early highly optimizing compilers indicating the need for rmer theoretical foundations

A Sampling of Dataow Analyses

We now list some program analyses that have b een used for ecient im

plementation of programming languages The aim is to show how large

the sp ectrum of interesting program analyses is and how much they dif

fer from one another Only a few of these have b een given go o d semantic

foundations so the list could serve as a basis for future work References

include Aho Sethi and Ullman and Muchnick

All concern analysing the sub ject programs b ehaviour at particular

program p oints for optimization purp oses Following is a rough classica

tion of the analyses group ed according to the b ehavioural prop erties on

which they dep end

Sets of values stores or environments that can o ccur at a program

p oint

Constant propagation nds out which assignments in a program yield con

stant values that can b e computed at compile time

Aliasing analysis identies those sets of variables that may refer to the

same memory cell

Copy propagation nds those variables whose values equal those of other

variables

Destructive updating recognizes when a new binding of a value to a variable

may safely overwrite the variables previous value eg to reduce

the frequency of garbage collection in Lisp Bloss and Hudak

Jensen Mycroft Sestoft

Groundness analysis in logic programming nds out which of a Prolog

programs variables can only b e instantiated to ground terms

Debray Sndergaard

Sharing analysis in logic programming nds out which variable pairs can

b e instantiated to terms containing shared subterms Debray

Mellish Sndergaard

Circularity analysis in logic programming nds out which unications in

Prolog can b e safely p erformed without the timeconsuming o c

cur check Plaisted Sndergaard

Sequences of variable values

Variables invariant in loops identies those variables in a lo op that are

assigned the same values every time the lo op is executed used in

code motion esp ecially to optimize matrix algorithms

Induction variables identies lo op variables whose values vary regularly

each time the lo op is executed also to optimize matrix algo

rithms

Computational past

Usedenition chains asso ciates with a reference to X the set of all as

signments X that assign values to X that can reach the

reference following the p ossible ow of program control

Available expressions records the expressions whose values are implicitly

available in the values of program variables or registers

Computational future

Live variables variable X is dead at program p oint p if its value will never

b e needed after control reaches p else live Memory or registers

holding dead variables may b e used for other purp oses

Denitionuse analysis asso ciates with any assignment X the set of

all places where the value assigned to X can b e referenced

Strictness analysis given a functional language with normal order seman

tics the problem is to discover which parameters in a function

call can b e evaluated using call by value

Miscellaneous

Mode analysis To nd out which arguments of a Prolog pro cedure are

input ie will b e instantiated when the pro cedure is entered and

which are output ie will b e instantiated as the result of calling

the pro cedure Mellish

Interference analysis To nd out which subsets of a of programs com

mands can b e executed so that none in a subset changes variables

used by others in the same set Such sets are candidates for par

allel execution on shared memory vector or data ow machines

Outline

Ideally an overview article such as this one should describ e its area b oth in

breadth and in depth dicult goals to achieve simultaneously given the

amount of literature and number of dierent metho ds used in abstract in

terpretation As a compromise section emphasizes overview breadth and connections with other research areas while section gives a more formal

mathematical treatment of a domainbased approach to abstract interpre

tation using a twolevel typed lambda calculus The motivation is that

abstract interpretation of denotational language denitions allows approx

imation of a wide class of programming language prop erties Section is

again an overview referencing some of the many abstract interpretations

that have b een seen in the literature Section contains a glossary briey

describing the many terms that have b een introduced Following is a more

detailed overview

Driven by examples section introduces several fundamental analysis

concepts seen in the literature The descriptions are informal few theorems

are proved and some concepts are made more precise later within the

framework of section

The section b egins with a list of program analyses used by compilers

and do es a parity analysis of an example program The shortcomings of

naive analysis metho ds are p ointed out leading to the need for a more sys

tematic framework The framework used by Cousot for ow chart programs

is introduced using what we call the accumulating semantics elsewhere

the collecting or static semantics

Appropriate machinery is introduced to approximate the accumulating

semantics and to prove the approximations safe The distinction b etween

indep endent attribute and relational analyses is made and the latter are

related to Dijkstras predicate transformers Backwards analyses are then

briey describ ed

It is then shown how domainbased generalizations of these ideas can

b e applied to languages dened by denotational semantics thus going far

b eyond ow chart programs The main to ols used are interpretations and

logical relations and a general technique is introduced for proving safety

Section uses representation functions and logical relations rather than

abstraction of an accumulating semantics The approach is metalanguage

oriented and highly systematic emphasizing the metalanguage for denota

tional denitions rather than particular semantic denitions of particular

languages It emphasizes comp ositionality with resp ect to domain con

structors and the extension from the approximation of basic values and

functions to all the programs domains analogous to the construction of a

free algebra from a set of generators The comp onents of the following goal

are precisely formulated

abstract interpretation correctness

most precise analyses

implementable analyses

There is a terminological problem here Cousot a used the term static seman

tics but this has other meanings so several researchers have used the more descriptive

collecting semantics Unfortunately this term to o has b een used in more than one way so we have invented yet another term accumulating semantics

Section illustrates the need to interpret programs over domains other

than abstractions of the accumulating semantics Some program analy

ses not naturally expressed by abstracting either an accumulating or an

instrumented semantics are exemplied showing the need for more sophis

ticated analysis techniques and an overview is given of some alternative

approaches including tree grammars

The idea of an instrumented semantics is introduced and correctness

is discussed This section is problemoriented with simulation techniques

chosen ad ho c to t the analysis problem and the language b eing anal

ysed It thus centers more around programs op erational b ehaviour than

the structure of their domains with particular attention to describing the

set of program states reachable in computations on given input data and

to nite description of the set of all computations on given input The

section ends by describing approaches to abstract interpretation of Prolog

2 Basic Concepts and Problems to b e Solved

We b egin with parity analysis of a very simple example program and in

tro duce basic concepts only as required We discuss imp erative programs

without pro cedure calls since this familiar program class has a simple se

mantics and is most often treated in the analysis algorithms found in com

piling textb o oks Later sections will discuss functional and logic programs

but many of their analysis problems are also visible and usually in sim

pler form in the imp erative context Throughout this section the reader

is encouraged to ask himself what is the analogue of this concept in a

functional or logic programming framework

An example program where stands for integer division and program

p oints AG have b een indicated for future reference

A while n do

B if n even

then C n n D

else E n n F

o d G

n n

B C

even n n

odd

G E D

n n

Side remark Collatz problem in number theory amounts to determining

whether this program terminates for all p ositive initial n To our knowledge

it is still unsolved

A Naive Analysis of the Simple Program

Abstraction of a single execution If this program is run with initial

value n then n takes on values at p oint B values

at C etc Using to represent either even or o dd the results of this

single run can b e abstracted as

n at A n at B n at C n at D n at E n at F n at G

o dd even o dd even o dd

Extension to all p ossible executions This result was obtained by

p erforming one execution completely and then abstracting its outcome

Such an analysis may of course not terminate and it do es not as wished

describ e all executions The question is how to obtain evenodd informa

tion valid for al l possible computations A natural way is to simulate the

computation but to do the computation using the abstract values

Abs f even o dd g

instead of natural numbers each representing a set of p ossible values of n

and to ensure that all p ossible control ow paths are taken

Doing this informally we can see that if n is o dd at program entry it

will always b e even at p oints C and F always o dd at p oint E sometimes even and sometimes o dd at p oints B and D and o dd at G provided control

ever reaches G Individual op erations can b e simulated by known prop erties

of numbers eg n is even if n is o dd and o dd if n is even while n

can b e either even or o dd

Simulating the whole program is not as straightforward as simulating a

single execution The reason was mentioned b efore execution over abstract

values cannot in general b e deterministic since it must take account of

all p ossible execution sequences on real data satisfying the abstract data

description

Towards a less naive analysis pro cedure The very earliest data

ow analysis algorithms amounted to gloried interpreters and pro ceeded

by executing the program symbolically keeping a record of the desired

ow information abstract values as the interpretation pro ceeded Such

algorithms which in essence traced all p ossible control paths through the

program were very slow and often incorrect They further suered from a

number of problems of semantic nature for example diculties in seeing

how to handle nondeterminism due to tests with insucient information

to recognize their truth or falsity convergence and divergence of control

paths lo ops and nontermination

Better metho ds were so on developed to solve these problems including

putting a partial order on the abstract data values so they always

change in the same direction during abstract interpretation thus re

ducing termination problems

storing ow information in a separate data structure usually b ound

to program p oints such as entry p oints to basic blo cks ie maxi

mal linear program segments

constructing from the program a system of dataow equations

one for each program p oint

solving the dataow equations usually by computing their greatest

xp oint or least xp oint

Much more ecient algorithms were developed and some theoretical

frameworks were developed to make the new metho ds more precise Hecht

Kennedy and Aho Sethi and Ullman contain go o d overviews

None of the classical approaches to program analysis can however

b e said to b e formally related to the semantics of the language whose

programs were b eing analysed Rather they formalized and tightened up

metho ds used in existing practice In particular none of them was able to

include precise execution as a special case of abstract interpretation alb eit

an uncomputable one This was rst done in Cousot a the seminal pap er relating abstract interpretation to program semantics

Accumulating Semantics for Imp erative Programs

The approach of Cousot a is app ealing b ecause of its generality it

expresses a large number of sp ecial program analyses in a common frame

work In particular this makes questions of safety ie correctness much

easier to formulate and answer and sets up a framework making it p os

sible to relate and compare the precision of a range of dierent program

analyses It is solidly based in semantics and precise execution of the pro

gram is included as a sp ecial case This implies program verication may

also b e based on the accumulating semantics a theme developed further

in Cousot b and several subsequent works

The ideas of Cousot a have had a considerable impact on later

work in abstract interpretation for example Mycroft Muchnick

Burn DonzeauGouge Nielson Nielson Mycroft

Overview of the Cousot Approach

The article Cousot a b egins by presenting an op erational semantics

for a simple ow chart language It then develops the concept of what

we call the accumulating semantics the same as Cousots static semantics

and some others collecting semantics This asso ciates with each program

p oint the set of all memory stores that can ever o ccur when program control

reaches that p oint as the program is run on data from a given initial

data space It was shown in Cousot a that a wide variety of ow

analyses but not all may b e realized by nding nitely computable

approximations to the accumulating semantics

The sticky accumulating semantics maps program p oints to sets of

program stores The set Store of all sets of stores forms a lattice with

set inclusion as its partial order so any two store sets A B have least

upp er b ound A B and greatest lower b ound A B The lattice Store

is complete meaning that any collection of sets of stores has a least upp er

b ound in Store namely its union

Various approximations can b e expressed by simpler lattices connected

to Store by an abstraction function S tor e Abs where Abs is

a lattice of descriptions of sets of stores Symbol t is usually used for the

least upp er b ound op eration on Abs u for the greatest lower b ound and

for the least resp greatest elements of Abs

An abstraction function is most often used together with a dual con

cretization function Abs Store and the two are required to satisfy

natural conditions given later

For a onevariable program we could use as Abs the lattice with elements

f even o ddg

where the abstraction of any nonempty set of even numbers is lattice el

ement even and the concretization of lattice element even is the set

of all even numbers Abstract interpretation may thus b e thought of as

executing the program over a lattice of imprecise but computable abstract

store descriptions instead of the precise and uncomputable accumulating

semantics lattice

In practice computability is often achieved by using a noetherian lat

tice ie one without innite ascending chains More general lattices can

however b e used cf the Cousots widening techniques or the use of

grammars to describ e innite sets nitely

Let p b e the programs initial program p oint and let p b e another

program p oint The set of store congurations that can b e reached at

program p oint p starting from a set S of p ossible initial stores is dened

acc fs j p s next p s for some s S n g

The accumulating semantics thus asso ciates with each program p oint the

set acc Store

Accumulating Semantics of the Example Program

For the example program there is only one variable so a set of stores has

form

fn a n a n a g

For notational simplicity we can identify this with the set fa a a g

an imp ossible simplication if the program has more than one variable

Given initial set S fg the sets of stores reachable at each program

p oint are

acc acc acc acc acc acc acc

A B C D E F G

fg fg fg fg fg fg fg

The following dataow equations have a unique least xp oint by complete

ness of Store and it is easy to see that their xp oint is exactly the tuple

of sets of reachable stores as dened ab ove

acc S

acc acc acc acc fn j n f g n fgg

B A D F

acc acc fn j n f gg

C B

acc fn j n acc g

D C

acc acc fn jn f gg

E B

acc fn j n acc g

F E

acc acc acc acc fg

G A D F

The equation set can b e derived mechanically from the given programs

syntax eg as seen in Cousot a or Nielson

Abstract Interpretation of the Example Program

The abstraction function Store Abs b elow may b e used to abstract

a set of stores where Abs f even o dd g

if S fg else

even if S f g else

o dd if S f g else

Dening v even v and v o dd v makes Abs into a partially

ordered set Least upp er and greatest lower b ounds t u exist so it is also

a lattice

even

o dd

Applying to the sets of reachable stores yields the following

abs abs abs abs abs abs abs

A B C D E F G

o dd even o dd even o dd

Abstraction of the set of all runs This metho d is still unsatisfactory

for describing all computations since the value sets involved are unbounded

and p ossibly innite But we may mo del the equations ab ove by applying

to the sets involved The abstraction function just given is easily seen

to b e monotone so set inclusion in the world of actual computations is

mo delled by v in the world of simulated computations over Abs Union

is the least upp er b ound over sets so it is natural to mo del by t and

similarly to mo del by u

The arithmetic op erations are faithfully mo delled as follows using fa

miliar prop erties of natural numbers

if abs

f abs

else

if abs else

even if abs o dd else

f abs

o dd if abs even else

if abs

This yields the following system of approximate dataow equations de

scribing the programs b ehaviour on Abs

abs S

abs abs t abs t abs u u may b e omitted

B A D F

abs abs u even

C B

abs f abs

D n E

abs abs u o dd

E B

abs f abs

F n E

abs abs t abs t abs u o dd

G A D F

Remark Here f and f were dened ad ho c a systematic way to

n n

dene them will b e seen in section

The lattice Abs is also complete The op erators u t f and f

n n

are monotone so the equation system has a unique least xp oint The

abstraction function is easily seen to b e monotone so if it also were a

homomorphism with resp ect to t and u the least solution to the

approximate ow equations would b e exactly

abs acc abs acc

A A G G

It is however not homomorphic since for example

fg u fg even fg fg

On the other hand the following do hold

AtB A B f A w fn j n Ag

AuB w A B f A w fn j n Ag

Using these it is easy to see by insp ection of the two equation systems

more formally a simple xp oint induction that their least x p oints are

related by

abs w acc

A A

abs w acc

B B

abs w acc

G G

Following is the iterative computation of the least xp oint assuming S

abs abs abs abs abs abs abs iteration

A B C D E F G

o dd

o dd o dd o dd

o dd o dd o dd o dd

o dd o dd o dd even o dd

o dd o dd even o dd

o dd even o dd even o dd

The conclusion is that n is always even at p oints C and F and always o dd

at E and G

An Optimization Using the Results of the Analysis

The ow analysis reveals that the program could b e made somewhat more

ecient by unrolling the lo op after F The reason is that tests n

and n even must b e b oth b e true in the iteration after F so they need

not b e p erformed The result is

while n do if n even then n n else n n

o d

which avoids the two tests every time n is o dd In practice one of the

main reasons for doing abstract interpretation is to nd out when such optimizing transformations may b e p erformed

Termination

The least xed p oint may as usual b e computed by b eginning with pp

pp every program p oint is mapp ed to the least element

of Abs and rep eatedly replacing the value currently assigned to pp by

the value of the right side of pp s equation By monotonicity of u f

i n

etc these values can only grow or remain unchanged so the iterations

terminate provided the approximation lattice has no ascending chains of

innite height as is the case here

Cousot a describ es ways to achieve termination even when in

nite chains exist by inserting socalled widening op erators in the dataow

equations at each junction p oint of a lo op To explain the basic idea con

sider the problem of nding the xed p oint of a continuous function f

The usual Kleene iteration sequence is d d f d and

n n

is known to converge to the least xed p oint of f but the sequence need

not stabilize ie it need not b e the case that d d for some n To

n n

remedy this one may introduce a widening op erator that dominates the

0 00 0 00

least upp er b ound op eration ie d t d v d d and such that the chain

d d d f d always stabilizes This leads to overshoot

n n n

ing the least xed p oint but always gives a safe solution By iterating down

from the stabilizationvalue p erhaps by using the technique of narrowing

one may then b e able to recover some of the information lost

Constant propagation This is an example of a lattice which is innite

but has nite height three It is used for detecting variables that dont

vary and has Abs f g where v n v for n

The corresp onding abstraction function is

if V f g

n if V fng V

otherwise

There also exist lattices in which all ascending chains have nite height

even though the lattice as a whole has unbounded vertical extent An

example let Abs N

Safety First Discussion

The analysis of the Collatzsequence program is clearly safe in the follow

ing sense if control reaches p oint C then the value of n will b e even and

similarly for the other program p oints and abstract values Correctness or

soundness of the evenodd analysis for al l possible programs and program

p oints is also fairly easy to establish given the close connection of the ow

equations to those dening the accumulating semantics

Reachable program p oints A similar but simpler reachability analysis

eg for dead co de elimination serves to illustrate a p oint concerning

safety It uses Abs f g with v and abstraction function

dened as follows where a Abs and S Store

S if S fg else

f a if a else

Intuitively abstracts only the empty set of stores and so appropriately

describ es unreachable program p oints while describ es reachable program

p oints Computing the xp oint as ab ove we get

abs abs abs abs abs abs abs

A B C D E F G

This might b e thought to imply that al l program p oints including G

are reachable regardless of the initial value of n On the other hand

reachability of G for input n implies termination and it is a wellknown

op en question whether the program do es in fact terminate for all n

A more careful analysis reveals that at program p oint p represents

p cannot b e reached while represents p might b e reached and so

do es not necessarily imply termination The example shows that we must

examine the questions of correctness and safety more carefully which we

now pro ceed to do

Correctness and Safety

In this and remaining parts of section we describ e informally several dif

ferent approaches to formulating safety and correctness and discuss some

advantages and disadvantages A more detailed domainbased framework will b e set up in section

Desirable Prop erties of the Abstract Value Set Abs

In order to mo del the accumulating semantics equations Abs could b e a

complete lattice a set with a partial order v with least upp er and greatest

lower b ounds t and u to mo del and and such that any collection of

sets of stores has a least upp er b ound in Abs Note any lattice of nite

height is complete In the following we sometimes write a w a in place of

a v a

Desirable Prop erties of the Abstraction Function

Intuitively even represents the set of all even numbers This viewp oint

is made explicit in Cousot a by relating complete lattices Conc and

Abs to each other by a pair of abstraction and concretization functions

with types

Conc Abs

Abs Conc

In the evenodd example ab ove the lattice of concrete values is Conc

Store and the natural concretization function is

ev en f g

odd f g

f g IN

Cousot and Cousot imp ose natural conditions on and satised by the

examples

and are monotonic

a Abs a a

c Conc c v c

C onc

For the accumulating semantics larger abstract values represent larger

sets of stores by condition Condition is natural and condition says

that S S for any S Store

The conditions can b e summed up as form a Galois insertion of

Abs into Store a sp ecial case of an adjunction in the sense of category

theory It is easy to verify the following

Lemma If conditions hold then

c Conc a Abs c v a if and only if c v a and

C onc Abs

is continuous

Thus the abstract ow equations converge to a xp oint If is semihomo

morphic on union intersection and base functions then the abstract ow

equations xp oint will b e p ointwise larger than or equal to the abstraction

of the xp oint of the accumulating semantics equations

Again note that stores are unordered so and need only preserve the

subset ordering The more complex situation that arises when mo delling

nonat domains is investigated in Mycroft

Safety Second Discussion

Recalling the program of section we can dene the solution

abs abs Abs to the abstract ow equations to b e safe with

A G

resp ect to the accumulating semantics acc acc Store if the

A G

reachable sets of stores are represented by the abstract values

acc abs

A A

acc abs

B B

acc abs

G G

This is easy to verify for the evenodd abstraction given b efore

Returning to the question raised after the reachable program p oints

example we see that safety at p oint G only requires that acc abs

G G

ie that every store that can reach G app ears in abs This also holds

if acc is empty so abs do es not imply that G is reachable in any

G G

actual computation For any program p oint X abs implies acc

X X

fg which signies that control cannot reach X Thus abstract value can

b e used to eliminate dead co de

Safe approximation of base functions Consider a base function op

IN IN and extend it by p ointwise lifting to sets of numbers yielding

op IN IN where

opN fopn j n N g

Supp ose satisfy conditions It is natural to dene op Abs Abs

to b e a safe approximation to op if the following holds for all N IN

opN opN or diagrammatically

IN IN

Abs Abs

By the conditions and lemma this is equivalent to

opN v opN

corresp onding to diagram

IN IN

Abs Abs

Intuitively for any subset N IN applying the induced abstract op eration

op to the abstraction of N represents at least all the values obtainable by

applying op to members of N

Induced approximations to base functions We now show how the

b est p ossible approximation op can b e extracted from op at least in princi

ple although p erhaps not computably a more detailed discussion app ears

in section Recall that smaller elements of Abs abstract smaller sets of

concrete values and so are less approximate ie more precise descriptions

Lemma Given IN Abs and Abs IN satisfying the

three conditions ab ove dene the op erator induced by op to b e op Abs

Abs where

op op

Then op is the most precise function on Abs satisfying opN v

opN for all N

Pro of Supp ose f Abs Abs with opN v f N for all N

Then for any a

opa op a v f a f a

The denition of op as a diagram

IN IN

Abs Abs

For example if opn n then op is f as seen ab ove eg

op fn j n g fg

opeven fn j n even g f g

Unfortunately the denition of op do es not necessarily give a terminating

algorithm for computing it even if op is computable In practice the prob

lem is solved by approximating from ab ove ie choosing op to give values

in Abs that may b e larger less informative than implied by the ab ove

equation We will go deep er into this in Subsection

A lo cal condition for safe approximation of transitions A safety

condition on onestep transitions can b e formulated analogously Dene

for any two control p oints p q the function next Store Store

0 0

next S fs j q s next p s for some s S g

This is the earlier transition function extended to include all transitions

from p to q on a set of stores Exactly as ab ove we can dene the abstract

transition function induced by and to b e

next next

pq pq

This is again the most precise function satisfying

next S v next S

pq pq

for all S

An Example the Rule of Signs

Consider the abstract values and with the natural concretization

function

f g

This can b e made into a complete lattice by adding greatest lower and

least upp er b ounds in various ways Assuming u t should mo del

resp ectively the following is obtained

with

f g

f g ZZ

and abstraction function

if S fg else

if S f g else

The induced approximation for op erator ZZ ZZ ZZ is

Comp osition of Safety Diagrams

Supp ose we have two diagrams for safe approximation of two base functions

op and op

IN IN

Abs Abs

and

IN IN

op u

Abs Abs

0 0

It is easy to see that op op is a safe approximation to op op

so the two may b e comp osed

op op

IN IN

op op u

Abs Abs

On the other hand the diagrams for the induced approximations to

base functions cannot b e so comp osed since the b est approximation to

op op may b e b etter than the comp osition of the b est approximations

to op and op This is precisely b ecause is a semihomomorphism

resp ectively not a homomorphism For a concrete example let op and op

describ e the eects of the two assignments

n n n n

Then

op opf g f g odd

whereas

op op fg opeven

Scott Domains Lattice Duality and Meet versus

Join

Relation to Scottstyle domains The partial order v on Abs mo dels

the set inclusion order used for Store in the accumulating seman

tics In abstract interpretation larger elements of Abs corresp ond to more

0 0

approximate descriptions so if a v a then a describ es a larger set of con

crete values For example even describ es any set of even numbers and

describ es the set of all numbers

In contrast Scott domains as used in denotational semantics use an

ordering by information content where a larger domain element describ es

a single value that is more completely calculated During a computation

means not yet calculated intuitively a slot to b e lled later in with the

nal value App earance of in a programs nal result signies was

never lled in and so represents nontermination at least in languages

with eager evaluation

A value in a Scott domain represents p erhaps incomplete knowledge

ab out a single program value for example a nite part of an innite func

0 0

tion f The partial order f v f signies that f is more completely

dened than f and that f agrees with f where ever it is dened if

used at all indicates inconsistent values

Clearly this order is not the same as the one used in abstract interpre

tation and the dierence is more than just one of duality

Least or Greatest Fixp oints Literature on dataow analysis as used

in compilers Aho Sethi and Ullman Hecht Kennedy of

ten uses abstract value lattices which are dual to the ones we consider so

larger elements represent more precise descriptions rather than more ap

proximate This is mainly a matter of taste but has the consequence that

greatest xp oints are computed instead of least ones and that the and

of the accumulating semantics are mo delled by u and t resp ectively

We prefer least xp oints due to their similarity to those naturally used in

dening the accumulating semantics

Should t or u b e Used on Converging Paths We have argued that

t naturally mo dels the eect of path convergence b ecause it corresp onds to

in the accumulating semantics On the other hand there exist abstract

interpretations that are not approximations to the accumulating semantics

and for some of these path convergence is prop erly mo delled by u To

see this consider the two dep endence analyses mentioned in section

For analysis I path convergence should b e mo delled by t since a variable

dep endence is to b e recorded if it o ccurs along at least one path For

analysis I I it should b e mo delled by u since a dep endence is recorded only

if it o ccurs along al l paths So the choice b etween t and u on converging

paths is just another incarnation of the mo dality distinction encountered

in section

Abstract Values Viewed as Relations or Predicates

The accumulating semantics binds to each program p oint a set of stores

Supp ose the programs variables are V V so a store is an element of

Store fV V g Value In the examples ab ove there was only one

variable so a set of stores was essentially a set of values which simplied

the discussion considerably The question arises how can we abstract a

set of stores when n

Indep endent Attribute Analyses

Supp ose value sets are abstracted by Value A The independent

v al

attribute method mo dels a set of stores S at program p oint p by mapping

each variable V to an abstraction of the set of values it takes in all the

stores of S This abstract value is thus indep endent of all other variables

hence the term indep endent attribute For example fX Y

X Y g would b e mo delled by X odd Y

Formally we mo del

S Store fV V g Value

by a function

abs Abs fV V g A

p n

The store abstraction function Store Abs is dened by

sto

S V fsV j s S g

sto i v al i i n

For example consider an evenodd analysis of a program with variables

X Y Z The indep endent attribute metho d would abstract a set of two

stores as follows

fX Y Z X Y Z g

sto

X f g Y fg Z fg

v al v al v al

X Y ev en Z odd

The indep endent attribute metho d abstracts each variable indep endently

of all others and so allows cross over eects An example

fX Y X Y g X Y

fX Y X Y g

This loses information ab out relationships b etween X s and Y s values eg

whether or not they always have the same parity

Relational Analyses

Relations and predicates Abstract value abs is an abstraction of the

set of stores acc so the question arises as to how to represent it by a

lattice element An approach used in Cousot a Cousot b is

to describ e acc and its approximations abs by predicate calculus formulas

p p

For instance the set of two stores fX Y X Y g ab ove

could b e approximately describ ed by the formula

oddX oddY ev enX ev enY

More generally supp ose Store fV V g Value Clearly Store is

isomorphic to Value the set of all ntuples of values Thus any set of

stores ie any element of Store can b e interpreted as a set of ntuples

For example store set fX Y X Y g corresp onds to

f g Thus a store set is essentially a set of ntuples or in other

words an nary predicate or relation

For program p oint p the accumulating semantics denes relation

acc v v to b e true just in the case that v v is a tuple of

p n n

values which can o ccur at p in one or more computations on the given ini

tial input data This is the weakest p ossible relation among variables that

always holds at p oint p

Relational Analyses These use more sophisticated metho ds to approx

imate Store which can give more precise information Examples of

practically motivated program analysis problems that require relational in

formation include aliasing analysis in Pascal the recognition of p ossible

substructure sharing in Lisp or Prolog and interference analysis

For an example not naturally represented by indep endent attributes

supp ose we wish to nd out which of a programs variables always assume

the same value at a given program p oint p A suitable abstraction of a set of

stores is a partition that divides the programs variables into equivalence

classes so any one class of contains all variables that have the same value

at p The eect of an assignment such as p XY goto q is that

is obtained from by removing X from its previous equivalence class and

p adding it to Ys class

Intensional versus extensional descriptions Ab ove we represented

store set

fX Y X Y g

by the binary relation f g and approximated it by the sup erset

fxy j x and y are b oth even or b oth o ddg denoted by the predicate

calculus formula

oddX oddY ev enX ev enY

The view of predicate as a set of tuples and predicate as a formula is

exactly the classical distinction b etween the extensional and the intensional

views of a predicate

Descriptions by predicate calculus formulas must of necessity b e only

approximate since there are only countably many formulas but uncount

ably many sets of stores if we assume an innite variable value set In

terms of predicate calculus formulas for each program p oint p the appro

priate formulation of a safe approximation is that acc logically implies

abs In terms of sets of ntuples each acc is a subset of the set of all

p p

tuples satisfying abs

Abstract Interpretation and Predicate Transformers

The new view of the accumulating semantics is given a program and a

predicate describing its input data the accumulating semantics maps every

program p oint to the smallest relation among variables that holds whenever

control reaches that point

From this viewp oint the function next Store Store is

clearly the forward predicate transformer Dijkstra asso ciated with

transitions from p to q Further acc is clearly the strongest postcondition

holding at program p oint p over all computations on input data satisfying

the programs input precondition

Program verication amounts to proving that each acc logically im

plies a usersupplied program assertion for p oint p Note however that this

abstract interpretation framework says nothing at all ab out program ter

mination This approach is developed further in Cousot b and their

subsequent works

Backwards analyses All this can easily b e dualised the backward predi

cate transformer next Store Store is just the inverse of next

and given a program postcondition one may nd the weakest precondition on

program input sucient to imply the p ostcondition at termination For the

simple imp erative language a backward accumulating semantics is straight

forward to construct For the example program

A while n do

B if n even

then C n n D

else E n n F

o d

the appropriate equations are

acc fg acc f g acc

A G B

acc acc E v ens acc Odds

B C E

acc fn j n acc g

C D

acc fg acc f g acc

D G B

acc fn j n acc g

E F

acc fg acc f g acc

F G B

acc S

G f inal

where acc is the set of all stores at p oint p that cause control to reach

p oint G with a nal store in S

f inal

Such a backward accumulating semantics can for example provide a

basis for an analysis that detects the set of states that may lead to an

error More generally backward analyses although not the one shown here

may provide a basis for future sensitive analysis such as live variables

where variable X is semantically live at p oint p if there is a computation

sequence starting at p and later referencing Xs value This is approximated

by X is syntactically live if there is a program path from p to a use of Xs

value Section contains an example of live variable analysis for functional

programs

Many analysis problems can b e solved by either a forwards or a back

wards analysis There can however b e signicant dierences in eciency

Backwards analysis of functional programs The backwards accu

mulating semantics is straightforward for imp erative programs partly b e

cause of its close connections with the well studied weakest preconditions

Dijkstra and b ecause the state transition function is monadic It is

semantically less well understo o d however for functional programs where

recent works include Hughes Dyb jer Wadler and

Nielson Natural connections b etween backwards analyses and con tinuation semantics are seen in Nielson and Hughes

Imp ortant Points from Earlier Sections

In the ab ove we have employed a rather trivial programming language so

as to motivate and illustrate one way to approximate real computations

by computations over a domain of abstract values Cousots accumulating

semantics Before pro ceeding to abstract interpretation of more interesting

languages we recapitulate what has b een learned so far

Computations in the abstract world are at b est semihomomorphic

mo dels of corresp onding computations in the world of actual values

Safety of an abstract interpretation is analogous to reliability of a nu

merical analysts results the obtained results must always lie within

sp ecied condence intervals usually onesided intervals in the case

of program analysis

To obtain safe results for sp ecic applications it is essential to un

derstand the interpretation of the abstract values and their relation

to actual computational values One example is modality eg all

computations versus some computations

Abstract values often do not contain enough information to determine

the outcome of tests so abstract interpretation must achieve the eect

of simulating a set of real computations

Computations on complete lattices of abstract values appropriately

mo del computations on real values

The partial order on these lattices expresses the degree of precision in

an approximate description and is quite dierent from the traditional

Scottstyle ordering based on lling in incomplete information

Termination can b e achieved by choosing lattices without innite

ascending chains

Best approximations to real computations exist in principle but may

b e uncomputable

There are close connections b etween the accumulating semantics

and the predicates and predicate transformers b oth forwards and

backwards used in program verication

Towards Generalizing the Cousot Framework

Abstract interpretation is a semanticsbased approach to program analy

sis but so far we have only dealt with a single rather trivial language

Rather than redo the same work for every new language we set the foun

dations for developing a general framework based on denotational seman

tics This is a widely used and rather general formalism for dening

the semantics of programming languages see Schmidt Stoy

Gordon Nielson a Other p ossibilities include axiomatic and

structural op erational semantics Plotkin and natural semantics Kahn

Nielson a They are also general frameworks but ones in which few

applications to abstract interpretation have b een developed although op

erational semantics seems esp ecially promising

The approach will b e developed stepwise First a denotational seman

tics is given for essentially the simple imp erative language seen b efore This

is then factored into two stages into a core semantics and an interpretation

The interpretation sp ecies the details relevant to a sp ecic standard or

abstract interpretation of the programs values and op erations and the

core semantics sp ecies those parts of the semantics that are to b e used in

the same way for all interpretations It is then shown how given a xed

core semantics interpretations may b e partially ordered with resp ect to

degree of abstractness and it is shown that a concrete interpretations

execution results are always compatible with those of more abstract in

terpretations This provides a basis for formally proving the safety of an

analysis for example by showing that a given abstract interpretation is an

abstraction of the accumulating interpretation The last step is to describ e

briey a way to generalize this approach to denotational denitions of other

languages this gives a bridge to the development of section

Earlier pap ers using this approach include DonzeauGouge Nielson

Jones

Denotational semantics has three basic principles

Every syntactic phrase in a program has a meaning or denotation

Denotations are welldened mathematical ob jects often higherorder

functions

The meaning of a comp ound syntactic phrase is a mathematical com

bination of the meanings of its immediate subphrases

The last assumption is often called compositionality or according to

Stoy the denotational assumption Phrase meanings are most often given

by expressions in the typed lambda calculus although other p ossibilities

exist A denotational language denition consists of the following parts

a collection of domain denitions to b e used as types for the lambda expressions used to dene phrase meanings

a collection of semantic functions usually one for each syntactic

phrase type

a collection of semantic rules dening them expressing the meanings

of syntactic phrases in terms of the meanings of their substructures

usually by lambda expressions

A tiny denotational language denition For an example consider a

language of whileprograms with abstract syntax

c Cmd x e j c c

j if e then c else c j while e do c

e Exp x j Constant j ope e

where x is assumed to range over a set Var of variables op is a basic

op eration eg and Constant denotes any member of a not

further sp ecied set Value of values The part of a denotational semantics

relevant to commands could b e as follows where the traditional semantic

parentheses and enclose syntactic arguments In the following Store

and Value are as b efore except that for concreteness we sp ecify Value is

the set of numbers Each can b e thought of as a at Scott domain with

0 0

d v d i d or d d

Sp ecifying the semantics of a while lo op requires as usual evaluating

a xp oint over domain Store Store ordered p ointwise s v s i sx

v s x for all variables x

Domain denitions

s Store Var Value

Value Number

Types of semantic and auxiliary functions

C Cmd Store Store

E Exp Store Value

Semantic rules

Cx e s sx Ee s

Cc c s CcCc s

Cif e then c else c s Ee s Cc s Cc s

Cwhile e do c x s Ee Cc s s Note that all the rules are comp ositional

Factoring a Denotational Semantics

The principle of comp ositionality provides an ideal basis for generalizing

the denotational semantics framework to allow alternate nonstandard in

terpretations in addition to the standard semantics dening the meanings

of programs The idea is to decomp ose a denotational language denition

into two parts

a core semantics containing semantic rules and their types but using

some uninterpreted domain names and function symbols and

an interpretation lling out the missing denitions of domain names

and function symbols

The interpretation is clearly a manysorted algebra Examples include the

standard interpretation dening normal program execution an accumu

lating interpretation analogous to the accumulating semantics of section

and as well more approximate and eectively computable interpretations

suitable for program analysis eg for parity analysis

Scott Domains versus Complete Lattices In denotational semantics

the denoted values are nearly always elements of domains in the sense

of Dana Scott and others These are cp os complete partial orders with

usually required to b e algebraic For material on domains see the list

of references in the b eginning of this chapter

On the other hand for abstract interpretation purp oses it is usual to

use complete lattices for reasons mentioned earlier There is no basic con

ict here since cp os include complete lattices as a sp ecial case On the

other hand the interpretation of the partial order is somewhat dierent in

semantics than in abstract interpretation as mentioned in section so

some care must b e taken This matter is further addressed in section

An example factorized semantics For the imp erative language ab ove

we obtain the following where domains Sto and Val and functions assign

seq cond while are unsp ecied

Domain denitions

M Sto Sto

C md

M Sto Val

E xp

Sto Val unsp ecied

Types of semantic and auxiliary functions

C Cmd M

C md

E Exp M E xp

assign Var M M

E xp C md

seq M M M

C md C md C md

cond M M M M

E xp C md C md C md

while M M M

E xp C md C md

Semantic rules

Cx e assignx Ee

Cc c seqCc Cc

Cif e then c else c condEe Cc Cc

Cwhile e do c whileEe Cc

The standard interpretation This is I Val Sto assign seq

std

cond while dened by

Domains

Val Number the at cp o

Sto Var Val

Function denitions

assign x m s sx m s

e e

seq m m m m

c c c c

cond m m m s m s m s m s

e c c e c c

while m m x s m s m s s

e c e c

The Evenodd Interpretation

With the current machinery a general formulation of the evenodd analysis

of section may b e given as our rst nonstandard interpretation

I Val Sto assign seq cond while

par ity

where Val etc are given by

Domains

Val f even o dd g with partial order

v even v and v o dd v

Sto Var Val

Function denitions

assign x m s sx m s

e e

seq m m m m

c c c c

cond m m m s m s t m s

e c c c c

while m m x s m s t s

e c c

Remarks

This is an independent attribute approximation a set of stores is

mo delled by mapping its variables values indep endently to elements

of Val

For the conditional no attempt is made to simulate the test In

stead the b est description tting b oth the then and else branches is

pro duced

The xp oint clearly mo dels the one in the standard interpretation

again without simulating the test Termination is assured since Sto

has nite height and any one program has a nite number of variables

The Accumulating Semantics as an Interpretation

The accumulating semantics seen earlier was only given by example With

the current machinery a general formulation may b e given I Val

acc

Sto assign seq cond while where Val etc are given by

Domains

Val Number

Sto Storeset typical element S

Storeset Var Val a set of stores

Function denitions

assign x m S fsx v j s S and v m fsgg

e e

seq m m m m

c c c c

cond m m m S

e c c

m fs S j m fsgg m fs S j m fsgg

c e c e

while m m x S

e c

fs S j m s g m fs S j m s g

e c e

Here the denotation of CCmd has b een lifted from Sto Sto to Sto

Sto so it now transforms a set of current states into the set of

p ossible next states To relate this to the earlier accumulating semantics

of section consider for example the program fragment C n n

D of section Then

Cn nacc acc

C D

In general Cc realizes the same transformation on store sets as dened by the data ow equations for command c

Proving Safety by Logical Relations

Safety from a Denotational Viewp oint

Supp ose we are given two interpretations

I Val Sto assign seq cond while

and

I Val Sto assign seq condwhile

and a pair of abstraction functions

Val Val Sto Sto

v al sto

where and are monotone We write this as I I Dene s v

v al sto

s to hold i s X v sX for all variables X Var

Denition I I is safe if for all c Cmd and s Sto

c s C c s v C

sto sto I I

where C Sto Sto is the semantic function obtained using assign seq

etc and C is analogous but using assign seq etc

0 0

Recall that a v a signies that a is a more approximate description

than a This denition says that the result of computing in the real

world and then abstracting the resulting store gives a result that is safely

approximable by rst abstracting the real worlds initial store and then

computing entirely in the abstract world It is thus simply a reformula

tion in denotational terms of the earlier condition on safe approximation

of transitions

next S v next S

pq pq

where p and q are resp the entry and exit p oints of command c and

plays the role of

A Sucient Lo cal Condition for Safety

While pleasingly general this denition is unfortunately global it quan

ties over all commands c It would b e strongly desirable to have local

conditions on assign seq etc sucient to guarantee safety in the sense

ab ove This can b e done but requires rst setting up a bit of descriptive

machinery The problem is that denotational denitions use higher order

functions and cartesian pro ducts whereas the earlier conditions for safety

were developed only for rst order domains

The solution we present is an instance of logical relations an approach

to relating values in dierent but simlarly structured domains that will b e

developed further in Section

Supp ose we have two interpretations I and I of our simple imp erative

core semantics related by Val Val Sto Sto where

v al sto

and are again monotone Our goal is to see how to extend to

v al sto

apply to all domains built up from those of I and I Supp ose further that

domain A is built by and from the domains of I and a corresp onding

domain A is built in the same way from the domains of I We dene

the binary relation a a which will hold whenever a A is a safe

approximation of the corresp onding element a A

0 0

Denition Supp ose Val Val and v Val v Val Then

v al

0 0

v v if and only if v v v and similarly for Sto

v al sto

Sto

0 0

Let a b AB a b AB and A A B B

A B

b e monotone Then

0 0

a b a b

if and only if

0 0

b a and b a

B A

Let f A B g A B and A A B B b e

A B

monotone Then

f g if and only if

0 0 0 0

g a a impliesf a a A a A a

B A

This notation allows an alternate characterization of safety

Lemma I I is safe if and only if C c C c for all c Cmd

I I

Pro of If by C c C C c holds if and only if C cs c

0 0

sto

I I I I

s In particular we have s s hence s whenever s

sto

c s C cs v C

sto sto I I

so is safe as dened b efore

Only if if is safe and s s then

0 0

c s c s v C C c s v C

sto I sto I I

c easily veried 2 by monotonicity of C

It is now natural to extend the denition of to allow comparison of

interpretations Given this we are nally ready to dene a lo cal safety con

dition which implies global safety Pro of is by a straightforward induction on program syntax

Denition Let I I b e dened as ab ove Then I I if and only

assig n assig n

seq seq

cond cond

w hil e w hil e

Theorem I I is safe if I I

A straightforward generalization of these ideas to arbitrary denotational

denitions provides a very general framework for program analysis by in

terpreting programs over nonstandard domains and gives a way to show

that one abstract interpretation is a renement of and compatible with

another This observation is the starting p oint for the development in the

section b elow

For a very simple example the following is easy to show Its signi

cance is that the accumulating semantics is a faithful extension of with the

standard semantics

Lemma Let I Val Sto assign seq cond while and I Val

std acc

Sto assign seq cond while b e the standard and accumulating seman

tics Then I I where v fvg for v Val and s fsg

std acc v al sto

for s Sto

3 Abstract Interpretation Using a TwoLevel

Metalanguage

In the previous section we have given a survey of many concepts in abstract

interpretation We have stressed that abstract interpretation should b e

generally applicable to programs in a wide class of languages that it should

always pro duce correct prop erties and that it should always terminate

To ensure the general applicability of abstract interpretation we adopt

the framework of denotational semantics Most mo dern approaches to de

notational semantics stress the role of a formal metalanguage in which the

semantics is dened So rather than regarding denotational semantics as

directly mapping programs to mathematical domains one regards denota

tional semantics as factored through the metalanguage This is illustrated

by the upp er half of Figure First one uses the semantic equations to

expand programs into terms in the metalanguage and then one interprets

the terms in the metalanguage as elements in the mathematical domains used in denotational semantics

Domains

Denotational

Standard

Semantics

Interpretation

Semantic

Programs

Terms

Equations

Abstract H

H Interpretation

Semantics H

Prop erties

Fig The Role of the Metalanguage

Following our informal presentation of a parameterised semantics in

Subsection we take a similar factored approach to abstract interpreta

tion This is illustrated in the lower half of Figure which furthermore

stresses that the semantic equations are the same The Semantic Equa

tions thus corresp ond to the core semantics of Subsection From the

p oint of view of developing a general theory the fo cus will b e on the met

alanguage but we trust that the reader will b e able to see for himself that

the development is of wider applicability than just the simple metalan

guage considered here Its syntax is dened in Subsection and we give

example interpretations ie semantics in Subsection

Correctness of abstract interpretation will b e our guide throughout the

development In Subsection we therefore give a structural denition of

correctness relations b etween interpretations thereby extending the devel

opment surveyed in Subsection As an example we dene correctness

relations b etween the standard interpretation and one of the abstract in

terpretations dened in Subsection

Closely related to the question of correctness is the question of whether

b est induced prop erty transformers exist over the abstract domains We

treat this in Subsection and we consider the easier case of relating

abstract interpretations to one another as well as the harder case of relating

an abstract interpretation to the standard interpretation Induced prop erty transformers need not terminate but are none the less useful as guides in

determining the degree of approximation that will b e needed to ensure

termination

The termination asp ect motivates the study in Subsection of coarser

versions of the induced prop erty transformers which have the advantage of

leading to analyses that will always terminate Subsection concludes by

mentioning some generalisations that are p ossible Nielson and by

discussing some issues that have not yet b een incorp orated in this treate

ment

Syntax of Metalanguage

Most metalanguages for denotational semantics are based on some version

of the calculus Dep ending on the kind of mathematical foundations

used for denotational semantics the metalanguage may b e without explicit

types or it may have explicit types We shall not pay great attention to this

dierence and in many instances the various algorithms for p olymorphic

type inference may b e used to introduce types into an untyped notation

As our starting p oint we thus assume that our metalanguage is a small

typed calculus

Denition The Typed Calculus has types t T and expressions

e E given by

t A j t t j t t

e f t j he e i j fst e j snd e j

x t e j e e j x j fix e j if e then e else e

i i

Concerning types we have base types A where i ranges over a countable

index set say I and we have pro duct and function space Here binds

more tightly than and b oth asso ciate to the right We shall not sp ecify

the details of the countable index set but we shall assume that we have

b o oleans A also written Bool integers A also written Int and

b o ol int

other useful base types However nothing precludes us from having a base

type A of machine stores and if the store contains just two values say

sto

an integer and a b o olean we may write A for A The dierence

intb o ol sto

b etween types like A and A A will b ecome clear in Subsection

intb o ol int b o ol

Concerning expressions we have basic expressions f t of type t where

again i ranges over a countable index set This index set need not b e

the same as the one used for the A ab ove but whenever we need to name

it we shall use the same symbol I as ab ove Again we exp ect to have

familiar basic expressions like the truth values f Bool and f Bool

true false

also written trueBool and falseBool or just true and false integers like

f Int also written Int or just and simple op erations like equality

f IntIntBool also written IntIntBool or just Much as

for the A nothing prevents us from writing eg

f IntIntBool in order to clarify the intended meaning of

xyxyy

some basic expression The remaining constructs for expressions are pair

ing selection of comp onents abstraction application variables xed

p oints and conditional We shall assume that application binds more tightly

than fst snd and fix

The use of underlining

We shall p ostp one the discussion ab out wellformedness of expressions in

the typed calculus b ecause the syntax is not yet in a form that will suit

our purp ose to prescrib e a systematic approach to separating a denota

tional semantics into its core part and its interpretation part to use the

terminology of Subsection To motivate this we recall from Section

that for a given programming language or example semantics there are

some constructs that we might wish to interpret in dierent ways in dif

ferent analyses whereas there are other constructs that we might as well

interpret in the same way in all analyses To indicate this distinction in

a precise way we shall use the convention that underlined constructs are

those that should have the freedom to b e interpreted freely

Beginning with the types we might consider a syntax as given by

t A j A j t t j t t

i i

instead of A whenever the also written Int so that we would use A

int int

integers are used in a context where we would like to p erform abstract

interpretation up on their values Thus if we want to consider the store of

an imp erative programming language as a base type we will always use A

sto

rather than A If we want to consider a structured version of the store

sto

where we have a xed set A of identiers and a xed set A of values

ide val

rather than eg A A or A A we shall use A A

val ide val ide val ide

However this notation for types do es not allow us to illustrate all the

p oints we will need for a general theory of abstract interpretation although

it would suce for formalizing the development in Subsection Exam

ples include the discussion of forward versus backward analyses and the

discussion of indep endent attribute versus relational metho ds To cater for

this we prop ose the syntax

t j t t j t t j t t j t t A j A

i i

and we shall use the phrase twolevel types for these This will turn out to

b e a bit to o lib eral for our abilities so we shall need to imp ose various well formedness conditions up on the types but in order to motivate them it is

b est to p ostp one this until they are needed for the technical development

In actual applications there might well b e the need for distinguishing b e

tween various o ccurrences of and and one might then allow a notation

like and where i ranges over some index set However as the theory

i i

hardly changes we shall leave this extension to the reader

Turning to the expressions a simple solution would b e to keep the

syntax of expressions as given in Denition with the understanding

that the types t in the basic expressions f t now range over the larger

set of twolevel types However this is not quite in the spirit of the typed

calculus as we now have types without corresp onding constructors and

destructors We shall therefore adopt a more comprehensive syntax of

expressions by extending the use of underlining to the expressions

Denition The Twolevel Calculus has types t T and expres

sions e E given by

t j t t j t t j t t j t t A j A

i i

e f t j he e i j h e e i j fst e j fst e j snd e j snd e j

x t e j x t e j e e j e e j x j

i i i

e j if e then e else e j if e then e else e fix e j fix

Here the intention is that if eg e is of type t and e is of type t then

he e i will b e of type t t and h e e i will b e of type t t and similarly

for the other op erators We do not have two versions of f t as f t simply

i i

is a basic expression of the type indicated nor do we have two versions of

x as x simply is a placeholder for a p ointer to the enclosing x or x

i i i i

In this notation an op eration seq for sequencing two commands op erating

on a store Sto might b e dened by

Sto x StoSto x Sto x x x seq x Sto

sto sto

It will have type

StoStoStoStoSto Sto

and may b e used as in C c c seqC c C c

Combinators

The motivation b ehind the use of underlining was to separate the more dy

namic constructs that need to b e interpreted freely from the more static

constructs whose interpretation never changes Unfortunately the twolevel

calculus is not in a form that makes this suciently easy The problem

is the o ccurence of free variables and esp ecially those b ound by This is not a novel problem and solutions have b een found

When interpreting the typed calculus in arbitrary cartesian closed

categories one studies certain combinators categorical combinators

whose interpretation in a cartesian closed category is rather straight

forward

When implementing functional languages one often transforms pro

grams to combinator form b efore p erforming graph reduction

This motivates

Denition The Twolevel Metalanguage has types t T and ex

pressions e E given by

t j t t j t t j t t j t t A j A

i i

e f t j he e i j Tuplehe e i j fst e j Fst e j snd e j Snd e

j x t e j Curry e j e e j Applyhe e i j x j Idt j e 2e

i i

j Constt e j fix e j Fix e j if e then e else e j Ifhe e e i

Here we have retained those expression constructs that were not under

lined we have replaced the underlined expression constructs by combina

tors and we have added the new combinators Idt 2 and Constt We

shall regard application as binding more tightly than the prexed op erators

fst Fst snd Snd Curry Constt fix and Fix The intention with

the combinators may b e claried by

Tuplehe e i x he x e x i

Fst e x fst e x

Snd e x snd e x

Curry e x x e hx x i

Applyhe e i x e x e x

Idt x x

x e e x e 2 e

Constt he i x e

Fix e x fix e x

Ifhe e e i x if e x then e x else e x

This should b e rather familiar to anyone who knows a bit of categorical logic

or a bit of a functional language like FP In this notation the sequencing

op erator seq used ab ove simply is

seq x Sto Sto x StoSto x 2 x

tenv f t t if t

cc i c

tenv e t tenv e t

cc cc

tenv he e i t t

tenv e t t tenv e t t

cc cc

tenv Tuplehe e i t t t

if t t t t t t t

tenv e t t

tenv fst e t

tenv e t t t

tenv Fst e t t

if t t t t t

tenv e t t

tenv snd e t

tenv e t t t

tenv Snd e t t

t t t t if t

tenv t x e t

i cc

if t

tenv x t e t t

cc i

tenv e t t t

tenv Curry e t t t

if t t t t t t

tenv e t t tenv e t

cc cc

tenv e e t

tenv e t t t tenv e t t

cc cc

tenv Applyhe e i t t

if t t t t t t t

tenv x t if t tenv x t

cc i c i

Table Wellformedness of Expressions part

and thus there hardly is any need to name it

To complete the denition of the twolevel metalanguage we must ex

plain when expressions are wellformed We have already said that we

shall need to imp ose conditions on the types as we go along and the well

formedness condition will b e inuenced by this although in a rather indirect

way As we shall see later these parameters may restrict types so that they

eg denote complete lattices We shall therefore write TMLcc for a

tenv Idt t t if t t

cc c

tenv e t t tenv e t t

cc cc

tenv e 2 e t t

if t t t t t t

tenv e t

tenv Constt e t t

if t t t

tenv e t t

tenv fix e t

t t tenv e t

tenv Fix e t t

if t t t t t

tenv e Bool tenv e t tenv e t

cc cc cc

tenv if e then e else e t

tenv e t Bool tenv e t t tenv e t t

cc cc cc

tenv Ifhe e e i t t

Bool t t t t t t if t

Table Wellformedness of Expressions part

version of the twolevel metalanguage where types are constrained as indi

cated by the parameters c and c We then write t to express that

the type t is wellformed with resp ect to the constraint c Whenever we

say that t is a wellformed type of TMLcc we shall mean t b ecause

in general c will b e more lib eral than c ie c will imply c Next we

write

tenv e t

for the wellformedness of an expression e of intended type t assuming that

the free variables of e have types as given by tenv Here tenv is a type

environment ie a mapping from a nite subset of the variables fx ji I g

to the types T We refer to Tables and for the denition of tenv e

t but we p oint out that the constraint c is used to constrain the types of

variables whereas the constraint c is used to constrain the types of basic expressions and combinators

We shall say that the expression e is closed if it has no free variables so

that tenv may b e taken as a mapping from the empty set Also we shall

say that a combinator is used with type t if t is the side condition

that needs to b e veried in order to apply the rule for As an example 2

is used with type Sto StoStoStoStoSto in the expression

for seq displayed ab ove

Fact If tenv e t and tenv e t then t t 2

cc cc

Pragmatics of the metalanguage

We shall end this subsection with a few pragmatic considerations ab out the

relationship b etween the twolevel metalanguage and the typed calculus

we to ok as our starting p oint One of our rst p oints was not to pay

great attention to the dierence b etween a typed calculus and an un

typed calculus b ecause the various algorithms for type analysis might

b e of use in transferring types into an otherwise untyped expression In

quite an analogous way we shall not pay great attention to the dierence

b etween a typed calculus and a twolevel calculus as one can develop

an algorithm for binding time analysis Nielson b that is useful for

transferring the underlining distinction into a typed expression without

this distinction Continuing this line of argument we shall not pay great

attention to the dierence b etween a twolevel calculus and the twolevel

metalanguage adopted in Denition b ecause one can develop a vari

ant of bracket abstraction called twolevel lifting Nielson c that

will aid in transforming underlined constructs to combinator form

The choice of combinators in the twolevel metalanguage suits the

calculus well but one may regard them as nothing but gloried versions of

the basic expressions f t ie that for a few of the basic expressions f t

i i

we have decided to use a dierent syntax This means that one could as

well study combinatorlike basic expressions that would b e more suitable

for languages like PASCAL PROLOG OCCAM or action semantics

However we always have the notation available and we would only wish

to restrict this in settings where the resulting metalanguage is so big as

to make it hard to develop an analysis We shall see examples of this in

the next subsection where we dene the parameterised semantics of the

metalanguage

Sp ecication of Analyses

Following most approaches to denotational semantics we shall interpret

the types of the metalanguage as domains We saw in Section that for

abstract interpretation there is a sp ecial interest in the complete lattices

and we shall restrict our attention to the algebraic lattices which are those

complete lattices that are additionally domains Roughly the idea will

b e to interpret the nonunderlined type constructs as domains whereas

underlined type constructs will b e interpreted as algebraic lattices when

we are sp ecifying abstract interpretations and as domains when we are

sp ecifying the standard interpretation

To b e selfcontained we shall briey review a few concepts that have

b een treated at greater length in previous chapters of this handb o ok

Denition A chain in a partially ordered set D D v is a se

quence d of elements indexed by the natural numbers such that d vd

n n n m

whenever nm A cpo D is a partially ordered set with a least element

and in which every chain d has a necessarily unique least upp er

n n

b ound d The cp o D is consistently complete if every subset Y of D

n n

that has an upp er b ound in D also has a least upp er b ound Y in D An

element b in a cp o D is compact if whenever b v d for a chain d we

n n n n

have some natural number n such that b vd A subset B of D is a basis

if every element d of D can b e written as d b where b is a chain

n n n n

in D with each b an element of B A domain is a consistently complete

cp o with a countable basis B of compact elements We shall use the term

algebraic lattice for those complete lattices that are also domains ie for

those domains in which any subset has an upp er b ound 2

Denition A function f D E from a domain D D v to an

other domain E E v is monotonic if it preserves the partial order and

is continuous if it preserves the least upp er b ounds of chains ie f d

n n

f d It is additive sometimes called linear if it preserves all least

n n

F F

upp er b ounds ie f Y ff y jy Y g whenever Y has a least upp er

b ound It is binary additive if f d td f d tf d and is strict if it

preserves the least element ie f It is compact preserving if it

preserves compact elements ie f b B whenever b B A continuous

E D

function f D D from a domain D D v to itself has a least xed p oint

given by FIXf f ie f FIXf FIXf and whenever f d

d or indeed f d v d we have FIXf v d 2

Denition A predicate P over a domain D D v is a function

from D to the set ftruefalseg of truth values It is admissible if P holds

and if P d holds whenever d is a chain such that P d holds for

n n n n n

every element d For an admissible predicate P we have the induction

principle

P d P f d

P FIXf

whenever f is continuous In a similar way we dene the notion of ad

missible relation since a relation b etween the domains D D n is

nothing but a predicate over the cartesian pro duct D D where the

partial order is given in the usual comp onentwise manner 2

Interpreting the types

For a type t the denition of its interpretation t I is by structure on the

syntax of t As we shall see it will make use of the parameter I whenever

underlined constructs are encountered Actually the parameter I may b e

t e

regarded as b eing a pair I I and for the denition of t I it is only

the I comp onent that will b e needed

A I some a priori sp ecied domain A

i i

with A the domain ftruefalseg of b o oleans

b o ol

and A the domain fg of integers

int

t t I t I t I

where the elements are the pairs of elements

and the partial order is dened comp onentwise

t t I t I t I

where the elements are the continuous functions

and the partial order is f vg i d f d v g d

I I A

t I I t I t I t

t t I I t I t I

The demands on the parameter I are expressed in

Denition An interpretation I or I of types is a sp ecication

a prop erty I P of domains eg is a domain or is an algebraic

lattice

for each i a domain I with prop erty P

t t

op erations I and I on domains with prop erty P such that the

result is a domain with prop erty P

We shall use the term domain interpretation for an interpretation of types

where the prop erty P equals is a domain and we shall use the term lattice

interpretation for an interpretation of types where the prop erty P equals

is an algebraic lattice 2

Clearly domain interpretations are of relevance when sp ecifying a stan

dard semantics and lattice interpretations are of relevance when sp ecifying

abstract interpretations

Unfortunately we will have to imp ose certain wellformedness conditions

up on types for the ab ove equations to dene a domain As an example

Int will not b e wellformed b ecause Int

t t

Int Int I I A I

int

is an algebraic lattice eg that for the detection and even though I

int

of signs A is not and so one cannot apply I when I is a lattice

int

interpretation Since we have argued that the use of algebraic lattices is

a very natural setup for abstract interpretation we conclude that we should

Int ban Int

With this motivation we shall dene the predicates

ltt to ensure that t will b e interpreted as an algebraic l attice when

p erforming abstract interpretation

dtt to ensure that t will b e interpreted as a d omain in any inter

pretation

Denition The predicates lt for lattice type and dt for domain

type are dened by

A A t t t t t t t t

i i

lt false true lt lt lt lt dt lt lt lt

dt true true dt dt lt lt dt dt lt lt

where we write lt for ltt etc 2

We shall regard a type t as b eing wellformed whenever dtt holds and

write t as a record of this

Prop osition The equations for t I dene a domain when t is a

wellformed type in TMLdtdt and I is a domain or lattice interpretation

Pro of Let I b e an interpretation of types that sp ecies the prop erty

I P where PD either means that D is a domain or that D is an

algebraic lattice By induction on the structure of types t we will show

if dtt then t I sp ecies a domain

if ltt then dtt and t I has prop erty P

The cases A and A are straightforward The case t t follows b ecause

i i

D D is a domain whenever D and D are and an algebraic lattice when

t follows from the assumptions The ever D and D are The case t

case t t follows b ecause D D is a domain when D and D are and

an algebraic lattice when D is a domain and D is an algebraic lattice

The case t t follows from the assumptions 2

We thus see that a type like Int Int is not wellformed whereas general

ising Nielson a type like IntIntInt will b e wellformed and

will denote an algebraic lattice in any abstract interpretation ie in any

lattice interpretation Furthermore it should now b e clear that A

intb o ol

A A A A and A will b e treated dierently in the seman

intb o ol int b o ol int b o ol

tics

Interpreting the expressions

To dene the meaning of a wellformed expression we shall consider a type

environment tenv with domain fx x g and a wellformed expression e

of type t ie

tenv e t

dtdt

Without loss of generality we may assume that t whenever t tenv x

dt i i i

as otherwise x could b e removed from the type environment due to the

formulation of the axiom for x in Table The semantics of e relative to

the interpretation I is an entity

e I t I t I t I

tenv n

where again t tenv x That this makes sense is a consequence of

i i

Fact If tenv e t then t 2

dtdt dt

The denition of e I is by structural induction on e and again we

tenv

t e

shall use the interpretation I ie I I supplied as a parameter when

we come to the underlined constructs Writing e I for e I we

tenv

have

f t I I

he e i I e I e I

Tuplehe e i I I e I e I where Tuple is used

Tuplet

with type t

fst e I d where d d e I

Fst e I I e I where Fst is used with type t

Fstt

snd e I d where d d e I

Snd e I I e I where Snd is used with type t

Sndt

It is rather demanding to assume that domtenv is always of the form fx x g

for some natural number n but as it simplies the notation considerably we shall stick

to this assumption Alternatively one might mo del a type environment as a list of pairs

of the form x t

i i

x t e I d t I e I d x

i i

tenvt x

where d d d x d d d if in

n i n

and d d d x d d d if in

n i n

Curry e I I e I where Curry is used with type t

Curryt

e e I e I e I

Applyhe e i I I e I e I where Apply is used

Applyt

with type t

x I d where d d

i i n

Idt I I

Idt ! t

e 2 e I I e I e I where 2 is used with type t

e I where Constt is of type t Constt e I I

Constt

fix e I FIXe I

Fix e I I e I where Fix is used with type t

Fixt

e I if e I true

e I if e I false

if e then e else e I

if e I

e I e I e I where If is used Ifhe e e i I I

Ift

with type t

To prevent any misconception we p oint out that the pattern matching eg

d where d d e I

may b e replaced by the use of explicit destructors eg

p where p e I

and that similarly the where may b e replaced by textual substitution eg

e I

The demands on the parameter I are claried by

Denition An interpretation I is a sp ecication of

an interpretation I of types that is a domain interpretation or a

lattice interpretation

for each basic expression or combinator an entity in the required domain ie

I t I

t I t I t t I

0 00 0 00

t !t !t !t !t t Tuplet !

t t t I

t I t t I t t I

0 00 0

t t !t !t Fstt !

t t I t t I t I

0 00 00

t t !t !t Sndt !

t t I t t t I t I

00 0 00 0

t !t !t !t !t Curryt

I t t t I t t I

0 00 0 00

Applyt ! t !t !t !t !t !t

t I t

I t I t

Idt ! t

t I t I t t I t t I

00 0 00 0

t !t !t !t !t 2t !

t I t t I I

0 0

t Constt !t !

t t I t t I t I

0 0 0

t !t !t !t Fixt !

I BoolI t t I t

0 0 0

Ift ! Bool !t !t !t !t !t !t

t I t t I t

are such Here we must assume that the types t indexing each I

that I is only applied to wellformed types ie types t such

that t and this is equivalent to assuming that t

dt dt

To simplify the notation we shall henceforth feel free to omit the type and

type environments as subscripts and thus write e I for e I and

tenv

e e

for I In a sense we regard the combinators as having a kind of I

p olymorphic interpretation

Prop osition The equations for e I dene a value when e is a

wellformed expression in TMLdtdt and I is a domain or lattice inter

pretation 2

Pro of The assumptions on I ensure that t I is a welldened do

main whenever t We shall show by structural induction on an expres

sion e that

if tenv e t where domtenv fx x g tenv x t and

dtdt n i i

dt i

then e I t I t I t I and this domain do es

tenv n

exist

The pro of makes use of Fact to ensure that the type t of e is unique so

that also the types indexing each I are unique Furthermore it makes use

of Fact to ensure that the type t of e is wellformed so that given the

inference rules of Tables and we only request a I in a domain that

must exist by Prop osition The structural induction is now mostly

straightforward and we shall omit the details 2

Example interpretations

We now present a total of ve examples a lazy standard semantics detec

tion of signs in an indep endent attribute formulation strictness liveness

and detection of signs in a relational formulation The main p oint of

these examples is to demonstrate the generality obtained by varying the

interpretation of the underlined types and type constructors The last two

examples are somewhat technical and the details are not vital for the re

mainder of the development

Example Lazy Standard Semantics In this example we dene

the standard semantics of the metalanguage This amounts to sp ecifying a

domain interpretation S and for types we have

equals is a domain the prop erty S

S A the a priori chosen domains for the types A

i i

t t

S cartesian pro duct and S continuous function

space

In other words we do not distinguish b etween underlined and nonunderlined

types and constructors and this should not b e surprising in a standard se

mantics We may note from this example that wellformedness of a type

t is a sucient condition for t S to b e dened but it is not necessary

as t S is in fact dened as a domain for all types t If we wanted an

eager standard semantics instead we might take S to b e a socalled smash

pro duct and S to b e strict function space

Turning to the expression part we have

is some a priori xed element of t S S

eg S true etc

true

S v v w v w v w

Tuple

S v w d where d d v w

Fst

S v w d where d d v w

Snd

S v w w v w w

Curry

S v v w v w v w

Apply

S w w

S v v w v v w

S v w v Const

S v w FIXv w

Fix

v w if v w true

v w if v w false

S v v v w

if v w

This denition is in agreement with the informal explanation of the com

binators that we gave in Subsection 2

Example Detection of Signs I In this example we do need

the distinction b etween underlined and nonunderlined types in order to

b e able to formalize the abstract interpretation for detecting the signs of

the integers We sp ecify a lattice interpretation I and for types we have

equals is an algebraic lattice the prop erty I

include the lattices I

b o ol

int

t t

I cartesian pro duct and I continuous function space

Turning to the expressions we have

I is some a priori xed element of t I

e e

eg I tt I etc

true

v v w v w v w I

Tuple

v w d where d d v w I

Fst

I v w d where d d v w

Snd

I v w w v w w

Curry

v v w v w v w I

Apply

I w w

I v v w v v w

I v w v

Const

I v w FIXv w

Fix

v w if v w tt

v w if v w

I v v v w

if v w

v w tv w if v w

is welldened we shall as To see that I

0 0 0

Bool !t !t !t !t !t !t Ift !

sume that the type in the subscript is wellformed Then we have ltt so

that by the pro of of Prop osition the domain t I is a complete

lattice Hence the least upp er b ound exists and as the binary least up

will b e an element of the required p er b ound op eration is continuous I

continuous function space 2

Example Strictness Simplifying the lattices of the previous ex

ample we arrive at a strictness analysis Since this analysis is by far the

most cited analysis for lazy functional languages we briey present its sp ec

ication As in the previous example we sp ecify a lattice interpretation T

and for types we have

the prop erty T equals is an algebraic lattice

the lattices T are

t t

T cartesian pro duct and T continuous function

space

Turning to the expressions we have

is some a priori xed element of t T T

e e

eg T T etc

true

T v v w v w v w

Tuple

v w d where d d v w T

Fst

v w d where d d v w T

Snd

T v w w v w w

Curry

T v v w v w v w

Apply

w w T

T v v w v v w

T v w v

Const

T v w FIXv w

Fix

if v w

T v v v w

v w tv w if v w

Welldenedness of this sp ecication follows much as in the previous ex

ample 2

Example Liveness In the previous two examples we used the

ability to interpret the A in a dierent manner than in the standard seman

tics In this example we shall additionally need the ability to interpret the

type constructor in a dierent manner than in the standard semantics

The reason for this is that liveness analysis is a backward analysis which

means that the direction of the analysis is opp osite to the ow of control

We sp ecify the analysis by dening a lattice interpretation L and for types

we have

equals is an algebraic lattice the prop erty L

the lattices L are

live

dead

t t

the op erators are L cartesian pro duct and L ie

L D E D E E D which is the domain of continuous func

tions from E to D

Intuitively dead means will never b e used later in any computation while

live means may b e used later in some computation It might b e argued

that the analysis should b e called a deadness analysis b ecause it is the

prop erty dead that can b e trusted however it is common terminology to

use the term liveness analysis We should also p oint out that a backwards

liveness analysis for owchart programs has b een seen b efore in section

Note that the backward nature of the analysis is recorded by inter

as just as the forward nature of an analysis is recorded by preting

interpreting as as in the previous example

Turning to expressions we shall imp ose additional constraints on the

types that these are allowed to have The motivation is that liveness anal

yses usually are developed for owchart languages only and here we do not

wish to give a more encompassing denition Doing so is indeed a hard

research problem as it seems to involve mixing forward and backward com

as is likely to b e to o p onents into one analysis hence interpreting

simpleminded in the general case Hughes Ammann

Denition The predicates sr and sc are dened by

A A t t t t t t t t

i i

sr false true false sr sr false false

sc true false sc sc false sc sc sr sr

These acronyms relate to previous pap ers by one of the authors and sr stands for

runtime types in TML whereas sc stands for compiletime types in TML

s s

The intention with srt is that t is an allunderlined pro duct of base types

and the intention with sct is that t only contains underlined constructs if

these constructs are parts of an allunderlined type with just one function

space constructor in it Clearly srt implies ltt and hence dtt and

sct implies dtt We may thus restrict our attention to types that

satisfy the predicate sc For expressions this means that we do not need

t t t t t no longer is wellformed to interpret Curry as t

Apply as t t t t t t t no longer is wellformed Fix

as t t t t t no longer is wellformed or Const as t t t

no longer is wellformed The expression part L of an interpretation for

TMLscsc may thus b e sp ecied by

L is some a priori xed element of t L

if w live

eg L w

if w dead

L v v w w v w tv w

Tuple

L v w v w

Fst

L v w v w

Snd

w w L

L v v w v v w

v v v w v live tv w tv w L

Here we should note in particular that L uses the reverse order of com

e e

p osition wrt S and I

2 2

This ends Example 2

Example Detection of Signs II In our nal example we shall

consider an analysis where the type constructor should b e interpreted

in a dierent manner than in the standard semantics The analysis we

consider is once more the detection of signs analysis but this time using

a relational metho d where the interdependence b etween comp onents in

a pair is taken into account The formalisation amounts to dening a

lattice interpretation R but a complete treatment requires a fair amount of

machinery so we refer to Nielson Nielson bNielson and

only sketch the construction For types we have

the prop erty R equals is an algebraic lattice

the lattices R include i

b o ol

int

t t

continuous function space tensor pro duct and R R

Note here that the relational nature of the analysis is recorded by interpret

ing as a socalled tensor pro duct just as the indep endent attribute

nature of an analysis is recorded in Example by interpreting as

a cartesian pro duct We now need to dene and motivate the tensor

pro duct

Denition A tensor pro duct of two algebraic lattices L and L is an

algebraic lattice L L and a separately binary additive and continuous

function cross L L L L that has the following universal prop erty

Whenever f L L L is a separately binary additive and continous

function b etween algebraic lattices then there exists precisely one continu

ous and binary additive function f L L L called the extension of

f such that

f L L

cross L

L L

commutes ie such that f cross f

Prop osition A tensor pro duct always exists and it is unique to within

isomorphism

Pro of See Bandelt or Nielson for an elementary pro of It

is imp ortant for this result that some lattice structure is assumed as the

tensor pro duct do es not exist for arbitrary domains 2

Having b een assured of the existence of the tensor pro duct the next task is

to motivate why it is relevant We do so by calculating the tensor pro duct

in a sp ecial case and by showing that the tensor pro duct has the ability to

A function f L L L is separately binary additive if l f l l and

0 0 0

l f l l are binary additive for all l L and l L

express the interdependence b etween comp onents in a pair For this let S

b e a set and S the domain with elements S fg and the partial order v

given by s vs i s s or s For a domain D in which all elements

are compact as holds for S and S S the lower p owerdomain P D

may b e dened as

fY D j Y d D y Y d v y d Y g

This is an algebraic lattice and P S is isomorphic to the p owerset P S

One can verify that setting P S P S P S S and cross

l l l

Y Y Y Y satises the denition of a tensor pro duct and that the

extension of a function f is given by

f Y f f fd jd vy g fd jd vy g j y y Y g

This shows that in the particular case of a tensor pro duct of p owerdomains

the tensor pro duct has the ability to express the interdependence b etween

comp onents in a pair

Remark Another kind of motivation amounts to explaining the role of

binary additive functions In general an algebraic lattice imp oses certain

limitations up on the combinations of prop erties that can b e expressed for

example that one cannot express the prop erty l and l but not l In the

lattice R for the detection of signs one may take l l and l

int

The binary additive functions are those functions that somehow resp ect

these limitations The constraining factor in the denition of L L then

is that when considering each comp onent as is evidenced by the demands

on f one should resp ect the limitations inherent in the L This means

that eg crosst cross must also describ e cross

We have to refer to Nielson Nielson b for a further discus

sion of the role of tensor pro ducts For completeness we shall also nish by

sketching the expression part of the lattice interpretation R

is some a priori xed element of t R R

e e

eg R tt R etc

true

R v v w crossv w v w

Tuple

R v w d where d d id v w

Fst

R v w d where d d id v w

Snd

R v w w v crossw w

Curry

R v v w v w v w

Apply

R w w

R v v w v v w

R v w v Const

R v w FIXv w

Fix

v w if v w tt

v w if v w

R v v v w

if v w

v w tv w if v w

However we should p oint out that with resp ect to the treatment given in

Nielson Nielson the equations for Tuple and If are correct

but to o imprecise To improve this we would need to break an argument

into its atoms these are the elements immediately ab ove and pro cess

these separately

This ends Example 2

Summary

To summarise we have seen that for the purp oses of abstract interpreta

tion we need the ability to interpret underlined base types in dierent ways

in order to describ e the prop erties used in the dierent analyses Further

more we have seen that the wellknown distinction b etween forward and

backward analyses may b e formalized by the way is interpreted and

that the wellknown distinction b etween indep endent attribute and rela

tional metho ds may b e formalized by the way is interpreted This

gives credit to the claim that a twolevel metalanguage is a natural setting

in which to develop a theory of abstract interpretation

Correctness of Analyses

To have faith in an analysis one must b e able to prove that the prop erties

resulting from the analysis are correct eg with resp ect to the values that

the standard semantics op erates on First of all this necessitates a frame

work in which one can formulate the desired correctness relations Secondly

it is desirable that the correctness follows for all terms in the metalanguage

hence all programs considered in Figure once the correctness of the ba

sic expressions and combinators has b een established In the terminology

of Subsection this amounts to showing that lo cal correctness is a su

cient condition for global correctness Then one can consider the analyses

one by one and complete the denition of the correctness relations and use

this to prove the correctness of the basic expressions and combinators

To formulate the correctness relations we shall adopt the framework

of logical relations Plotkin essentially called relational functors in

Reynolds For this we shall assume the existence of two domain

or lattice interpretations I and J and the task is to dene an admissible

relation Rt b etween t I and t J ie

Rt t I t J ftruefalseg

in such a way that R t formalizes our intuitions ab out correctness We

shall feel free to write d Rt e as well as R t d e In the interest of

readability we prefer the notation Rt for t R but regardless of this R

should b e considered a parameter to t The denition of Rt is by

induction on the structure of t

RA d e d e

Rt t d d e e Rt d e Rt d e

Rt t f g d e Rt d e Rt f d g e

RA R

i i

t R Rt Rt Rt

t f g R Rt Rt Rt

The demands on R ie R R and R are made clear in

i i

Denition A correctness correspondence or just correspondence

R b etween domain or lattice interpretations I and J is a sp ecication of

t t

admissible relations R I J ftruefalseg

i i

op erations R and R up on admissible relations such that

t t

E E ftruefalseg D D J R R R I

t t

R R R I D D J E E ftruefalseg

are admissible relations whenever R D E ftruefalseg are admis

i i i

sible relations D and D are domains that satisfy the prop erty I

and E and E are domains that satisfy the prop erty J

Prop osition The equations for Rt dene an admissible relation

when t is a wellformed type in TMLdtdt and R is a correctness corre

sp ondence as ab ove 2

Pro of We must show by structural induction on t that Rt is an admissi

ble relation b etween t I and t J and that these domains exist This is

a straightforward structural induction and we omit the details Note that

the only reason for demanding t to b e a wellformed type in TMLdtdt

ie t is for t I and t J to b e guaranteed to exist 2

The correctness of the basic expressions and combinators amounts to

showing that the appropriate correctness relations hold b etween their in

terpretations as given by I and J We shall write RI J or I RJ for

this and the formal denition is

whenever is a basic expression or combinator and the follow ing hold

I t I t I t I

J t J t J t J

for wellformed types t t and t in TMLdtdt then we

have

R t d e Rt d e

n n n

e e

Rt I d d J e e

n n

e e

A shorter statement of the desired relation b etween I and J is that

e e

R t t t I J must hold This exploits the fact that

t t t is wellformed ie satises dt if and only if all of t t

n n

and t are and we may thus regard I as an element of t t t I

and similarly for J

It now follows that the correctness of an analysis amounts to the cor

rectness of the basic expressions and combinators

Prop osition To show the correctness Re I e J of a closed

expression e in TMLdtdt it suces to prove RI J 2

Pro of Let R b e a correctness corresp ondence b etween the domain or

lattice interpretations I and J and such that IRJ holds We then prove

by structural induction on a wellformed expression e that

if tenv e t with domtenv fx x g tenv x t

dtdt n i i

and t

dt i

then Rt d e R t d e Rt e I d d

n n n n

e J e e

The structural induction is mostly straightforward In the case where e

fix e we use the induction principle of Denition 2

Example We shall now use the ab ove development to show the

correctness of the detection of signs analysis of Example with resp ect

to the lazy standard semantics of Example The rst task is to dene

a correctness corresp ondence cor b etween the domain interpretation S and

the lattice interpretation I We have

the admissible relations cor include

if d d

if d

cor d p p w

int

if d d

otherwise

tt if d true

if d false

cor d p p w

b o ol

otherwise

so that eg cor and cor true

int b o ol

the op erations up on admissible relations are

cor R R d d p p R d p R d p

corR R f h d p R d p R f d h p

much as for R and R ab ove

and it is straightforward to verify that this do es sp ecify a correctness cor

resp ondence

The next task is to show corSI so that Prop osition can b e

invoked For the basic expressions f t we must show

e e

I cort S

i i

Little can b e said here as we have not mentioned many f t in Examples

and but we may note that

truett corBool

corInt

b oth hold For the combinators Tuple Fst and Snd related to pro duct

it is straightforward to verify the required relations as the denition of

these combinators is the same in S and I A similar remark holds for the

combinators Curry Apply Id 2 and Const related to function space For

the combinator Fix we may assume

Rws wi Rws wi Rvs ws ws vi wi wi

Rws wi

and must show

RFIXvs ws FIXvi wi

where R is cort and R is cort for types t and t that b oth satisfy the

predicate lt As in the pro of of Prop osition this follows using the

induction principle of Denition Finally for the combinator If we

may assume

tt if vs ws true

Rws wi vi wi w if vs ws false

otherwise

Rws wi Rvs ws vi wi

Rws wi

and must show

vi wi if vi wi tt

vs ws if vs ws true

vi wi if vi wi

R vs ws if vs ws false

vi wi tvi wi if vi wi

otherwise

where again R is cort and R is cort for types t and t that b oth sat

isfy the predicate lt The pro of amounts to considering each of the cases

vs ws true vs ws false and vs ws separately and will need

Fact If t satises lt then cort ws wi wi vwi implies cort ws wi

The pro of of this fact is by structural induction on t The case t A can

2 only b e conducted if we tacitly assume that A is one of A or A

i b o ol int

For reasons of space we shall not prove the correctness of the remaining

analyses dened in Subsection There are no profound diculties in

establishing the correctness of the detection of signs analysis dened in

Example For the liveness analysis of Example the notion of a

correctness corresp ondence is to o weak but a variation of the development

presented here may b e used to prove its correctness see Nielson

We should p oint out that the complications in the pro of of correctness of

the liveness analysis are due to the fact that the prop erties in the liveness

analysis do not describ e actual values but rather their subsequent use in

future computations The terms rstorder analyses eg detection of

signs and secondorder analyses eg liveness have b een used for this

distinction Nielson aNielson

Safety Comparing two analyses

A sp ecial case of correctness is when one compares two analyses and shows

that the prop erties resulting from one analysis correctly describ e the prop

erties resulting from the other We shall use the term safety for this and

we shall see in the next subsection that from the safety of one analysis with

resp ect to a correct analysis one is often able to infer the correctness of the

former analysis

As an example we might consider two analyses that op erate on the same

prop erties but have dierent ways of mo delling the basic expressions and

combinators We formalize this by considering two lattice interpretations

t t t t t t t t t t

I and J with I J I J I J and I J in short I J

i i

P P

When we want to b e more sp ecic we shall let I b e the interpretation I

for the detection of signs Example If we wish to express that

the results of J are coarser than those of I eg that e I whereas

e J we must dene a correctness corresp ondence and we shall use

the notation Given the motivation presented in Section we take

v i

R R v

b ecause the idea was to use the partial order v to express the amount of

precision among various prop erties In a more abstract way one might

say that a corresp ondence R b etween two lattice interpretations I and J

is a safety correspondence when R v R vv v and R v vv

t t

whenever I J Clearly is a safety corresp ondence

We shall claim that is the prop er relation to use for relating I and J

or IntInt the relation t clearly On an allunderlined type t eg Int

equals v which is the relation that also Section used On a type t without

any underlined symbols eg Int or IntInt it is straightforward to see

as we show b elow that t equals and this is the correct relation to

use given that we only p erform abstract interpretation on underlined base

types and constructors In particular t is more adequate than v in this

case

However there are types up on which t b ehaves in a strange way

As an example let t Bool Bool and consider a basic expression f t

such that

true if d

e e

I J d

otherwise

e e

Then I t J fails b ecause we have v but not true This means

that t is not even reexive Clearly we want t to b e a partial order

and it is also natural to assume that it implies v b ecause we have argued

for the use of v to compare prop erties of an allunderlined type We shall

achieve this by restricting the types to b e considered just as we did to

ensure that t I and t J were domains

First we need a few denitions

Denition A suborder on a domain D D v is a partial order

that satises

d d d vd

for all d and d 2

For an arbitrary safety corresp ondence R eg this motivates den

ing the predicates

ptt to ensure that Rt amounts to

itt to ensure that Rt amounts to v

This need not b e so in general see Mycroft but considerably simplies the technical development

lptt to ensure that Rt is a sub order

The predicate pt was called pure in Nielson aNielson b ecause

it will restrict the types to have no underlined symbols The predicates it

and lpt should b e thought of as slightly more discriminating analogues of

lt and dt They were called impure and level preserving resp ectively in

Nielson aNielson but with one dierence TMLdtdt allows

more wellformed types than do es Nielson a or Nielson

Denition The predicates pt for pure type it for impure type

and lpt for level preserving type are dened by

A A t t t t t t t t

i i

pt true false pt pt false pt pt false

it false true it it it it lpt it it it

lpt true true lpt lpt it it pt lpt it it

lpt it

Note that the dierence b etween lt and dt versus it and lpt is due to the

dierence b etween the denition of dtt t and lptt t

lt lpt

it pt

Fig Wellformednessconstraints

Lemma The formal denition of the predicates pt it and lpt

satisfy the intentions displayed ab ove 2

Pro of For an arbitrary safety relation R eg b etween lattice

t t

interpretations I and J with I J we prove by induction on types t that

ptt lptt Rt

itt lptt ltt Rt v

lptt dtt Rt is a sub order

The rst result is a straightforward structural induction and we shall not

give any details The second and third result must b e proved jointly as it

and lpt are mutually interdependent

The cases A and A are straightforward In the case t t t we rst

i i

assume that itt Then itt and itt so that lptt lptt ltt

ltt Rt v and Rt v It follows that lptt ltt and Rt v

Next we assume that lptt Then lptt and lptt so that dtt

dtt Rt is a sub order and Rt is a sub order It follows that dtt

t the assumptions itt and that Rt is a sub order In the case t t

and lptt are equivalent so we assume that itt holds Then itt and

itt so that ltt ltt Rt v and Rt v It follows that lptt

ltt dtt and Rt v which is a sub order The case t t t is similar

In the nal case t t t we rst assume itt Then lptt and itt

so that dtt ltt R t is a sub order and Rt v It follows that

lptt ltt and hence also dtt The relation Rt holds on f g when

Rt d e f d v g e

for all d and e If f v g and Rt d e we have d v e and hence f d v g e

so that Rt f g If R t f g we have Rt d d and hence f d v g d

for all d and this amounts to f vg Thus R t equals the sub order v

Next we assume that lptt There are two cases to consider but we have

just treated lptt itt so that we may assume ptt and lptt It

follows that lptt dtt Rt dtt and Rt is a sub order

Hence dtt and the relation Rt holds on f g whenever

d Rt f d g d

and this is clearly a sub order This ends the pro of of Lemma 2

Summary

We shall now restrict the types of the basic expressions and combinators

so that they have levelpreserving types This amounts to considering

TMLlptdt as there is no need also to require the types of variables

to b e levelpreserving For the basic expressions f t this condition sim

ply amounts to requiring t to b e levelpreserving ie satisfy the predicate

lpt For the combinators a general form of their types may b e found in

the sideconditions in Tables and These general forms are expressed in

terms of subtypes t t t t t and t and the restriction to TMLlptdt

amounts to demanding that all these subtypes are impure ie satisfy the

predicate it

The relationship b etween TMLlptdt and TMLdtdt is claried by

Fact If tenv e t then tenv e t and hence t 2

lptdt dtdt dt

Thus TMLlptdt is a prop er subset of TMLdtdt and Fact

Prop osition Prop osition Prop osition and Prop osition

apply to TMLlptdt as well

Given Lemma we then have that is a partial order in the col

lection of interpretations for TMLlptdt contrary to what is the case

when one considers the collection of all interpretations for TMLdtdt In

particular we have I I whenever I is an interpretation for TMLlptdt

and by Prop osition we then have e I t e I for all closed

expressions e of type t even if t is not levelpreserving

Induced Analyses

One shortcoming of the development of the previous subsection is that

a correct analysis may b e so imprecise as to b e practically useless An

example is an analysis where all basic expressions and combinators are

interpreted as the greatest element whenever they are used with a lattice

type The notion of correctness is top ological in nature but we would

ideally like something that was a bit more metric in nature so that we

could express how imprecise a correct analysis is Unfortunately no one

has b een able to develop an adequate metric for these purp oses

The alternative then is to compare various analyses We shall take the

p oint of view that the choice of the type part of an interpretation ie

the choice of what prop erties to use for underlined types etc represents

a delib erate choice as to the degree of precision that is desired Thus

the denition of in the previous subsection allows us to compare various

analyses provided that they use the same selection of prop erties So if we

are confronted with two analyses we may compare them and might b e able

to say that one analysis is more imprecise than ie another and so

we might prefer the other analysis This is not a complete recip e as

is only a partial order and in general not a total order Also even if we

have preferred some analysis there is no easy way to tell whether we could

develop an analysis that would b e even more precise

This motivates the development in the present subsection where we

show that under certain circumstances there is a most precise analysis over

a given selection of prop erties Following Cousot we shall term

this the induced analysis As we shall see in the next subsection there

may well b e pragmatic reasons for adopting an analysis that is less precise

than the induced analysis However even if one do es so we b elieve that

the induced analysis serves an imp ortant role as a standard against which

analyses may b e compared whenever the analysis of ones choice mo dels

This is a more restricted p oint of view than is put forward in Steen

a basic expression or combinator less precisely than the induced analysis

do es then one may judge the degree of imprecision and decide whether it

is warranted for pragmatic reasons eg termination low timecomplexity

easy to implement etc

For the technical development we shall assume that we have a domain or

lattice interpretation I and a lattice interpretation J Actually we only

need the type part of J and for the ma jority of the development we also

only need the type part of I Here one should think of I as the standard

semantics eg the lazy standard semantics of Example and one

should think of J as some analysis eg the detection of signs of Example

However the development also sp ecialises to the case where I

is some analysis much as the notion of correctness corresp ondence in the

previous subsection sp ecialised to the notion of safety corresp ondence

We then prop ose to dene a transformation function t from t I

to t J ie

t t I t J

Again one should regard as a parameter to t just as I and J are

The denition of t is by induction on the structure of t

A d d

t t d d t d t d

t t f p f t f d j t d vp g

i i

t t t t

Several p oints now need to b e addressed First we must clarify the claims

we shall make ab out the functions t and the demands that this enforces

on the parameter Secondly we must nd a way of constraining the types

t such that the functions t exist and have the desired prop erties Finally

we must show that the denition of t is as intended and in particular

that it is correct Closely related to this is the question of why the equation

for t t uses v and rather than and its asso ciated least upp er

b ound op erator

Existence

First we need some denitions and simple facts

Denition A representation transformation or just a transforma

tion f from a domain D D v to a domain E E v is a function that

is strict continuous and compact preserving see Denition 2

Fact Let b e a pair of adjoined functions b etween algebraic

lattices Then is strict and continuous but not necessarily compact pre

serving If is additionally continuous then is compact preserving 2

t t

Example Recall the denition of S and I in Examples

int int

t t

and A representation transformation from S to I may b e de

int int

ned by

if d

t t

are compact 2 and I Note that all elements in S

int int

The demands on the paramter are claried by

Denition A representation transformer from a domain or lat

tice interpretation I to a lattice interpretation J is a sp ecication of

t t

representation transformations I J

i i

op erations and such that

t t

f f I D D J E E

t t

f f I D D J E E

are representation transformations whenever f D E are rep

i i i

resentation transformations D and D are domains that satisfy the

and E and E are algebraic lattices prop erty I

Example A representation transformer b from the interpretation S

of Example to the interpretation I of Example may b e dened

t t

representation transformations b S I

i i

if d

with b d

int

if d

tt if d true

if d false

and b d

b o ol

if d

op erations b and b given by

b f f d d f d f d

f f f d j f d v p g b f f f p

Here we cannot b e more sp ecic ab out the b as Example only is

t t

sp ecic ab out I and I but clearly the b and b exhibited are

int b o ol

int

b o ol

representation transformations Assuming that f and f are representa

tion transformations the welldenedness of b f f is immediate It is

clearly strict and continuous and it preserves compact elements b ecause the

compact elements in a cartesian pro duct are the pairs of compact elements

in each comp onent Also b f f is welldened b ecause the least upp er

b ound is taken in an algebraic lattice called E in Denition That

b f f f is a continuous function and that b f f is a representa

tion transformation is slightly more involved We omit the details as they

follow rather easily from the case t t t in the pro of of the following

prop osition 2

Welldenedness of t follows from the following fact and prop osition

Fact If t is a pure type and a representation transformer then

t is the representation transformation d d and t I t J 2

Prop osition The equations for t dene a representation trans

formation when t is a levelpreserving type and is a representation trans

former 2

Pro of We show by structural induction on t that if lptt then the

ab ove equations dene a function

t t I t J

and that this function is a representation transformation

The case t A is straightforward The case t t t follows from the

induction hypothesis given that the compact elements in a cartesian pro d

uct D D are the pairs of compact elements of D and D resp ectively

0 00

ie B 0 00 B B The case t A follows from the assumptions

D D

t and t t t follow from the on In a similar way the cases t t

assumptions on and the induction hypothesis

It remains to consider the case where t t t There are two alter

natives in the denition of lptt t so we rst consider the p ossibility

where t is pure and t is levelpreserving We shall write

Yf p f t f d j t d v p g

and by Fact we get Yf p f t f d j d v p g By continuity of

f and t this set contains an upp er b ound for itself namely t f p

Hence Yf p always exists and equals t f d Next we consider the

situation where t is levelpreserving and t is impure Then t is also a

lattice type ie ltt so that t J is an algebraic lattice It is then

Yf p exists straightforward that

We have now shown that t t f p always exists when t t

is levelpreserving To show that t t f exists we must show that

F F

Yf p dep ends continuously on p ie that p Yf p is continuous

First we write

Zf p f t f b j t b vp b is compact g

This set has Yf p as an upp er b ound so by consistent completeness

F F F F

Zf p exists and we clearly have Zf p v Yf p Actually Zf p

F F

Yf p as any element d such that t d v p may b e written as d

b where each b is compact Then Zf p contains all t f b so

n n n

F F F F

Zf p w t f b t f d and hence Zf p w Yf p

n n

as d was arbitrary

F F F

To show that p Zf p is continuous let p p Clearly

n n n

F F F F F

Zf p v Zf p so it suces to show that Zf p v Zf p

n n n

If b is compact and t b v p then by the induction hypothesis

n n

t b is compact so that t b v p for some n Hence t f b

v Zf p and this shows the result

Finally we must show that t t is a representation transformation

So observe that t t follows b ecause t is strict That

t t is continuous follows b ecause t is It now remains to show

that t t preserves compact elements For a domain D E where

also D and E are domains we shall write

e if d w d

d e d

otherwise

The function is continuous if d is compact and is a compact element of

D E if additionally e is compact The general form of a compact element

in D E is

b e t tb e

n n

for n where all b and e are compact and we assume that fe jj J g

i i j

has an upp er b ound and by consistent completeness a least upp er b ound

whenever d D and J fj jb v d g We shall say that b e t tb e

j n n

is a complete listing if for all d D there exists j f n g such that b

F F

0 0

fb jj J fe jj J g and e g Clearly any compact element can

j j j

d d

b e represented by a complete listing as the least upp er b ound of a nite

set of compact elements is compact

For a complete listing b e t tb e of a compact element in

n n

t I t I we now calculate

t t b e t tb e

n n

f t b e t tb e b j t b vp b is com p

n n

pact g

as the listing is complete and t is strict and continuous

F F

p f t b e b j t b v p b is compact g

j j j

F F

p f t e j t b vp g

j j j

t b t e

j j j

By the induction hypothesis all t b and t e are compact To

j j

show that the ab ove element is compact we must show that f t e jjJ g

has an upp er b ound when d t J and J fj j t b vd g From

the denition of lptt t we know that itt or ptt If itt

then t J is an algebraic lattice so that the set clearly has an upp er

b ound If ptt then J fj jb vd g so there is jf n g such that

fe jjJ e g given the assumption ab out complete listing It follows

j j

is an upp er b ound of the set f t e jj J that t e g This

j j

ends the pro of of Prop osition 2

Remark The function t t is intended as a transformation

from the domain t t I to the domain t t J As the reader

acquainted with category theory MacLane will know any partially

ordered set may b e regarded as a simple kind of category In a similar

way a continuous or at least monotonic transformation b etween partially

ordered sets may b e regarded as a covariant functor With this in mind we

may calculate

t t f p f t f d j t d v p g

Lan t f

where we use the formula in MacLane Theorem page for

the left Kan extension of t f along t 2

Remark The rst comp onent of a pair of adjoined func

tions is often called a lower adjoint and the second comp onent an upper

adjoint In Fact we said that any lower adjoint is a representation

transformation provided we restrict our attention to adjoined pairs of con

tinuouos functions Assume now that the representation transformer

sp ecies lower adjoints and that and preserve lower adjoints

Then also t will b e a lower adjoint whenever t is levelpreserving Writ

ing t for the corresp onding upp er adjoint we then have

t t f t f t

Here we have used the fact that an upp er adjoint is uniquely determined by

its lower adjoint ie if and are adjoined pairs then

Weak invertibility

To express that t lives up to the intentions we rst need to construct a

weak notion of inverse

Denition A function f D E D is a weak inverse of a

function f D E and a relation R E E ftruefalseg if

f d v e

implies

d v f d e

f f d e R e

for all d D and e E 2

Here the intention is that f is the inverse of f or to b e more precise

that f f b ehaves as much like an adjoined pair of functions as p ossible

However D is not necessarily an algebraic lattice and so we cannot nd

a b est description of some e E Rather we must b e content with nding

a description f d e that is close to some d D of interest

We now prop ose the following denition of a weak inverse t of t

and t

A d e e

t t d d e e t d e t d e

t t f g d t f d g t d

A d e d

t d e d t

t t d e d

The b ehaviour of t is easy to characterise in a few sp ecial cases

Fact If t is pure then t d e e 2

Fact If t is impure then t d e d 2

In the general case we have

Lemma The equations for t dene a weak inverse of t and

t whenever t is levelpreserving 2

Pro of We prove the result by structural induction on t The case

t A is straightforward as A d d and A The case t t t

i i i

follows from the induction hypothesis The case t A is straightforward as

t and t t t are straightforward as we A v Also the cases t t

have t v

It remains to consider the case t t t So assume that

t t f v g ie

t d v e t f d v g e

for all d and e To show f v t t f g we consider an argument

d and must show

f d v t f d g t d

and this follows from the induction hypothesis given the assumption

To show that

t t t t f g t t g

we let

e t e

and must show

f t t t f g d j t d v e g t g e

f t t f d g t d j t d v e g t g e

We now consider the alternatives in the denition of lptt t one by

one If t is pure the inequality reduces to

t t f e g e t g e

as e e The desired result then follows from the induction hypothesis If

t is impure the inequality reduces to

t d v e t t f d g t d v g e

So assume that t d v e Using and the induction hypothesis for t

we then get

t t f d g t d v g t d

The result then follows as t d v e ve This ends the pro of of Lemma

The main p oint of the ab ove lemma is to establish the following corollary

showing that another denition of t t is p ossible However as is

evidenced by Nielson a the present route presents fewer technical

complications

Corollary t t f p f t f d j t d t p g

whenever t t is levelpreserving and denotes the least upp er b ound

op erator wrt t 2

Pro of We shall write

Xf p f t f d j t d t p g

and recall the denition of Yf p given in the pro of of Prop osition

F F

As Xf p Yf p and Yf p exists we get that Xf p exists and

F F

Xf p v Yf p Next let t d v p and note that by setting

d t d p we have d v d and t d t p Hence

t f d v t f d v Xf p

F F F F

so that Yf p v Xf p and thus Yf p Xf p

Next we shall show that Xf p is the least upp er b ound of Xf p

wrt t For this we consider the alternatives in the denition of

lptt t one by one If t is pure the set Xf p equals the singleton

f t f p g and clearly t f p is the least upp er b ound of this set

wrt the sub order t If t is impure the sub order t amounts to v

and then clearly Xf p is the least upp er b ound of Xf p wrt v 2

Optimality

It remains to demonstrate that the transformation t has the required

prop erties whenever t is a levelpreserving type We express the correct

ness using a relation Rt as dened in the previous subsection and clearly

and R have to co op erate

Denition An admissible relation R D E ftruefalseg coop

erates with a representation transformation f D E and an admissible

relation R E E ftruefalseg if

R d p R f d p

A correctness corresp ondence R cooperates with a representation trans

former if

R co op erates with and v and

i i

if R co op erates with f and v for i then

i i

R R R co op erates with f f and v and

R R R co op erates with f f and v

Example The correctness corresp ondence cor of Example

co op erates with the representation transformer b of Example 2

Lemma If R co op erates with then

Rt co op erates with t and t

for all levelpreserving types t 2

Pro of We must prove R t d p t d t p by structural induc

tion on a levelpreserving type t

The case t A is straightforward as Rt t d d and t

The case t t t follows from the induction hypothesis and the comp o

nentwise denitions of Rt t t t and t t The case t A

t and t t t is immediate from the assumptions The cases t t

are straightforward given the assumptions the induction hypothesis and

Lemma

It remains to consider the case t t t We rst assume that

R t t f g and by the induction hypothesis this amounts to

t d t e t f d t g e

for all d and e To show t t f t t g we assume that e t

e and must show

f t f d j t d t e g t g e

where we have used Corollary For this it suces to show that

t d t e t f d t g e

and this follows from as g t t g implies g e t g e Next

we assume that t t f t t g ie that

e t e f t f d j t d t e g t g e

holds for all e and e It follows that

t d t e e t e t f d t g e

and by choosing e e and using the induction hypothesis we have

Rt d e Rt f d g e

for all d and e But this amounts to R t t f g 2

Summary

t t

Let I J or I J to b e precise b e a representation transformer

and let b e a correctness corresp ondence that co op erates with An

example was given in Example and we should stress that we do not

claim that is a function as it do es not seem p ossible to dene and

from and in general

If I is an interpretation for TMLlptdt we may dene an interpreta

tion I for TMLlptdt called the induced analysis as follows

t t

I J

for each basic expression or combinator used with type t

e e

I t I

We can now b e assured that

I is correct ie I I

I is optimal ie I J I J

In b oth cases we use that I K amounts to I K given that co op

erates with and that is a partial order when we restrict our attention

to interpretations of TMLlptdt

Exp ected Forms of Analyses

Even though the induced analyses of the previous subsection are optimal

they are not necessarily in a form where they are practical or even com

putable As an example consider comp osition 2 which is interpreted as S

v v w v v w in the lazy standard semantics The induced

version is

t t t t t t S

t t t S vs j t t vs v vi g vi f t

vi vi f t t S vs vs j t t vs vvi

t t vs vvi g

vi vi f t t vs vs j t t vs vvi t t vs vvi g

and this is not as easy to implement as one could have hop ed for In the

sp ecial case where sp ecies lower adjoints as in Remark we have a

slightly nicer induced version writing for

t t t t t S t

t t t S t t vi vi t

t S t t vi t t vi vi vi t

If we assume that is as in Example ie

f f f p f f f d j f d v p g

then it follows much as in Remark that t t f t f t

t t f t f t and t t f t f t It follows that

t t t t t t S

vi vi t t vi t t vi t t

but as in general will dier from the identity also this is not

as easy to implement as one could have hop ed for

What we shall do instead is to use functional comp osition in all analy

ses This may not b e as precise as p ossible but will b e easier to implement

and as we shall show b elow will indeed b e correct and thus will make

applications easier A similar treatment can b e given for the other combi

nators and we shall consider a few examples in this subsection Additional

examples may b e found in Nielson Nielson b

Example For a lattice interpretation J of TMLlptdt we suggest

mo delling the comp osition combinator 2 as functional comp osition ie

J v v w v v w

and we shall say that this is the expected form of 2 Actually the exp ected

form dep ends on whether we consider forward or backward analyses ie

is interpreted as or as as is illustrated by Examples whether

and but in this subsection we shall only consider forward analyses

To demonstrate the correctness of this exp ected form let I b e a domain

or lattice interpretation with I v v w v v w Here I may

b e thought of as the standard semantics or some other lattice interpretation

that uses the exp ected form for 2 We shall then show

t t t t t t I

t t t t t t

where I J is a representation transformer In analogy with the

is interpreted as in b oth I and J it is natural to assumption that

assume that is as in Example ie

f f f p f f f d j f d v p g

t t t t t is levelpreserving it follows that t t and t As t

are impure so that t v t v and t v The desired result

then amounts to assuming that

t wi v wj t vi wi v vj wj

t wi v wj and showing that

t vi vi wi v vj vj wj

and this is straightforward 2

Example For a lattice interpretation J of TMLlptdt we sug

gest that the expected form of Fix amounts to a nite say number of

iterations starting with the most imprecise prop erty ie

J v w v w

Fix

t t t t then t will b e an Recall that if Fix is used with type t

impure type so that t J is an algebraic lattice and thus t J

do es exist This choice of exp ected form diers from the choice made in

the standard semantics of Example or the detection of signs analysis

of Example and is motivated by the desire to ensure that an analysis

by abstract interpretation terminates However it means that we have to

give sep erate pro ofs for the correctness of this exp ected form with resp ect

to the standard semantics and for the correctness of continuing to use this

exp ected form

v w So let I b e a domain or lattice interpretation with I

Fix

FIXv w Let I J b e a representation transformer with as

in the previous example We must then show

t t t t t v w FIXv w

t t t t t

v w v w

where again t and t will b e impure so that t and t b oth equal v

This amounts to assuming

t wi v wj t wi v wj

t vi wi wi v vj wj wj

t wi v wj

and showing

t FIXvi wi v vj wj

for m We shall prove this by induction on m and the base case m is

immediate The induction step then follows from the induction hypothesis

and the fact that vi wi FIXvi wi equals FIXvi wi

Next let K b e a lattice interpretation that uses the exp ected form for

Fix and let J K b e a representation transformer with as ab ove

We must then show

t t t t t v w v w

t t t t t

v w v w

This amounts to assuming

t wj v wk t wj v wk

t vj wj wj v vk wk wk

t wj v wk

and showing

m m

t vj wj v vk wk

for m This is once again by induction on m 2

Example In TMLlptdt the meaning of fix remains constant

ie fix is not interpreted by an interpretation but always amounts to the

least xed p oint FIX Consider now a version of TML where the meaning

of fix is not constant and thus must b e given by an interpretation When

fix is used with type t t t this means that we will have to restrict

t t t to b e levelpreserving It is straightforward to verify that this

means that t must either b e pure or impure When t is pure it is natural

to let an interpreation J use the exp ected form

J v FIXv

whereas when t is impure it is natural to let J use the exp ected form

J v v

The correctness of this is shown in Nielson 2

Example For a lattice interpretation J of TMLlptdt we suggest

that the expected form of If amounts to simply combining the eects of

the true and else branches ie

v v v w v w t v w J

This is slightly coarser than what we did in Examples and in

that v is not taken into account but this is in agreement with common

practice in data ow analysis Aho Sethi and Ullman

To show the correctness of this let I b e a domain interpretation along

the lines of the lazy standard semantics ie

I A

b o ol

v w if v w true

v w if v w false I v v v w

if v w

as well as I as is the case for all interpretations considered in this

subsection Also let I J b e a representation transformer with

as in the previous example We must then show

t Boolt t t t t t I

t Boolt t t t t t

and this follows much as in Example so we disp ense with the details

Next let K b e a lattice interpretation that also uses the exp ected form

for If Then we must show

Boolt t t t t t v v v w v w t

t v w

Boolt t t t t t t

v v v w v w t v w

and for this we shall need to assume that sp ecies lower adjoints as in

Remark Then t is binary additive and it is then straightforward

to show the desired result 2

Example For a lattice interpretation J of TMLlptdt the ex

is p ected forms of the combinators Tuple Fst and Snd dep end on how

interpreted When is the tensor pro duct one may suggest exp ected

forms based on the denitions given Example but as we have not

covered the tensor pro duct in any detail we shall not lo ok further into this

here We thus concentrate on the case where is interpreted as cartesian

pro duct and here we suggest

v v w v w v w J

Tuple

J v w d where d d v w

Fst

J v w d where d d v w

Snd

For correctness we shall assume that I is a domain or lattice interpretation

that uses analogous denitions either b ecause it is the standard seman

tics or b ecause it is some lattice interpretation that also uses the exp ected

forms Furthermore we shall assume that I J is a representa

tion transformer with as in the previous examples and with as in

Example ie

f f d d f d f d

The correctness is then expressed and proved using the pattern of the

previous examples and we omit the details 2

Example For a lattice interpretation J of TMLlptdt we shall

suggest the following exp ected forms for Curry and Apply

J v w w v w w

Curry

J v v w v w v w

Apply

Here we assume that is interpreted as and that is interpreted

as cartesian pro duct To show correctness we consider a domain or

lattice interpretation I that uses analogous denitions Concerning the

representation transformer I J we shall assume that and are

as in the previous example The correctness is then expressed and proved

using the pattern of the previous examples and we omit the details 2

These examples have illustrated that the practical application of a

framework for abstract interpretation may b e facilitated by studying cer

tain exp ected forms for the combinators In this way one obtains correct

and implementable analyses than can b e arranged always to terminate

although at the exp ense of obtaining more imprecise results than those

guaranteed by the induced analyses

Extensions and Limitations

In this section we have aimed at demonstrating the main approach the

main denitions the main theorems and the main pro of techniques em

ployed in a framework for abstract interpretation To do so we have used

a rather small metalanguage based on the typed calculus and in this

subsection we conclude by discussing p ossible extensions and current limi

tations

The discussion will center around Nielson The metalanguage

TML considered there has sum types and recursive types in addition

to the base types pro duct types and function types However the well

formedness conditions imp osed on the twolevel types in Nielson

are somewhat more demanding than those imp osed here Let mct de

note the condition that every underlined type constructor in t has argu

ments that are allunderlined and that any underlined construct o ccurs in

t Then the fragment of TML Nielson a subtype of the form t

that only has base types pro duct types and function types corresp onds

to TMLlptmcdtmc rather than the TMLlptdt studied here As

an example this means that a type like A A A is wellformed in

int b o ol int

TMLlptdt but not in TMLlptmcdtmc

Concerning sum types one can p erform a development close to that p er

formed for pro duct types In a sense an analogue to the relational metho d

as cartesian pro duct whereas an analogue of is obtained by mo delling

the indep endent attribute metho d is obtained by interpreting as a kind

of sum adapted to pro duce an algebraic lattice For recursive types there

are various ways of solving the recursive type equations and one of these

One may verify that dtmc is equivalent to mc

amounts to truncating a recursive structure at a xed depth Turning to

expressions an analysis like detection of signs is formulated and proved cor

rect for the whole metalanguage and also strictness analysis can b e handled

Nielson a It is also shown that induced analyses exist in general and

this is used to give a characterisation of the role of the collecting semantics

accumulating standard semantics in the terminology of the Glossary For

a secondorder and backward analysis like live variables analysis a formu

lation much like the one given in Example is proved correct As we

already said in Subsection this may b e extended with several versions

of underlined type constructors without a profound change in the theory

Even for TMLlptmcdtmc the development in Nielson go es

a bit further than overviewed here The presence of the constraint mc

makes it feasible to study interpreations socalled frontier interpretations

where the interpretation of underlined types is not sp ecied in a structural

way In a sense one considers a version of the metalanguage without

and but with a greatly expanded index set I over which the index i

ranges This makes is feasible to give a comp onentwise denition in A

of the composition of frontier representation transformers This is

of particular interest when only sp ecies representation transformations

that are lower adjoints Writing one can then show that t

t t for levelpreserving types t and this may b e regarded as the

basis for developing abstract interpretations in a stepwise manner Also

the transformation from to b ecomes functional and one can show that

From a practical p oint of view a main limitation is that we have not

incorp orated stickiness ie we transform a prop erty through a program

but we do not record the prop erties that reach a given program p oint

Such a development would b e very desirable when one wants to exploit the

results of an analysis to enable program transformations that are not valid

ie meaning preserving in general This is illustrated in Nielson a

that uses the results of analyses as sp ecied in Nielson It applies

equally well to the ow analysis techniques used in practical compilers

However it is not a minor task to incorp orate this in the present frame

work One reason is that the way it is done dep ends heavily on details of

the evaluation order used in an implementation and these details are not

sp ecied by the standard semantics

4 Other Analyses Language Prop erties and

Language Types

In the rst sections we describ ed the ro ots of abstract interpretation and

gave a motivated development of the Cousot approach We then showed

how their metho ds can b e systematically extended to languages dened

by denotational semantics using logical relations to lift approximations

from base domains to pro duct and function space domains This extension

allows analysis of a wide range of programming languages by abstractly

interpreting the domains and op erations app earing in the denotational se

mantics that dene them

In section the denotational approach was generalized even more we

rigorously developed an abstract interpretation framework based on rein

terpreting some of the primitive op erations app earing in the metalanguage

used to write denotational language denitions This yields a framework

that is completely indep endent of any particular programming language

We now describ e some other analysis metho ds language prop erties and

language types As to metho ds we will see that it is sometimes necessary to

instrument a semantics to make it b etter suited for analysis ie to mo dify

it so it b etter mo dels op erational asp ects relevant to program optimization

A related approach not yet as fully developed is to derive analyses from

op erational semantics rather than denotational ones

Abstract interpretation has its ro ots in applications to optimizing com

pilers for imp erative languages so it is not surprising that the early pap ers

by Cousot on semantically based metho ds were ab out such programs A

later wave of activity concerned ecient implementation of highlevel func

tional languages Recent years have witnessed a rapid growth of research

in abstractly interpreting logic programming languages Prolog in particu

lar Analysis of b oth functional and logic programming languages will b e

discussed briey

In contrast to the previous section we only give an overview of basic

ideas motivations and a few examples together with some references to

the relevant literature large a bibliography from may b e found in

Nielson c

Approaches to Abstract Interpretation

We now briey assess what we did in earlier sections and give some al

ternative approaches to program analysis by abstract interpretation Each

has some advantages and disadvantages

The Cousot Approach

This was the rst truly semanticsbased framework for abstract interpre

tation and had many ideas that inuenced development of the eld for

example abstraction and concretization functions natural mathematical

conditions on them and the collecting or static semantics The collect

ing semantics is sticky meaning that it works by binding information

describing the programs stores to program p oints This provided a nat

ural link to the earlier and more informal ow analysis metho ds used in

optimizing compilers based on constructing and then solving a set of data

ow equations from the program

The abstraction and concretization functions are a pair of functions

C Abs and Abs C b etween concrete values C and abstract values

Abs Both are required to b e complete lattices and must satisfy some

fairly stringent conditions must b e a Galois insertion from Abs into C

An imp ortant new concept was that of a program interpretation ab

stracting the programs stores A partial order on interpretations was de

ned making it p ossible to prove rigorously that one interpretation is a

correct abstraction of another This allows program analysis metho ds to

b e proven safe ie to b e correct approximations to actual program b e

haviour

A limitation is that the Cousot approach only applies to ow chart

programs and has b een dicult to extend to for example programs with

pro cedures examples include Jones and Sharir Another

limitation is in its data as originally formulated only stores were ab

stracted and no systematic way to extend the framework to more general

data types was given

Logical Relations

This solved the problem of extending the Cousots metho ds to more general

data using logical relations as dened in Reynolds Plotkin

In the discussion ab ove on lo cal conditions for safety the logical relation

was on values Safe approximation of comp osite domains is dened

by induction on the form of the domain denitions leading to a natural

sucient condition for safety of an abstract interpretation that generalizes

the Cousots In this approach concretization is not mentioned at all nor

do es it seem to b e necessary

Example works using this approach are Mycroft Jones

and Nielson

A Metho d Based on a Metalanguage

The previous metho d applies only to one language denition at a time

Yet more generality can b e obtained by abstractly interpreting the meta

language used to write the denotational semantics typically the lambda

calculus This is done in Nielson and subsequent pap ers and is

summarized in Section A twolevel lambda calculus is used to separate

those parts of a denotational semantics that are to b e approximated from

those to remain uninterpreted

The approach seems to b e inherently nonsticky as it concerns ap

proximating intermediate values and lacks a means for talking ab out pro gram p oints

Op erationally Based Metho ds

A ma jor purp ose of abstract interpretation is its application to ecient pro

gram implementation eg in highly optimizing compilers For application

purp oses it thus seems more relevant to use analyses based on a semantics

of the language b eing analyzed rather than on the metalanguage in which

the semantics is written

But there is a y in the ointment many implementation dep endent

prop erties relevant to program optimization are simply not present in a

standard denotational semantics This is not at all surprising if we recall

that the original goal of denotational semantics Stoy was to assign

the right inputoutput b ehaviour to the programs without giving implemen

tation details Examples include

the dep endence analyses mentioned in the rst section for neededness

analysis or partial evaluation

sequential information ab out values eg that a variable grows mono

tonically

order of parameter evaluation

time or space usage

available expressions

Interesting prop erties that can b e extracted from a denotational seman

tics include strictness analysis and a rather weak form of termination

Burn Abramsky In the approach of Abramsky this

is done by fo cusing on logical relations and then developing b est inter

pretations with resp ect to these the notion of safety leads to a strictness

analysis whereas the dual notion of liveness leads to a termination of anal

ysis This is all related to adjunctions b etween categories and the use of

the formula for Kan extensions However while a comp ositional strictness

analysis is indeed useful a comp ositional termination analysis is not b e

cause it has to give up for recursion amending this would entail nding

a wellfounded order with resp ect to which the recursive calls do decrease

and this is b eyond the development of Abramsky

Op erational Semantics It would seem obvious to try to extract these

prop erties from an operational semantics Plotkin Kahn How

ever this is easier said than done for several reasons One is that there is

no clearly agreed standard for what is allowed to app ear in an op erational

semantics other than that it is usually given by a set of conditional logical

inference rules for instance singlevaluedness of an expression evaluation

function must b e proven explicitly Another is that op erational semantics

do not by their nature give all desirable information eg the resource usage

or dep endency information mentioned ab ove

It must b e said though that op erational semantics has a large p otential

as a basis for abstract interpretation since it more faithfully mo dels actual

computational pro cesses as witnessed by the many unresolved problems

concerning full abstraction in denotational semantics Further op erational

semantics is typically restricted to rstorder values and so avoids some

times painful questions involving Scott domains For instance there are

still several op en questions ab out how to approximate p ower domains for

abstract interpretation of nondeterministic programs

Instrumented Semantics

Much early work in static program analysis was based on approximating

informal mo dels of program execution and was complex and sometimes

wrong On the other hand the validity of certain program optimizations

and compilation techniques may dep end strongly on execution mo dels eg

some of the prop erties just mentioned

A denotationally based metho d to obtain information ab out program

execution is to instrument the standard semantics extending it to include

additional detail p erhaps op erational The approach can b e describ ed by

the following diagram where the left arrow follows since the instrumented

semantics extends the standard one and the right one comes from the re

quirement of safe approximation On the other hand all three are obtained

by various interpretations of the core semantics so analysis is still done by

abstractly executing source programs

instrumented

semantics

v w

standard abstract

semantics semantics

The collecting semantics illustrates one way to instrument by collecting

the state sets at program p oints This is practically signicant since many

interesting program prop erties are functions of the sets of states that o ccur

at the programs control p oints

More general instrumentation could record a trace or history of the

entire computation prop erties of the stores or environments forward or

backward value dep endencies sequences of references to variables and much

more This could b e used to collect forward dep endence information mono

tone value growth or p erform step counting The sketched approach puts

the program ow analyses used in practice on rmer semantical founda

tions

The absence of an arrow b etween the standard and the abstract seman

tics is disturbing at rst since correctness is no longer simply a matter

of relating abstract values to the concrete ones o ccurring in computations

However this is inevitable once the need to incorp orate some level of op

erational detail has b een admitted One must b e sure that the extension

of the standard semantics prop erly mo dels the implementation techniques

on which optimization and compilation can b e based and this cannot b e

justied on semantical grounds alone

On the other hand an approximate semantics can b e proven correct

with resp ect to the instrumented version by exactly the metho ds of the

previous sections

Examples of Instrumented Semantics

The p ossible range of instrumented semantics is enormous and many vari

ants have already b een invented for various optimization purp oses Here

we give just a sampling

Program Run Times

A program time analysis can b e done by rst extending the standard se

mantics to record running times and then to approximate the resulting

instrumented semantics Here we use the denotational framework of sec

tion The earlier semantics is extended by accumulating together with

the store the time since execution b egan

The time interpretation This is I Val Sto assign seq cond

time

while dened by

Domains

Val Number the at cp o

Sto Var Val Number

Function denitions

assign x m st sx m s t

e e

seq m m m m

c c c c

cond m m m st

e c c

m s m s t m s t

e c c

while m m x st

e c

m s m st st

e c

This was used as the basis for the approximate time analyses rep orted in Rosendahl

Execution Traces

A closely related idea is to instrument a semantics by including full com

putation histories This gives in a sense all the raw material that can

b e used to extract historydep endent information and thus a basis for

a very wide range of program analyses This approach was used in P

Cousots thesis work and has since b een seen in DonzeauGouge

and Nielson

In a functional setting Sestoft has traced sequences of variable def

initions and uses ie bindings and references in order to see which

variables can b e globalized ie allowed to reside in global memory in

stead of the computation stack Sestoft A similar idea is used in

Bloss and Hudak for ecient implementation of lazy functional lan

guages they trace references to functions formal parameters to see which

ones can b e computed using call by value ie prior to function entry

Store Prop erties

The sequencing information just mentioned is quite clearly not present

in a standard semantics Another information category very useful for

optimization has to do with store prop erties A standard semantics for a

language with stuctured values often treats them simply as trees ie terms

but in reality memory sharing is used so new terms are constructed using

p ointers to old ones rather than a very exp ensive recopying For ecient

implementation compiletime analyses must take sharing into account for

example to minimize costs of memory allo cation and gargage collection

Careful pro ofs of equivalence b etween the two formulations for a term

rewriting language can b e seen in Barendregt et al

In Jones a a simple imp erative language with Lisplike primitives

is discussed The semantics is describ ed op erationally using nite graphs

for the store The following diagram describ es a store with X a b

c Y b c and Z b c c where Y is shared by X and Z

X Z

This instrumented semantics is mo delled in Jones a by approximat

ing such stores by klimited graphs where k is a distance parameter The

idea is that the graph structure is mo delled exactly for no des of distance

k or less from a variable All graph no des farther than k from a variable

name are mo delled by no des of the forms c s or indicating that

the omitted p ortion of the graph is resp ectively p ossibly cyclic acyclic

but with p ossibly shared no des or acyclic and without sharing

Stransky has done further work in this direction Stransky

Analysis of Functional Languages

Motivations for analysing functional languages are partly to counter the

time costs involved in implementing p owerful programming features such as

higher order functions pattern matching and lazy evaluation and partly to

reduce their sometimes large and not easily predictable space requirements

The problem of strictness analysis briey mentioned in Section has

reeived much attention key pap ers b eing Burn Wadler and

Hughes Polymorphism which allows a functions type to b e used

in several dierent instantiations creates new problems in abstract inter

pretation Imp ortant pap ers include Abramsky and Hughes

Approximating functions by functions on abstract values A nat

ural and common approach is to let an abstraction of a function b e a

function on abstract values One example is Section s general framework

using logical relations and based on the lambda calculus as a metalanguage

The rst higherorder strictness analysis was the elegant metho d of

Burn In this work the domains of a function b eing analyzed for

strictness are mo deled by abstract domains of exactly the same structure

but with f g in place of the basis domains Strictness information

is in essence obtained by computing with these abstracted higherorder

functions However a xp oint iteration is needed since the abstractions

sacrce the programs determinacy cf the end of Section

While suitable for many problems concerning functional and other lan

guages abstracting functions by functions is not always enough for the

program analyses used in practice An example where this simply do es not

give enough information is constant propagation in a functional language

As b efore the goal is to determine whether or not one of the arguments of

a program function is always called with the same value and if so to nd

that value at analysis time

For this it is not enough to know that if a function f is called with

argument x it will return value x It is also essential to know which

values f can be called with during program execution since a compiler

can exploit knowledge ab out constant arguments to generate b etter target

co de

For another example the higherorder strictness analysis in Burn

has turned out to b e unacceptably slow in practice even for rather small

programs The reason is that the abstract interpretation involves comput

ing xp oints of higherorder functions Abstract domains for the function

b eing analyzed have the same structure as the originals but with f g

for all basis domains This implies that analysis of even a small function

such as fold right can lead to a combinatorial explosion in the size of

the abstract domains involved requiring subtle techniques to b e able to

compute the desired strictness information and avoid having to traverse

the entire abstract value space

First Order Minimal Function Graphs

The minimal function graph of a program function was dened in Jones

to b e the smallest set of pairs argument function value sucicient to

carry out program execution on given input data For example consider

the function dened by the following program

f X if X then

else if X ev en then f X

else f X

Its minimal function graph for program input X is

f g

The minimal function graph semantics maps a programmerdened func

tion to something more detailed than the argumenttoresult function tra

ditionally used in a standard semantics and is a form of instrumented

semantics In Jones it is shown how the constant propagation

analysis may b e done by approximating this semantics and the idea of

proving correctness by semihomomorphic mappings b etween various inter

pretations of a denotational semantics is explained

Earlier metho ds to approximate programs containing function calls were

describ ed in Cousot c Sharir and Jones

Higher Order Functions

Higher order functions as well as rst order ones may b e approximated

using logical relations Examples include the analyses of Section and

Burn but such metho ds cannot closely describ e the way functions

are used during execution

For example if the value of exp in an application expexp is mo delled

by a function from abstract values to abstract values this do es not contain

enough information to see just which programmerdened functions may

b e called at run time and such information may b e essential for ecient compilation

This leads to more op erational approaches to abstractly interpreting

programs containing higher order functions An early step in this direction

was the rather complex Jones b and more recent and applications

motivated pap ers include Sestoft Shivers

Closure analysis This metho d from can b e describ ed as an op erationally

oriented semanticsbased metho d Programs are assumed given as systems

of equations in the now p opular named combinator style with all functions

curried and function denitions of the form

f X X expression containing X X and function names

n n

In this language a value which is a function is obtained by an incomplete

function application Op erationally such a value is a socalled closure of

form f v v where v v are the values of f s rst i arguments

i i

The pap er Sestoft contains algorithms for a closure analysis

yielding for example information that in a particular application expexp

the op erator exp can evaluate to an f closure with one evaluated argument

or to a g closure with two evaluated arguments

Instead of approximating a function by a function each programmer

dened function f is describ ed by a global function description table con

taining descriptions of all arguments with which it can b e called just as in

the minimal function graphs discussed earlier

An approximation to a value which is a function is thus represented by

an approximate closure of the form f a a where the a approximate

i i

the v

But then how is v itself approximated There seems to b e a risk of

innite regression Supp osing v can b e a closure g w w we can

i j

simply approximate it by the pair g j The reason this works is that

when needed a more precise description of g s arguments can b e obtained

from g s entry in the global function description table

Analysis starts with a single global function description table entry de

scribing the programs initial call and abstract interpretation continues

until this table stabilizes ie reaches its xp oint Termination is guaran

teed b ecause there are only nitely many p ossible closure descriptions

Closure analysis describ es functions globally rather than lo cally and

so app ears to b e less precise in principle than approximating functional

values by mathematical functions This is substantiated by complexity

results that show the analyses of Burn to have a worstcase lower

b ound of exp onential time whereas closure analysis works in time b ounded

by a lowdegree p olynomial

The techniques developed in Sestoft Shivers have shown

themselves useful for a variety of practical ow analysis problems involv ing higher order functions for example in ecient implementation of lazy

evaluation Sestoft and Argo and partial evaluation Bondorf

Similar ideas are used in Jones b to provide an op erationally oriented

denotational minimal function graph semantics for higher order programs

One application is to prove the safety of Sestofts algorithms

Backwards Analysis and Contexts

As observed in Section backwards analysis of an imp erative program

amounts to nding the weakest precondition on stores sucient to guar

antee that a certain p ostcondition will hold after command execution For

functional programs an analogous concept to p ostcondition is that of the

context of a value which describ es the way the value will b e used in the

remainder of the computation

Clearly the usage of the result of a function will aect the usage of

its arguments to the function will b e used For an extreme example if

the result of function call f e e is not needed then the arguments

e e will not b e needed either

The example is not absurd consider the following abstract program

using pattern matching and a list notation where nil is the empty list

is the concatenation op erator a a abbreviates a a nil

n n

length

lengthZZs lengthZs

fX if testX then else gX fX

When evaluating a call lengthf exp the values of g are clearly ir

relevant to the length of f exp and g need not b e called at all This

can b e used to optimize co de in a lazy language For another example if

f n x x and a call f e e app ears in a context where its value is an

even number one can conclude that e is p ositive and e is even

Context information thus propagates backwards through the program

from the context of an enclosing expression to the contexts of its sub ex

pressions and from the context of a called function to the contexts of its

parameters in a call

Some uses of backwards functional analyses

Strictness analysis identies arguments in a lazy or call by name lan

guage for which the more ecient call by value evaluation may b e used

without changing semantics Both forwards and backwards algorithms ex

ist but backwards metho ds seem to b e faster Early work on backwards

metho ds includes Hughes and Hughes later simplied for

the case of domain pro jections in Wadler and Hughes

Storage reclamation Metho ds are develped in Jensen to recog

nize when a memory cell has b een used for the last time so it may safely

b e freed for later use An application is substantially to reduce the number

of garbage collections

Partial evaluation automatially transforms general programs into ver

sions sp ecialized to partially known inputs A sp ecialized program is usu

ally faster that the source it was derived from but often contains redundant

data structures or unused values sp ecializations of generalpurp ose data in

the source Backwards analysis is used for arity raising which improves

programs by removing unnecessary data and computation Romanenko

Information ow While the analogy to the earlier backwards analyses

is clear the technical details are dierent and rather more complicated A

b ottleneck is that while functions may have many arguments they pro duce

only one result Thus one cannot simply invert the next relation to

describ e program running in the reverse direction

Given a function denition

f X X expression containing X X and function names

n n

one can asso ciate a context transformer f C ontext C ontext with each

argument X The idea is that if f is called with a result context C then

f C will b e the context for f s ith argument

In eect this is an indep endent attribute formulation of f s input

output relation necessarily losing intervariable interactions Unfortunately

it means that backwards analyses cannot in principle exactly describ e the

programs computations as is the case with forward analyses

What is a context semantically The intuition the rest of the com

putation can b e expressed by the current continuation since since a con

tinuation is a function taking the current expression value into the pro

grams computational future This approach was taken in Hughes

but is technically rather complex since it entails that a context is an ab

straction of a set of continuationstricky to handle since continuations are

higherorder functions

In the later Wadler and Hughes the concept of context

is restricted to prop erties given by domain projections typically sp ecing

which parts of a value might later b e used A language for nite descriptions

of pro jections and their manipulation was developed ow equations were

derived from the program to b e analyzed and their least xp oint solution

gives the desired information

Some example contexts that have shown themselves useful for the e

cient implementation of lazy functional programs include

ABSENT the value is not needed for further computation

ID the entire value may b e needed

HEAD the value is a pair and its rst comp onent may b e needed

but the second will not b e

SPINE the value is a list and all its toplevel cells may b e needed

the length function demads a SPINE context of its argument

Complex Abstract Values

Finding nite approximate descriptions of innite sets of values is an es

sential task in abstract interpretation We mentioned in Section that

abstracting stores or environments amounts to nding nite descriptions of

relations among the various program variables This was straightforward in

the evenodd example given earlier eg o dd represented fg etc

and op erations on numbers were easily mo deled on this nite domain of

abstract values Analysis problems requiring more sophisticated metho ds

include

functions as values esp ecially higher order functions

mutual relationships among variable values

describing structured data eg nested lists and trees

Functions as values

Some approaches were describ ed ab ove approximation by functions on

abstract values and closure analysis and several more have b een studied

Relations on ntuples of numbers

In this sp ecial case there is a welldeveloped theory linear algebra in

particular systems of linear inequalities Cousot describ es a way

to discover linear relationships among the variables in a Pascallike pro

gram Such relations may b e systematically discovered and exploited for

for example ecient compilation of array op erations Related work in

volving the inference of systems of mo dulus equations has b een applied

to pip elining and other techniques for utilizing parallelism Granger

Mercouro This work has b een further developed into a system for

automatic analysis of Pascal programs

Grammars

The analysis of programs manipulating structured data eg lists as in Lisp

ML etc requires metho ds to approximate the innite sets of values that

variables may take on during program runs There is also a welldeveloped

theory and practice for approximating such innite sets involving regular

grammars or their equivalent regular expressions

An Example Grammar Construction Consider the following abstract

program using the list notation of Section

fN rstN sequencenil

rstnil Xs nil

rstM Ms X Xs Ms rstMs Xs

sequenceY Y sequence Y

We assume an initial call of form fN where the input variable N ranges

over all lists of s and further that the language is lazy Conceptually

call sequencenil generates the innite list The

p ossible results of the program are all of its nite prexes

Output f g

The metho d of Jones a constructs form this program a tree grammar

G containing after some simplication the following pro ductions They

describ e the terms which are the programs p ossible output values

N nil j N Program input f argument

f rst

r esult r esult

rst nil j Ms rst

r esult r esult

Ms N

X Y

Xs sequence

r esult

Y nil j Y

sequence Y sequence

r esult r esult

With f as initial nonterminal G generates all p ossible lists each of

r esult

whose elements is a list of s More generally by this approach an abstract

value in Abs is a tree grammar and the concretization function maps the

tree grammar and one of its nonterinal symbols A into the set of terms

that A generates

Safety The natural denition of safe program approximation is that the

grammar generates all p ossible runtime values computed by the program

and usually a prop er sup erset By the grammar ab ove nonterminal f

r esult

clearly generates all terms in Output and so is a safe approximation to

the actual program b ehaviour

It is not a p erfect description since f generates all p ossible lists of

r esult lists of s regardless of order

Nonexistence of an abstraction function For this analysis an ab

stract value is a large ob ject a grammar G and the concretization function

maps Gs nonterminals into term sets which are sup ersets of the value

sets that variables range over in actual computations It is natural to ask

what is the corresp onding abstraction function

In this case there is no unique natural for a mathematical reason

The p oint is that regular tree grammars as illustrated ab ove generate only

regular sets of terms a class of sets with wellknown prop erties On the

other hand the program ab ove and many more generate nonregular sets

of values Output is easily proven nonregular It is well known that for

any nonregular set S of terms there is no b est regular sup erset of S In

general increasing the number of nonterminals will give b etter and b etter

ts ie smaller sup ersets but a p erfect t to a nonregular set is by

denition imp ossible

References The pap ers Reynolds and Jones aJones a

contain metho ds to construct given a program involving structured val

ues a regular tree grammar describing it Essentially similar techniques

although formalized in terms of tables rather than grammars have b een

applied to the lambda calculus Jones b interprocedural imp erative

program analysis Jones a language suitable as an intermediate lan

guage for ML Deutsch and the Prolog Language Heintze

Abstract Interpretation of Logic Programs

Given the framework already developed we concentrate on the factors that

make logic program analysis dierent from those seen earlier Further we

concentrate on Prolog in which a program is a sequence of clauses each

of the form head b o dy

0 0 00 00

ht t b t t b t t

m k

n p

where h b b are predicate names and the t are terms built up from

k i

constructors and variables Variable names traditionally start with capital

letters eg X Constructors are as in functional languages eg and

but runtime values are rather dierent as they may contain free or

uninstantiated variables Each b t is called a goal

An example program for app ending two lists

app endXs Xs

app endXXsYsXZs app endXsYsZs

Semantics of Prolog Programs

Prolog can b e viewed either as a pure logical theory so a program is a set

of Horn clauses with certain logical consequences or as an op erationally

oriented programming language When used op erationally programs may

contain features with no interpretation in mathematical logic to improve

eciency or facilitate communication with other programs Examples in

putoutput op erations tests as to whether a variable is currently instanti

ated and op erations to add new clauses to the program currently running

or to retract existing clauses

A ground term is one containing no variables The bottomup or log

ical interpretation of app end is the smallest ary relation on ground

terms which satises the implications in the program It thus contains

app end and app end among others

Topdown interpretation is used for Prolog program execution Com

putation b egins with a query which is a b o dy as describ ed ab ove The

result is a nite or innite sequence of answer substitutions each of which

binds some of the free variables in the query In a topdown semantics

the basic ob ject of discourse is not a store or an environment but a sub

stitution that maps variables to new terms which may in turn contain

uninstantiated variables ie b e nonground

The result of running the program ab ove with an initial query ap

p endWs would b e the oneelement answer sequence

while the result of running with query app endUsVs would b e the

sequence of three answers

Us Vs

and the result of running with query app endVsWs would b e an

answer containing an uninstantiated variable

Vs Ts Ws Ts

Sp ecial Features of Logic Programs

The p ossibility of more than one answer substitution is due to the back

tracking strategy used by Prolog to nd all p ossible ways to satisfy the

query These are found by satisfying the individual goals q left to

rightunifying each with all p ossible clause left sides in the order they ap

p ear in the program Once unication with a clause head has b een done

its b o dy is then satised in turn trivially true if it is empty This pro

cedure is often describ ed as a depthrst lefttoright search search of the

SLDtree

Bindings made when satisfying q are used when satisfying q for j i

i j

so in a certain sense the current substitution b ehaves like an up datable

store A dierence is that it is writeonce in that old bindings may not

b e changed However changes may b e made by instantiating free variables

Types of Analyses

All this makes program analysis rather complex and the sp ectrum seen

in the literature is quite broad Many but not all analyses concentrate on

pure Prolog subsets without nonlogical features Some are b ottomup

and others are topdown

Needs for Analysis

A rst motivation for analysis is to optimize memory use Prolog is noto

rious for using large amounts of memory One reason is that due to back

tracking the information asso ciated with a predicate call cannot b e p opp ed

when the call has b een satised but must b e preserved for p ossible future

use in case backtracking should cause control the call to b e p erformed

again Considerable research on intelligent backtracking is b eing done

to alleviate this problem and involves various abstract interpretations of

p ossible program b ehaviour

Another motivation is sp eed Unication of two terms containing vari

ables is a fundamental op eration and one that is rather slower than assign

ment in imp erative languages or matching as used in functional languages

One reason is that unication involves twoway bindings variables in either

term may b e b ound to parts of the other term or transitively even to parts

of the same term Another is the need for the occur check to check that a

variable never gets b ound to a term containing itself although sometimes

convenient for computing programs containing such circular terms have

no natural logical interpretation

Examples of Analysis

Analyses to sp eed up unication The following are useful to recognize

when sp ecial forms of unication can b e used such as assignment or oneway

matching

Mode analysis determines for a particular goal those of its free variables

which will b e unbound whenever a goal is called and which will b e b ound

as a result of the call Mellish

Groundness anaysis discovers which variables will always b e b ound to

a ground variablefree term when a given program p oint is reached For example app end when called with a query with ground Xs and Ys yield

a substitution with ground Zs when called with bround Zs all answers will

have ground Xs and Ys and when called with only Xs ground the answers

will never b e ground

Groundness analysis is more subtle than it app ears due to p ossible

aliasing and shared substructures since binding one variable to a ground

term may aect variables app earing in another part of the program b e

ing analyzed Simple groundness and sharing analyses are describ ed in

Jones b A more elegant metho d using prop ositional formulas built

from and was introduced in Marriott and compared with other

metho ds in Cortesi

Safely avoiding the o ccur check

Circularity analysis is a related and more subtle problem the goal b eing

to discover which unications may safely b e p erformed without doing the

timeconsuming o ccur check The rst pap er on this was by Plaisted

Plaisted with a very complex and hard to follow metho d A more

semanticsbased metho d was presented in Sndergaard

Other analyses The dierence list transformation can sp eed programs

up by nonlinear factors and can b e applied systematically but it can

also change program semantics if used indiscriminately Analyses to de

termine when the transformation may b e safely applied are describ ed in

Marriott

Other uses include binding time analysis for oine partial evaluation

and deciding when certain optimizing transformations can b e applied One

example is deforestation Wadler

Metho ds of Analysis

Analysis metho ds can roughly b e divided into the pragmatically oriented

including Bruyno oghe Mellish and Nilsson and the

semantically oriented including Cortesi Debray Jones b

and Marriott

A natural analogue to the accumulating semantics seen earlier was used

in Jones b and a number of later pap ers and presumes given a se

quence of clauses and a single query It is a sticky semantics in which

the program p oints are the p ositions just b efore each clause goal or the

query and at the end of each clause and the query With each such p oint

is accumulated the set of all substitutions that can obtain there during

computations on the given query so those for the query end describ e the

answer substitutions

Approximation of substitutions and unication These are nontriv

ial problems for several reasons One is renaming each clause is implicitly

universally quantied over all variables app earing in it so unication of a

predicate call with a clause head requires renaming to avoid name clashes

and the same variable may app ear in many incarnations during a sin

gle program execution Many approximations merge information ab out all

incarnations into a single abstraction but this is not safe for all analyses

Aliasing is also a problem since variables may b e b ound to one another

so binding one will change the bindings of all that are aliased with it Terms

containing free variables have the same problem binding one variable will

change the values of all terms containing it

Finally unication binds variables to structured terms so approxima

tions that do not disregard structure entirely have some work to do to

obtain nite descriptions A recent example is Heintze

Marriott is interesting in two resp ects it uses the metalanguage

approach describ ed in this work in Section and it uses sets of constraints

instead of substitutions reducing some of the technical problems just men tioned

5 Glossary

abstraction function Usually a function from values or sets of values to

abstract values such as EVEN ODD See adjoined pair

accumulating semantics A semantics that mo dels the set of values that

a standard semantics or instrumented semantics may pro duce The

functionality of commands might b e P StoP Sto and the pro

gram description might b e Pla P Sto where Pla is the domain

of program p oints or places

adjoined pair A pair of functions D E E D that satises d v e

if and only if d v e The rst comp onent is often called an abstrac

tion function or a lower adjoint and the second comp onent is called

a concretization function or an upper adjoint

backward Used for an analysis where the program is analysed in the

opp osite direction of the ow of control an example b eing liveness

analysis see glossary In Section this is formalized by interpreting

as where DE means ED

collecting semantics Has b een used to mean sticky semantics as well as

lifted or accumulating semantics so some confusion as to its exact

meaning has arisen in the literature

concretization function Usually a function from abstract values such

as EVEN ODD to sets of concrete values See adjoined pair

context A description of how a computed value will b e used in the re

mainder of the computation Used in backwards analysis of functional

programs

correctness Given a relation of theoretical or implementational imp or

tance correctness amounts to showing that the prop erties obtained

by abstract interpretation always have this relation to the standard

semantics

core semantics See factored semantics

duality principle The principle of lattice theory saying that by changing

the partial order from v to w one should also change least xed

p oints to greatest xed p oints and least upp er b ounds to greatest

lower b ounds and that then the same information results

factored semantics The division of a denotational semantics into two

parts a core assigning terms to every language construct but with

some details left unsp ecied and an interpretation giving the mean

ings of the omitted parts Often used to compare the correctness of

one abstract interpretation with resp ect to another abstract interpre

tation

rstorder Used for an analysis where the prop erties directly describ e

actual values An example is detection of signs where the prop erty

describ es the values etc

forward Used for an analysis where the program is analysed in the same

direction as the ow of control In Section this is formalized by

interpreting as

indep endent attribute metho d Used for an analysis where the com

p onents of a tuple are describ ed individually ignoring relationships

among comp onents In Section this is formalized by interpreting

induced prop erty transformer An analysis that is obtained from a

standard semantics or another analysis in a certain way that is guar

anteed to pro duce an optimal analysis over a given selection of prop

erties

instrumented semantics A version of the standard semantics where

more op erational detail is included In general an instrumented se

mantics constrains the implementation of a language as dened by

its standard semantics

interpretation See factored semantics

lax functor A mo dication of the categorical notion of functor in that

certain equalities are replaced by inequalities

lifted semantics Another term for the accumulating semantics

live variable A variable whose variable may b e used later in the current

computation

logical relation A relation constructed by induction on a type structure

in a certain natural way

minimal function graph An interpretation that asso ciates to each user

dened function in a program a subset of S S that indicates those

argumentresult pairs which are actually involved in computing out

puts for a given input to a program

relational metho d Used for an analysis where the interrelations among

comp onents of a tuple are describ ed eg X Y In Section

this is formalized by interpreting as tensor pro duct

representation transformation A function that maps values or prop

erties to prop erties eg an abstraction function

safety Essentially the same as correctness but emphasizing that the re

sults of an analysis may b e used for program transformation without

changing semantics Often used when the correctness of one abstract

interpretation is established with resp ect to another abstract inter

pretation

secondorder Used for an analysis where the prop erties do not directly

describ e actual values but rather some asp ects of their use An ex

ample is liveness where the prop erty live do es not describ e any value

but rather that the value might b e used in the future computations

standard semantics A semantics where as few implementation consid

erations as p ossible are incorp orated The functionality of commands

might b e StoSto

static semantics Has b een used to mean sticky lifted semantics but this

usage conicts with the distinction b etween static and dynamic se

mantics

sticky semantics Used for a semantics which binds program p oints to

various information sticky in the sense of ypap er In a sticky

semantics a command might b e of functionality StoPlaP Sto

where Pla is the domain of program p oints or places

strict function f V V W is strict in its ith argument if

f v v v v for all v V

i i n i i

tensor pro duct An op eration on algebraic lattices that may b e used

to formalize the notion of relational method When formulated in the

categorical framework as is natural when recursive types are to b e

considered the concept of lax functor is necessary

REFERENCES

References

Abramsky SAbramsky Strictness analysis and p olymorphic in

variance Programs as Data Objects Proceedings

of the Workshop on Programs as Data Objects Copen

hagen volume of Lecture Notes in Computer Science

SpringerVerlag

Abramsky Abstract Interpretation of Declarative Languages

SAbramsky and CHankin eds Ellis Horwoo d

Abramsky SAbramsky Abstract interpretation logical relations

and Kan extensions Journal of logic and computation

Aho Sethi and Ullman AVAho RSethi JDUllman Compil

ers Principles Techniques and Tools AddisonWesley

Ammann J urgenAmmann Elemente der Pro jektionsAnalyse f ur

Funktionen hohererOrdnung MScthesis University of

Kiel forthcoming

Bandelt HJBandelt The tensor pro duct of continuous lattices

Mathematische Zeitschrift

Barendregt et al Term graph rewriting In J W de Bakker A J

Nijman P C Treleaven eds PARLEParallel Archi

tectures and Languages Europe Lecture Notes in Com

puter Science vol SpringerVerlag

Bloss and Hudak P Hudak A Bloss The Aggregate Up date Prob

lem in Functional Programming Proc th ACM Sym

posium on Principles of Programming Languages

Bondorf A Bondorf Automatic autopro jection of higher order

recursive equations Science of Computer Programming

Bruyno oghe M Bruyno oghe A Practical Framework for the Ab

stract Interpretation of Logic Programs Journal of Logic

Programming

Burn GLBurn CHankin SAbramsky Strictness Analysis

for HigherOrder Functions Science of Computer Pro

gramming

REFERENCES

Cortesi ACortesi GFile WWinsb orough Prop Revisited

Prop ositional Formulas as Abstract Domain for Ground

ness Analysis Proceedings th Annual Symposium on

Logic in Computer Science

Cousot a PCousot RCousot Abstract Interpretation a Uni

ed Lattice Mo del for Static Analysis of Programs by

Construction or Approximation of Fixp oints Proc th

ACM Symposium on Principles of Programming Lan

guages

Cousot b PCousot RCousot Automatic Synthesis of Optimal

Invariant Assertions Mathematical Foundations Proc

ACM Symposium on Articial Intel ligence and Program

ming Languages

Cousot c PCousot RCousot Static Determination of Dy

namic Prop erties of Recursive Pro cedures IFIP Working

Conference on Programming Concepts NorthHolland

Cousot PCousot NHalbwachs Automatic Discovery of Lin

ear Restraints Among Variables of a Program Proc th

ACM Symposium on Principles of Programming Lan

guages

Cousot PCousot RCousot Systematic Design of Program

Analysis Frameworks Proc th ACM Symposium on

Principles of Programming Languages

Curien PLCurien Categorical Combinators Sequential Algo

rithms and Functional Programming Wiley

Darlington RM Burstall and J Darlington A transformation

system for developing recursive programs Journal of

the ACM January

Debray S Debray Dataow Analysis of Logic Programs Re

p ort SUNY at Stony Bro ok New York

Deutsch A Deutsch On Determining Lifetime and Aliasing of

Dynamically Allo cated Data in Higher Order Functional

Sp ecications in Proceedings of the Seventeenth Annual

ACM Symposium on Principles of Programming Lan

guages ACM Press

Dijkstra EW Dijkstra A Discipline of Programming Prentice Hall

REFERENCES

DonzeauGouge V DonzeauGouge Utilisation de la Semantique

denotationelle p our letude dinterpretations non

standard INRIA rapp ort

Dyb jer PDybjer Inverse Image Analysis Proc ICALP Lec

ture Notes in Computer Science SpringerVerlag

Fosdick LD Fosdick L Osterweil Data Flow Analysis in Soft

ware Reliability Computing Surveys

Foster M Foster Software Validation using Abstract Inter

pretation in Abstract Interpretation of Declarative Lan

guages edited by S Abramsky and C Hankin

Ellis Horwoo d Chichester England

Gordon MJCGordon The Denotational Description of Pro

gramming Languages An Introduction SpringerVerlag

Granger P Granger Static Analysis of Linear Congruence Equal

ities among Variables of a Program in Proceedings of

the Fourth International Joint Conference on the The

ory and Practice of Software Development TAPSOFT

Lecture Notes in Computer Science

SpringerVerlag

Hecht MS Hecht Flow Analysis of Computer Programs El

sevier NorthHolland

Heintze NHeintze Set Based Program Analysis Carnegie

Mellon PhD thesis

Hudak PHudak JYoung Collecting interpretation of expres

sions ACM Transactions on Programming Languages

and Systems April

Hughes J Hughes Strictness Detection in Nonat Domains

Proceedings of the Workshop on Programs as Data Ob

jects Copenhagen volume of Lecture Notes in Com

puter Science SpringerVerlag

Hughes John Hughes Analyzing Strictness by Abstract Inter

pretation of Continuations in Abstract Interpretation of

Declarative Languages edited by S Abramsky and C

Hankin Ellis Horwoo d Chichester England

REFERENCES

Hughes John Hughes Backward Analysis of Functional Pro

grams Partial evaluation and mixed computation

NorthHolland

Hughes RJM Hughes J Launchbury Pro jections for Poly

morphic Strictness Analysis Mathematical Structures in

Computer Science

Jensen Thomas P Jensen Strictness analysis in logical form In

Proceedings of the Conference on Functional Pro

gramming Languages and Computer Architecture

Jensen Thomas P Jensen T Mogensen A Backwards Anal

ysis for Compile Time Garbage Collection In Proceed

ings of the European Symposium on Programming LNCS

SpringerVerlag

Jones NDJones AMycroft Dataow of Applicative Pro

grams Using Minimal Function Graphs Procth ACM

Symposium on Principles of Programming Languages

Jones a SS Muchnick ND Jones Flow Analysis and Opti

mization of Lisplike Structures in Program Flow Analy

sis eds SS Muchnick ND Jones PrenticeHall

Jones b ND Jones Flow Analysis of Lambda Expressions

ICALP Lecture Notes in Computer Science

SpringerVerlag

Jones ND Jones SS Muchnick A Flexible Approach to In

terpro cedural Data Flow Analysis and Programs with

Recursive Data Structuresin Proceedings of the th

ACM Symposium on Principles of Programming Lan

guages

Jones a Neil D Jones Flow Analysis of Lazy HigherOrder Func

tional Programs in Abstract Interpretation of Declara

tive Languages edited by S Abramsky and C Hankin

Ellis Horwoo d Chichester England

Jones b Neil D Jones Harald Sndergaard A SemanticsBased

Framework for the Abstract Interpretation of Prolog in

Abstract Interpretation of Declarative Languages edited

by S Abramsky and C Hankin Ellis Horwoo d Chichester England

REFERENCES

Jones Neil D Jones Peter Sestoft Harald Sndergaard Mix

A SelfApplicable Partial Evaluator for Exp eriments in

Compiler Generation Lisp and Symbolic Computation

Jones a ND Jones C Gomard P Sestoft Partial Evaluation

and Automatic Program Generation Prentice Hall In

ternational

Jones b ND Jones M Rosendahl Higher Order Minimal Func

tion Graphs DIKU rep ort

Kahn G Kahn Natural semantics In FJ Brandenburg

G VidalNaquet and M Wirsing editors STACS

th Annual Symposium on Theoretical Aspects of Com

puter Science Passau Germany Lecture Notes in Com

puter Science vol SpringerVerlag

Kam JB Kam JD Ullman Monotone Data Flow Analysis

Frameworks Acta Informatica

Kennedy KKennedy A Survey of Compiler Optimization in Pro

gram Flow Analysis eds SS Muchnick ND Jones

PrenticeHall

MacLane SMacLane Categories for the Working Mathematician

SpringerVerlag

Marriott K Marriott H Sndergaard Notes for a Tutorial

on Abstract Interpretation of Prolog Programs North

American Conference on Logic Programming

Marriott K Marriott H Sndergaard Prolog Program Transfor

mation by the Introduction of Dierencelists accepted

by ACM Transactions on Programming Languages and

Systems ACM

Marriott K Marriott H Sndergaard ND Jones Denotational

Abstract Interpretation of Prolog Programs in Proceed

ings of International Computer Science Conference

IEEE Computer So ciety

Masdupuy F Masdupuy Using Abstract Interpretation to Detect

Array Data Dep endencies in Proceedings of the Inter

national Symposium on Supercomputing Fukuoka

Mellish Abstract Interpretation of Prolog Programs in Abstract

Interpretation of Declarative Languages edited by S

REFERENCES

Abramsky and C Hankin Ellis Horwoo d

Mercouro N Mercouro An Algorithm for Analysing Commu

nicating Pro cesses in The Mathematical Foundations of

Programming Semantics Conference

Muchnick SS Muchnick ND Jones Program Flow Analysis

PrenticeHall

Mycroft A Mycroft Abstract Interpretation and Optimising

Transformations for Applicative Programs PhD thesis

Department of Computer Science University of Edin

burgh Scotland Also rep ort CST

Mycroft AMycroft FNielson Strong Abstract Interpretation

using Power Domains Proc ICALP Lecture Notes

in Computer Science SpringerVerlag

Mycroft Alan Mycroft Neil D Jones A relational framework for

abstract interpretation In H Ganzinger and N Jones

editors Proceedings of the Workshop on Programs as

Data Objects Copenhagen volume of Lecture Notes

in Computer Science SpringerVerlag

Mycroft AMycroft A Study on Abstract Interpretation and

Validating Micro co de Algebraically Abstract Inter

pretation of Declarative Languages SAbramsky and

CHankin eds Ellis Horwoo d

Naur P Naur Checking of Op erand Types in ALGOL Com

pilers BIT

Nielson FNielson A Denotational Framework for Data Flow

Analysis Acta Informatica

Nielson FNielson Towards Viewing Nondeterminism as Ab

stract Interpretation Foundations of Software Technol

ogy Theoretical Computer Science

Nielson FNielson Abstract Interpretation using Domain The

ory PhDthesis CST University of Edinburgh

Scotland

Nielson a FNielson Program Transformations in a Denotational

Setting ACM Transactions on Programming Languages

and Systems

REFERENCES

Nielson b FNielson Tensor Pro ducts Generalize the Relational

Data Flow Analysis Metho d Proc th Hungarian Com

puter Science Conference

Nielson a FNielson Abstract Interpretation of Denotational Def

initions Proc STACS Lecture Notes in Computer

Science SpringerVerlag

Nielson b FNielson Exp ected Forms of Data Flow Analysis Pro

grams as Data Objects Lecture Notes in Computer Sci

ence SpringerVerlag

Nielson c FNielson A Bibliography on Abstract Interpretation

ACM Sigplan Notices and Bul letin

of the EATCS

Nielson FNielson Towards a Denotational Theory of Abstract

Interpretation Abstract Interpretation of Declarative

Languages SAbramsky and CHankin eds Ellis Hor

woo d

Nielson a FNielson Strictness Analysis and Denotational Ab

stract Interpretation Information and Computation

Also see Procth ACM Symposium on

Principles of Programming Languages

Nielson b HRNielson FNielson Automatic Binding Time Anal

ysis for a Typed calculus Science of Computer Pro

gramming Also see Proc th ACM

Symposium on Principles of Programming Languages

Nielson c FNielson HRNielson level lifting Proc ESOP

Lecture Notes in Computer Science Springer

Verlag

Nielson d FNielson HRNielson The TMLapproach to

compilercompilers report IDTR The Tech

nical University of Denmark

Nielson FNielson TwoLevel Semantics and Abstract Interpre

tation Theoretical Computer Science Fundamental

Studies

Nielson a HRNielson FNielson Semantics with Applications A

Formal Introduction for Computer Science Wiley

REFERENCES

Nielson b FNielson HRNielson TwoLevel Functional Lan

guages Cambridge Tracts in Theoretical Computer Sci

ence Cambridge University Press

Nilsson U Nilsson Abstract Interpretation a Kind of Magic in

Programming Language Implementation and Logic Pro

gramming edited by J Maluszynski MWirsing Lec

ture Notes in Computer Science Springer

Verlag

Paulson LPaulson Compiler Generation from Denotational Se

mantics Methods and Tools for Compiler Construction

BLorho ed Cambridge University Press

Plaisted D Plaisted The OccurCheck Problem in Prolog in

Pro ceedings of the International Symp osium on Logic

Programming New Jersey

Plotkin GDPlotkin A p owerdomain construction SIAM Jour

nal on Computing

Plotkin GDPlotkin Lambda Denability in the Full Type

Hierarchy To HBCurry Essays on Combinatorial

Logic Lambda Calculus and Formalism JPSeldin and

JRHindley eds Academic Press

Plotkin GD Plotkin A structural approach to op erational se

mantics Technical Rep ort FN DAIMI Aarhus Uni

versity Denmark Reprinted

Pitt Category Theory and Computer Programming edited by

DPitt SAbramsky APoigne and DRydeheard Lec

ture Notes in Computer Science SpringerVerlag

Reynolds J Reynolds Automatic Computation of Data Set Def

initions Information Processing North

Holland

Reynolds JCReynolds On the Relation b etween Direct and Con

tinuation Semantics Proc ICALP Lecture Notes

in Computer Science SpringerVerlag

REFERENCES

Romanenko SA Romanenko Arity raiser and its use in program

sp ecialization In N Jones editor ESOP rd Eu

ropean Symposium on Programming Copenhagen Den

mark May Lecture Notes in Computer Science

vol SpringerVerlag

Rosendahl Mads Rosendahl Automatic Complexity Analysis In

Functional Programming Languages and Computer Ar

chitecture in FPCA Conference Proceedings

ACM Press

Schmidt DASchmidt Denotational Semantics A Methodology

for Language Development Allyn and Bacon

Sestoft P Sestoft Replacing function parameters by global vari

ables Masters thesis DIKU University of Cop enhagen

Denmark Octob er

Sestoft and Argo Peter Sestoft and Guy Argo Detecting Unshared

Expressions in the Improved Three Instruction Machine

November DIKU University of Cop enhagen Den

mark Submitted for publication

Sharir M Sharir A Pnueli Two Approaches to Interprocedu

ral Data Flow Analysis in Program Flow Analysis eds

SS Muchnick ND Jones PrenticeHall

Shivers O Shivers The Semantics of Scheme Controlow Anal

ysis in Partial Evaluation and SemanticsBased Pro

gram Manipulation SIGPLAN Notices ACM

Sintzo M Sintzo Calculating Prop erties of Programs by Valu

ations on Sp ecic Mo dels Proceedings ACM Conference

on Proving Assertions abourt Programs

Sndergaard H Sndergaard An Application of Abstract Interpre

tation of Logic Programs Occur Check Reduction Pro

ceedings of the European Symposium on Programming

SpringerVerlag

Steen BSteen Optimal Run Time Optimization Proved

by a New Lo ok at Abstract Interpretations TAPSOFT

Lecture Notes in Computer Science Springer

Verlag

Stoy JE Stoy Denotational Semantics The ScottStrachey

Approach to Programming Language Theory The MIT Press

REFERENCES

Stransky J Stransky A Lattice for Abstract Interpretation of

Dynamic LISPlike Structures Information and Com

putation Research rep ort LIXRR

Wadler P Wadler RJM Hughes Pro jections for Strict

ness Analysis In Gilles Kahn editor FPCA Func

tional Programming and Computer Architecture Port

land Oregon Sept Lecture Notes in Computer

Science vol SpringerVerlag

Wadler P Wadler Deforestation Transforming programs to

eliminate trees In H Ganzinger editor ESOP nd

European Symposium on Programming Nancy France

March Lecture Notes in Computer Science vol

SpringerVerlag

Wegbreit B Wegbreit Prop erty Extraction in Wellfounded Prop

erty Sets IEEE Transactions on Software Engineering