Design of Semantics by Abstract Interpretation (1)

Patrick COUSOT
École Normale Supérieure
DMI, 45, rue d'Ulm
75230 Paris cedex 05
France
[email protected]
http://www.dmi.ens.fr/~cousot

MPI-Kolloquium, Max-Planck-Institut für Informatik, Saarbrücken, Monday, 2 June 1997, 14:15

1 Extended version of the invited address at MFPS XIII, CMU, Pittsburgh, March 24, 1997

© P. Cousot, MPI-Kolloquium, Max-Planck-Institut für Informatik, Saarbrücken, 2 June 1997

Content

Application of abstract interpretation ideas to the design of formal semantics:
• Examples of abstract interpretations;
• Abstraction of fixpoint semantics;
-- Maximal trace semantics of nondeterministic transition systems;
-- Abstraction of the trace into a natural/demoniac/angelic relational semantics;
-- Abstraction of the relational into a nondeterministic Plotkin/Smyth/Hoare denotational/functional semantics;
-- Abstraction of the natural/demoniac relational into a deterministic denotational/functional semantics; Scott's semantics;
-- Abstraction of nondeterministic to weakest precondition/strongest postcondition predicate transformer semantics;
-- Abstraction of predicate transformer semantics to à la Hoare axiomatic semantics;
• Program proof methods;
• Extension to the λ-calculus.

Examples of Abstract Interpretations

Applications of Abstract Interpretation

• Mainly used for specifying program analyzers constructively derived from a formal semantics;
• Such analyzers can be used to statically and fully automatically determine run-time properties of programs;
• Such run-time information can be used in complement to classical program provers, model-checkers, … for program verification (abstract debugging, …) and transformation (optimization, partial evaluation, parallelization, …);
• We will show that abstract interpretation can be used to relate and design program semantics (and program proof methods).

… by Abstract Interpretation

• (Bit-vector) data flow analysis;
• Strictness analysis and comportment analysis (generalizing strictness, termination, projection and PER analysis);
• Binding time analysis;
• Pointer analysis;
• Set/grammar-based analysis;
• Data dependence analysis (e.g. for vectorization/parallelization);
• Descriptive/soft and prescriptive (polymorphic) typing and type inference;
• Effect systems;
• …

Approximation

• The central idea of abstract interpretation (2, 3) is that of approximation;
• A program analyzer computes a finite approximation of the infinite set of possible run-time behaviors of the program for all possible execution environments (inputs, interrupts, …);
• A program semantics specifies an approximation of the run-time program behaviors in all possible execution environments, abstracting away from implementation details.

2 P. Cousot and R. Cousot. Abstract interpretation: a unified model for static analysis of programs by construction or approximation of fixpoints. In Conference Record of the Fourth Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 238–252, Los Angeles, California, 1977. ACM Press, New York, New York, USA.
3 P. Cousot and R. Cousot. Systematic design of program analysis frameworks. In Conference Record of the Sixth Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 269–282, San Antonio, Texas, 1979. ACM Press, New York, New York, USA.

Program Debugging by Abstract Interpretation

• Syntox (4, 5) by François Bourdoncle: interval analysis for Pascal programs;
• For abstract debugging, the user can provide:
-- Invariant assertions: {% … %},
-- Intermittent assertions: {% … ? %} (termination is required by {% true ? %} before the final end.);
• At each program point the analysis provides, for each numerical variable v, a corresponding invariant interval assertion (v ∈ [l..h]). A star (*) on one of the bounds (first: First Condition, next: », previous: «) indicates a necessary condition in the form of a run-time check to be inserted in the program for the user assertions to be satisfied. A sharp # indicates a possible overflow.

4 F. Bourdoncle. Abstract Debugging of Higher-Order Imperative Languages. Proc. PLDI'93, ACM Press, 1993, pp. 46–55.
5 http://www.ensmp.fr/~bourdonc/syntox.tar.Z

Examples of independent numerical abstractions

• Signs (6): $x > 0 \wedge y > 0$
• Intervals (7): $1 \le x \le 5 \wedge 1 \le y \le 4$
• Arithmetic congruences (8): $x = 1 \bmod 2 \wedge y = 0 \bmod 2$
• Interval congruences (9): $x \in [0, 2] \bmod 4 \wedge y \in [0, 1] \bmod 3$

Examples of relational numerical abstractions

• Linear equalities (10): $3x + 4y = 1 \wedge$ (second conjunct lost in the extraction)
• Simple sections (11): $1 \le x \le 5 \wedge 1 \le y \le 4 \wedge 3 \le x + y \le 7$
• Linear inequalities (12): $3x + y \ge 7 \wedge 2x + y \le 11 \wedge y \ge 1 \wedge x + 3y \le 13$
• Linear congruences (13): $2x + y = 1 \bmod 2 \wedge y = 0 \bmod 2$
• Trapezoidal congruences (14, 15) (figure not recoverable from the extraction)

6 P. Cousot and R. Cousot. Systematic design of program analysis frameworks. In 6th POPL, pages 269–282, San Antonio, Texas, 1979. ACM Press.
7 P. Cousot and R. Cousot. Static determination of dynamic properties of programs. In Proc. 2nd International Symposium on Programming, pages 106–130. Dunod, 1976.
8 P. Granger. Static analysis of arithmetical congruences. Int. J. of Comp. Math., 30:165–190, 1989.
9 F. Masdupuy. Semantic analysis of interval congruences. In D. Bjørner, M. Broy, and I.V. Pottosin, editors, Proc. FMPA, Academgorodok, Novosibirsk, Russia, LNCS 735, pages 142–155. Springer-Verlag, June 28–July 2, 1993.
10 M. Karr. Affine relationships among variables of a program. Acta Inf., 6:133–151, 1976.
11 V. Balasundaram and K. Kennedy. A technique for summarizing data access and its use in parallelism enhancing transformations. In SIGPLAN'89 PLDI, pages 41–53, Portland, Ore., June 21–23, 1989.
12 P. Cousot and N. Halbwachs. Automatic discovery of linear restraints among variables of a program. In 5th POPL, pages 84–97, Tucson, Arizona, 1978. ACM Press.
13 P. Granger. Static analysis of linear congruence equalities among variables of a program. In S. Abramsky and T.S.E. Maibaum, editors, TAPSOFT'91, Proc. Int. Joint Conf. on Theory and Practice of Software Development, Brighton, U.K., Volume 1 (CAAP'91), LNCS 493, pages 169–192. Springer-Verlag, 1991.
14 F. Masdupuy. Using abstract interpretation to detect array data dependencies. In Proc. International Symposium on Supercomputing, pages 19–27, Fukuoka, Japan, Nov. 1991. Kyushu U. Press.
15 F. Masdupuy. Array operations abstraction using semantic analysis of trapezoid congruences. In Proc. ACM International Conference on Supercomputing, ICS'92, pages 226–235, Washington D.C., July 1992.

Abstraction of Fixpoint Semantics

Fixpoint Semantics Specification

• Semantic domain $\langle D, \sqsubseteq, \bot, \sqcup\rangle$:
-- $\langle D, \sqsubseteq\rangle$ poset,
-- infimum $\bot$,
-- (partially defined) least upper bound $\sqcup$;
• Total monotone semantic transformer $F \in D \overset{m}{\longmapsto} D$;
• The iterates of $F$ from $\bot$ are assumed to be well-defined: $F^0 = \bot$, $F^{\delta+1} = F(F^\delta)$ and $F^\lambda = \bigsqcup_{\delta<\lambda} F^\delta$, $\lambda$ limit ordinal;
• The semantics is $S = \mathrm{lfp}^{\sqsubseteq}_{\bot} F = F^{\epsilon}$ where $\epsilon$ is the order of the iterates (i.e. the least ordinal such that $F(F^{\epsilon}) = F^{\epsilon}$).

Benefits of a Fixpoint Presentation of the Semantics

• Many other equivalent possible presentations (16):
-- equational,
-- constraint,
-- closure condition,
-- rule-based,
-- game-theoretic;
• By approximation, fixpoints directly lead to iterative program analysis algorithms (17, 18);
• Fixpoint presentation of the semantics is not always possible (without further refinement of the semantic domain).

16 P. Cousot and R. Cousot. Compositional and inductive semantic definitions in fixpoint, equational, constraint, closure-condition, rule-based and game-theoretic form, invited paper. In P. Wolper, ed., Proc. 7th Int. Conf. on Computer Aided Verification, CAV '95, LNCS 939, pp. 293–308. Springer-Verlag, 3–5 July 1995.
17 P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Conference Record of the Fourth Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 238–252, Los Angeles, California, 1977. ACM Press, New York, New York, USA.
18 P. Cousot and R. Cousot. Systematic design of program analysis frameworks. In Conference Record of the Sixth Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 269–282, San Antonio, Texas, 1979. ACM Press, New York, New York, USA.

• Fixpoints directly lead to proof methods, e.g.:
-- Scott induction: $P(\bot) \wedge \forall X: P(X) \Rightarrow P(F(X)) \wedge P \text{ admissible} \Rightarrow P(\mathrm{lfp}_{\bot} F)$ (with the hypotheses of Kleene's fixpoint theorem);
-- Park induction: $\mathrm{lfp}_{\bot} F \sqsubseteq P \iff \exists I: F(I) \sqsubseteq I \wedge I \sqsubseteq P$ (with the hypotheses of Tarski's fixpoint theorem).

Abstraction of Fixpoint Semantics

• Concrete semantics: fixpoint semantics:
-- $\langle D^\flat, \sqsubseteq^\flat\rangle$ concrete semantic domain,
-- $S[\![\tau]\!] \in D^\flat$ concrete semantics of $\tau$, $S[\![\tau]\!] = \mathrm{lfp}^{\sqsubseteq^\flat}_{\bot^\flat} F^\flat$ where $F^\flat \in D^\flat \overset{m}{\longmapsto} D^\flat$ is $\sqsubseteq^\flat$-monotonic;
• Abstraction function: $\alpha \in D^\flat \longmapsto D^\sharp$;
• Abstract semantics: fixpoint semantics:
-- $D^\sharp$ abstract semantic domain,
-- $S^\sharp[\![\tau]\!] = \alpha(S[\![\tau]\!]) \in D^\sharp$ abstract semantics of $\tau$;
• Fixpoint characterization problem:
-- Find $\sqsubseteq^\sharp$ and $F^\sharp \in D^\sharp \overset{m}{\longmapsto} D^\sharp$, $\sqsubseteq^\sharp$-monotonic, such that: $\alpha(\mathrm{lfp}^{\sqsubseteq^\flat}_{\bot^\flat} F^\flat) = \mathrm{lfp}^{\sqsubseteq^\sharp}_{\bot^\sharp} F^\sharp$.

Kleene Fixpoint Transfer Theorem

If $\langle D^\flat, F^\flat\rangle$ and $\langle D^\sharp, F^\sharp\rangle$ are semantic specifications and
-- $\alpha(\bot^\flat) = \bot^\sharp$,
-- $F^\sharp \circ \alpha = \alpha \circ F^\flat$,
-- for all $\sqsubseteq^\flat$-increasing chains $\langle X_\kappa\rangle_\kappa$: $\alpha(\bigsqcup^\flat_\kappa X_\kappa) = \bigsqcup^\sharp_\kappa \alpha(X_\kappa)$,
then $\alpha(\mathrm{lfp}^{\sqsubseteq^\flat}_{\bot^\flat} F^\flat) = \mathrm{lfp}^{\sqsubseteq^\sharp}_{\bot^\sharp} F^\sharp$.

Note: the condition $F^\sharp \circ \alpha = \alpha \circ F^\flat$ provides guidelines for designing $F^\sharp$ when knowing $F^\flat$ and $\alpha$.

Convergence

The convergence of the abstract iterates for $F^\sharp$ (at $\epsilon'$) is at least as fast as the convergence of the concrete iterates for $F^\flat$ (at $\epsilon$), i.e. $\epsilon' \le \epsilon$.

Proof
$F^\flat(X^\flat_\epsilon) = X^\flat_\epsilon$ (hypothesis)
$\Rightarrow \alpha(F^\flat(X^\flat_\epsilon)) = \alpha(X^\flat_\epsilon)$
$\Rightarrow F^\sharp(\alpha(X^\flat_\epsilon)) = \alpha(X^\flat_\epsilon)$ since $F^\sharp \circ \alpha = \alpha \circ F^\flat$
$\Rightarrow F^\sharp(X^\sharp_\epsilon) = X^\sharp_\epsilon$ since $X^\sharp_\epsilon = \alpha(X^\flat_\epsilon)$
$\Rightarrow \epsilon' \le \epsilon$. $\Box$

Sketch of Proof of Kleene Fixpoint Transfer Theorem

(Diagram of the concrete and abstract iterates; not recoverable from the extraction.)

Abstraction function

• An important particular case of abstraction function $\alpha \in \langle D^\flat, \sqsubseteq^\flat\rangle \longmapsto \langle D^\sharp, \sqsubseteq^\sharp\rangle$ is when $\alpha$ preserves existing lubs:
$\alpha\bigl(\bigsqcup^\flat_{i} x_i\bigr) = \bigsqcup^\sharp_{i} \alpha(x_i)$
• In this case there exists a unique $\gamma \in \langle D^\sharp, \sqsubseteq^\sharp\rangle \longmapsto \langle D^\flat, \sqsubseteq^\flat\rangle$ such that the pair $\langle\alpha, \gamma\rangle$ is a Galois connection.

Galois Connection

Given posets $\langle D^\flat, \sqsubseteq^\flat\rangle$ and $\langle D^\sharp, \sqsubseteq^\sharp\rangle$, a Galois connection is a pair of maps $\alpha \in D^\flat \longmapsto D^\sharp$, $\gamma \in D^\sharp \longmapsto D^\flat$ such that:
$\forall x \in D^\flat: \forall y \in D^\sharp: \alpha(x) \sqsubseteq^\sharp y \iff x \sqsubseteq^\flat \gamma(y)$
in which case we write: $\langle D^\flat, \sqsubseteq^\flat\rangle \underset{\alpha}{\overset{\gamma}{\rightleftarrows}} \langle D^\sharp, \sqsubseteq^\sharp\rangle$.
If $\alpha$ is surjective then we have a Galois insertion (written with a two-headed arrow for $\alpha$).

Tarski Fixpoint Transfer Theorem

If $\langle D^\flat, \sqsubseteq^\flat, \bot^\flat, \sqcup^\flat\rangle$ and $\langle D^\sharp, \sqsubseteq^\sharp, \bot^\sharp, \sqcup^\sharp\rangle$ are complete lattices, $F^\flat \in D^\flat \overset{m}{\longmapsto} D^\flat$, $F^\sharp \in D^\sharp \overset{m}{\longmapsto} D^\sharp$ are monotonic and $\alpha \in D^\flat \longmapsto D^\sharp$ satisfies
(a) $\alpha$ is a complete $\sqcap$-morphism,
(b) $F^\sharp \circ \alpha \sqsubseteq^\sharp \alpha \circ F^\flat$,
(c) $\forall y \in D^\sharp: F^\sharp(y) \sqsubseteq^\sharp y \Rightarrow \exists x \in D^\flat: \alpha(x) = y \wedge F^\flat(x) \sqsubseteq^\flat x$,
then $\alpha(\mathrm{lfp}^{\sqsubseteq^\flat}_{\bot^\flat} F^\flat) = \mathrm{lfp}^{\sqsubseteq^\sharp}_{\bot^\sharp} F^\sharp$.

Example of Galois Connection: Elementwise Abstraction

If
-- $@ \in D^\flat \longmapsto D^\sharp$,
-- $\alpha \in \wp(D^\flat) \longmapsto \wp(D^\sharp)$, $\alpha(X) \triangleq \{@(x) \mid x \in X\}$,
-- $\gamma \in \wp(D^\sharp) \longmapsto \wp(D^\flat)$, $\gamma(Y) \triangleq \{x \mid @(x) \in Y\}$,
then $\langle \wp(D^\flat), \subseteq\rangle \underset{\alpha}{\overset{\gamma}{\rightleftarrows}} \langle \wp(D^\sharp), \subseteq\rangle$.
If $@$ is surjective then so is $\alpha$.

Proof
$\alpha(X) \subseteq Y \iff \{@(x) \mid x \in X\} \subseteq Y \iff \forall x \in X: @(x) \in Y \iff X \subseteq \{x \mid @(x) \in Y\} \iff X \subseteq \gamma(Y)$. $\Box$

Proof (of the Tarski fixpoint transfer theorem)
(d) $F^\flat(x) \sqsubseteq^\flat x$
$\Rightarrow \alpha \circ F^\flat(x) \sqsubseteq^\sharp \alpha(x)$ since $\alpha$ is monotonic by (a)
$\Rightarrow F^\sharp \circ \alpha(x) \sqsubseteq^\sharp \alpha(x)$ by (b)
(e) $\{\alpha(x) \mid F^\flat(x) \sqsubseteq^\flat x\} = \{y \mid F^\sharp(y) \sqsubseteq^\sharp y\}$ by (c) and (d)
(f) $\sqcap^\sharp\{\alpha(x) \mid F^\flat(x) \sqsubseteq^\flat x\} = \sqcap^\sharp\{y \mid F^\sharp(y) \sqsubseteq^\sharp y\}$ by (e)
$\Rightarrow \alpha(\sqcap^\flat\{x \mid F^\flat(x) \sqsubseteq^\flat x\}) = \sqcap^\sharp\{y \mid F^\sharp(y) \sqsubseteq^\sharp y\}$ by (a)
$\Rightarrow \alpha(\mathrm{lfp}^{\sqsubseteq^\flat}_{\bot^\flat} F^\flat) = \mathrm{lfp}^{\sqsubseteq^\sharp}_{\bot^\sharp} F^\sharp$ by Tarski's fixpoint theorem. $\Box$
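The elementwise abstraction above can be checked exhaustively on a finite instance. The following is an added example, not code from the slides: the map @ is the sign abstraction of the "independent numerical abstractions" slide, the concrete domain is a small constructed set of integers, and every pair of subsets is enumerated to verify the Galois-connection law α(X) ⊆ Y ⟺ X ⊆ γ(Y), lub preservation, and the insertion property that follows from @ being surjective.

```python
"""Elementwise abstraction as a Galois connection, checked exhaustively.

Added example (not from the slides). The map `sign` plays the role of @ in
the slide; D_FLAT is a constructed finite concrete domain so that all
subsets X of D_FLAT and Y of D_SHARP can be enumerated.
"""
from itertools import combinations

D_FLAT = frozenset(range(-3, 4))        # constructed concrete domain D^flat
D_SHARP = frozenset({"-", "0", "+"})     # abstract domain D^sharp (signs)


def sign(x: int) -> str:
    """The elementwise map @ : D^flat -> D^sharp (sign abstraction)."""
    return "-" if x < 0 else ("0" if x == 0 else "+")


def alpha(X: frozenset) -> frozenset:
    """alpha(X) = { @(x) | x in X }"""
    return frozenset(sign(x) for x in X)


def gamma(Y: frozenset) -> frozenset:
    """gamma(Y) = { x | @(x) in Y }"""
    return frozenset(x for x in D_FLAT if sign(x) in Y)


def powerset(S):
    """All subsets of S, as frozensets."""
    S = list(S)
    for k in range(len(S) + 1):
        for c in combinations(S, k):
            yield frozenset(c)


def is_galois_connection() -> bool:
    """alpha(X) <= Y  iff  X <= gamma(Y), for every X in P(D_FLAT), Y in P(D_SHARP)."""
    return all((alpha(X) <= Y) == (X <= gamma(Y))
               for X in powerset(D_FLAT) for Y in powerset(D_SHARP))


def preserves_unions() -> bool:
    """alpha is a complete union-morphism: alpha(X1 | X2) == alpha(X1) | alpha(X2)."""
    return all(alpha(X1 | X2) == alpha(X1) | alpha(X2)
               for X1 in powerset(D_FLAT) for X2 in powerset(D_FLAT))


def is_insertion() -> bool:
    """@ is surjective here, so alpha is surjective and alpha(gamma(Y)) == Y."""
    return all(alpha(gamma(Y)) == Y for Y in powerset(D_SHARP))


if __name__ == "__main__":
    print("Galois connection:", is_galois_connection())
    print("alpha preserves unions:", preserves_unions())
    print("Galois insertion:", is_insertion())
    print("alpha({-2, 3}) =", sorted(alpha(frozenset({-2, 3}))))
    print("gamma({'0'}) =", sorted(gamma(frozenset({"0"}))))
```

The union check is exactly the "preserves existing lubs" condition of the previous slide, which is what guarantees that a unique γ exists; here γ is written out explicitly and the law is confirmed on all 128 × 8 pairs.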

Sequences

Trace semantics of length $n$.

Finite Sequences

• $A$ non-empty alphabet;
• $\vec{A}^0 \triangleq \{\vec\epsilon\}$, $\vec\epsilon$ the empty sequence;
• $\vec{A}^n \triangleq [0, n-1] \longmapsto A$ when $n > 0$: finite sequences (of length $n$);
• $\mathbb{N}^+ \triangleq \{n \in \mathbb{N} \mid n > 0\}$ positive naturals;
• $\vec{A}^+ \triangleq \bigcup_{n \in \mathbb{N}^+} \vec{A}^n$ non-empty finite sequences;
• $\vec{A}^* \triangleq \vec{A}^+ \cup \{\vec\epsilon\}$ finite sequences;
• The length of a finite sequence $\sigma \in \vec{A}^n$ is $|\sigma| = n$.

Transition System

• A transition system is a pair $\langle\Sigma, \tau\rangle$ where:
-- $\Sigma$ is a (non-empty) set of states,
-- (we could also consider actions as in process algebra),
-- $\tau \subseteq \Sigma \times \Sigma$ is the binary transition relation between a state and its possible successors;
• We write $s\,\tau\,s'$ or $\tau(s, s')$ for $\langle s, s'\rangle \in \tau$, using the isomorphism $\wp(\Sigma \times \Sigma) \cong (\Sigma \times \Sigma) \longmapsto \mathbb{B}$;
• $\mathbb{B} \triangleq \{\mathit{tt}, \mathit{ff}\}$ is the set of boolean values;
• $\check\tau \triangleq \{s \in \Sigma \mid \forall s' \in \Sigma: \neg(s\,\tau\,s')\}$ is the set of final/blocking states.

Infinite Sequences

• $\vec{A}^\omega \triangleq \mathbb{N} \longmapsto A$ infinite sequences;
• $\vec{A}^\infty \triangleq \vec{A}^* \cup \vec{A}^\omega$ sequences;
• $\vec{A}^\propto \triangleq \vec{A}^+ \cup \vec{A}^\omega$ non-empty sequences;
• The length of an infinite sequence $\sigma \in \vec{A}^\omega$ is $|\sigma| = \omega$.

Junction of Finite Sequences

• Joinable non-empty finite sequences:
$\alpha_0 \ldots \alpha_{\ell-1} \frown^{?} \beta_0 \ldots \beta_{m-1}$ iff $\alpha_{\ell-1} = \beta_0$
• Their join is:
$\alpha_0 \ldots \alpha_{\ell-1} \frown \beta_0 \ldots \beta_{m-1} \triangleq \alpha_0 \ldots \alpha_{\ell-1}\, \beta_1 \ldots \beta_{m-1}$

Junction of Infinitary Sequences

• Joinable infinitary sequences:
$\alpha_0 \ldots \alpha_\ell \ldots \frown^{?} \beta_0 \ldots \beta_{m-1}$ is true
$\alpha_0 \ldots \alpha_\ell \ldots \frown^{?} \beta_0 \ldots \beta_m \ldots$ is true
$\alpha_0 \ldots \alpha_{\ell-1} \frown^{?} \beta_0 \ldots \beta_m \ldots$ iff $\alpha_{\ell-1} = \beta_0$
• Their join is:
$\alpha_0 \ldots \alpha_\ell \ldots \frown \beta_0 \ldots \beta_{m-1} \triangleq \alpha_0 \ldots \alpha_\ell \ldots$
$\alpha_0 \ldots \alpha_\ell \ldots \frown \beta_0 \ldots \beta_m \ldots \triangleq \alpha_0 \ldots \alpha_\ell \ldots$
$\alpha_0 \ldots \alpha_{\ell-1} \frown \beta_0 \ldots \beta_m \ldots \triangleq \alpha_0 \ldots \alpha_{\ell-1}\, \beta_1 \ldots \beta_m \ldots$

Junction of Sets of Sequences

• For sets $A$ and $B \in \wp(\vec{A}^\propto)$ of non-empty sequences, we have:
-- $A \frown B \triangleq \{\alpha \frown \beta \mid \alpha \in A \wedge \beta \in B \wedge \alpha \frown^{?} \beta\}$ (junction);
-- $A \frown \bigl(\bigcup_i B_i\bigr) = \bigcup_i (A \frown B_i)$ and $\bigl(\bigcup_i A_i\bigr) \frown B = \bigcup_i (A_i \frown B)$.
• Not co-continuous on $\wp(\vec{A}^\propto)$! Counter-example ($A = \{a\}$):
-- $A = \{a^\omega\}$,
-- $B_n = \{a^\ell \mid \ell \in \mathbb{N} \wedge \ell > n\}$, $n \in \mathbb{N}$, is a $\subseteq$-decreasing chain,
-- $A \frown \bigl(\bigcap_{n \in \mathbb{N}} B_n\bigr) = \emptyset$ and $\bigcap_{n \in \mathbb{N}} (A \frown B_n) = \{a^\omega\}$.

Trace Semantics

• $\langle\Sigma, \tau\rangle$ transition system;
• $\vec\tau^n \triangleq \{\sigma \in \vec\Sigma^n \mid$ (definition cut off in the extraction)

Sketch of Proof of $\mathrm{lfp}^{\subseteq}_{\emptyset} \vec F^+ = \bigcup_{i \in \mathbb{N}^+} \vec\tau^i = \vec\tau^+$

(Proof body not recoverable from the extraction.)

Fixpoint Characterization of $\vec\tau^+$ (finite complete execution traces)

$\vec\tau^+ = \mathrm{lfp}^{\subseteq}_{\emptyset} \vec F^+$
where the set of finite traces transformer $\vec F^+$ is:
$\vec F^+(X) \triangleq \vec{\check\tau}^{1} \cup \vec\tau^2 \frown X$

Note: $\vec F^+$ is a complete $\cup$-morphism: $\bigcup_i \vec F^+(X_i) = \vec F^+(\bigcup_i X_i)$.

Fixpoint Characterization of $\vec\tau^\omega$ (infinite execution traces)

$\vec\tau^\omega = \mathrm{gfp}^{\subseteq}_{\vec\Sigma^\omega} \vec F^\omega$
where the set of infinite traces transformer $\vec F^\omega$ is:
$\vec F^\omega(X) \triangleq \vec\tau^2 \frown X$

Note: $\vec F^\omega$ is a complete $\cap$-morphism: $\bigcap_i \vec F^\omega(X_i) = \vec F^\omega(\bigcap_i X_i)$.

Sketch of Proof of $\mathrm{gfp}^{\subseteq}_{\vec\Sigma^\omega} \vec F^\omega = \bigcap_{n \in \mathbb{N}} \vec\tau^n \frown \vec\Sigma^\omega = \vec\tau^\omega$

(Proof body not recoverable from the extraction.)

(Trivial) bi-fixpoint theorem

If
• $\langle\vec\Sigma^+, \vec\Sigma^\omega\rangle$ is a partition of $\vec\Sigma^\infty$;
• $\langle\wp(\vec\Sigma^+), \vec\sqsubseteq^+, \vec\bot^+, \vec\sqcup^+\rangle$ (resp. $\langle\wp(\vec\Sigma^\omega), \vec\sqsubseteq^\omega, \vec\bot^\omega, \vec\sqcup^\omega\rangle$) is a complete lattice (resp. cpo);
• $\vec F^+ \in \wp(\vec\Sigma^+) \overset{m}{\longmapsto} \wp(\vec\Sigma^+)$ (resp. $\vec F^\omega \in \wp(\vec\Sigma^\omega) \overset{m}{\longmapsto} \wp(\vec\Sigma^\omega)$) is monotonic (resp. continuous, a complete join morphism);
• $X^+ \triangleq X \cap \vec\Sigma^+$, $X^\omega \triangleq X \cap \vec\Sigma^\omega$;
• $\vec F^\infty(X) \triangleq \vec F^+(X^+) \cup \vec F^\omega(X^\omega)$;
• $X \,\vec\sqsubseteq^\infty\, Y \triangleq X^+ \,\vec\sqsubseteq^+\, Y^+ \wedge X^\omega \,\vec\sqsubseteq^\omega\, Y^\omega$;
• $\vec\bot^\infty \triangleq \vec\bot^+ \cup \vec\bot^\omega$;
• $\bigsqcup^{\infty}_i X_i \triangleq \bigsqcup^{+}_i X_i^+ \cup \bigsqcup^{\omega}_i X_i^\omega$;
then:
• $\langle\wp(\vec\Sigma^\infty), \vec\sqsubseteq^\infty, \vec\bot^\infty, \vec\sqcup^\infty\rangle$ is a complete lattice (resp. cpo);
• $\vec F^\infty$ is monotonic (resp. continuous, a complete join morphism);
• $\mathrm{lfp}^{\vec\sqsubseteq^\infty}_{\vec\bot^\infty} \vec F^\infty = \mathrm{lfp}^{\vec\sqsubseteq^+}_{\vec\bot^+} \vec F^+ \cup \mathrm{lfp}^{\vec\sqsubseteq^\omega}_{\vec\bot^\omega} \vec F^\omega$.

Approximation and Computational Orderings

• $\langle\wp(\vec\Sigma^\infty), \vec\sqsubseteq^\infty, \vec\bot^\infty, \vec\sqcup^\infty\rangle$ is a complete lattice (or cpo) for the computational ordering $\vec\sqsubseteq^\infty$;
• $\langle\wp(\vec\Sigma^\infty), \subseteq, \emptyset, \cup\rangle$ is a complete lattice for the approximation ordering $\subseteq$ (logical implication);
• Sometimes further abstractions identify $\vec\sqsubseteq^\infty$ and $\subseteq$ (e.g. strictness analysis).

Fixpoint Characterization of $\vec\tau^\infty$ (complete execution traces)

$\vec\tau^\infty = \vec\tau^+ \cup \vec\tau^\omega = \mathrm{lfp}^{\subseteq}_{\emptyset} \vec F^+ \cup \mathrm{lfp}^{\supseteq}_{\vec\Sigma^\omega} \vec F^\omega = \mathrm{lfp}^{\vec\sqsubseteq^\infty}_{\vec\bot^\infty} \vec F^\infty$
by the bifixpoint theorem, where the set of complete traces transformer $\vec F^\infty$ is:
$\vec F^\infty(X) \triangleq \vec{\check\tau}^{1} \cup \vec\tau^2 \frown X$

Proof
$\vec F^\infty(X) \triangleq \vec F^+(X^+) \cup \vec F^\omega(X^\omega)$
$= \vec{\check\tau}^{1} \cup \vec\tau^2 \frown X^+ \cup \vec\tau^2 \frown X^\omega$
$= \vec{\check\tau}^{1} \cup \vec\tau^2 \frown (X^+ \cup X^\omega)$
$= \vec{\check\tau}^{1} \cup \vec\tau^2 \frown X$. $\Box$

Scott's thesis (slightly revisited)

The semantics of a program can be expressed as the least fixpoint of a continuous operator (even in presence of unbounded nondeterminism), for a sufficiently refined semantic domain.

Continuity of the trace transformer $\vec F^\infty$

Unbounded non-determinism does not imply absence of continuity of the transformer of the fixpoint semantics:

Proof
$\bigsqcup^{\infty}_i \vec F^\infty(X_i) = \bigsqcup^{\infty}_i \bigl(\vec{\check\tau}^{1} \cup \vec\tau^2 \frown X_i\bigr)$
$= \bigl(\vec{\check\tau}^{1} \cup \vec\tau^2 \frown \bigcup_i X_i^+\bigr) \cup \bigl(\vec\tau^2 \frown \bigcap_i X_i^\omega\bigr)$
$= \vec{\check\tau}^{1} \cup \vec\tau^2 \frown \bigl(\bigcup_i X_i^+ \cup \bigcap_i X_i^\omega\bigr)$
$= \vec F^\infty\bigl(\bigsqcup^{\infty}_i X_i\bigr)$. $\Box$

Transition Versus Trace Semantics

Maximal Trace Semantics/Transition Semantics

The transition/small-step operational semantics is an abstraction of the maximal trace semantics:
$\tau = \alpha^\tau(\vec\tau^\infty)$
where
• the abstraction collects possible transitions: $\alpha^\tau(T) \triangleq \{\langle s, s'\rangle \mid \exists \sigma \in \vec\Sigma^*: \exists \sigma' \in \vec\Sigma^\propto: \sigma \cdot s \cdot s' \cdot \sigma' \in T\}$;
• the concretization builds maximal execution traces: $\gamma^\tau(t) \triangleq \vec{t}^{\,\infty}$;
• $\langle\wp(\vec\Sigma^\infty), \subseteq\rangle \underset{\alpha^\tau}{\overset{\gamma^\tau}{\rightleftarrows}} \langle\wp(\Sigma \times \Sigma), \subseteq\rangle$ is a Galois insertion.

Relational Semantics

The Transition Abstraction is Approximate

In general: $T \subsetneq \gamma^\tau(\alpha^\tau(T))$. Counter-example:
-- set of fair traces $T = \{a^n b \mid n \in \mathbb{N}\}$;
-- $\alpha^\tau(T) = \{\langle a, a\rangle, \langle a, b\rangle\}$;
-- $\gamma^\tau(\alpha^\tau(T)) = \{a^n b \mid n \in \mathbb{N}\} \cup \{a^\omega\}$ is unfair for $b$.

Finite Relational Abstraction

Replace finite execution traces $\sigma_0 \sigma_1 \ldots \sigma_{n-1}$ by their initial/final states $\langle\sigma_0, \sigma_{n-1}\rangle$:
• $@^+ \in \vec\Sigma^+ \longmapsto (\Sigma \times \Sigma)$, $@^+(\sigma) \triangleq \langle\sigma_0, \sigma_{n-1}\rangle$, $n \in \mathbb{N}^+$, $\sigma \in \vec\Sigma^n$;
• $\alpha^+(X) \triangleq \{@^+(\sigma) \mid \sigma \in X\}$;
• $\gamma^+(Y) \triangleq \{\sigma \mid @^+(\sigma) \in Y\}$;
• $\langle\wp(\vec\Sigma^+), \subseteq\rangle \underset{\alpha^+}{\overset{\gamma^+}{\rightleftarrows}} \langle\wp(\Sigma \times \Sigma), \subseteq\rangle$ is a Galois insertion.

Finitary Relational Semantics of a Transition System $\langle\Sigma, \tau\rangle$

• Finitary relational / big-step operational / natural semantics:
$\tau^+ \triangleq \alpha^+(\vec\tau^+) = \alpha^+(\mathrm{lfp}^{\subseteq}_{\emptyset} \vec F^+)$
• Fixpoint characterization:
$\tau^+ = \mathrm{lfp}^{\subseteq}_{\emptyset} F^+$
$F^+(X) \triangleq \check\tau \cup \tau \circ X$
$\check\tau \triangleq \{\langle s, s\rangle \mid s \in \Sigma \wedge \forall s' \in \Sigma: \neg(s\,\tau\,s')\}$

• $\alpha^+$ is a $\cap$-morphism but not co-continuous, hence not a complete $\cap$-morphism.

Proof
-- $X^k = \{a^n b \mid n \ge k\}$;
-- $\langle X^k, k \in \mathbb{N}^+\rangle$ is $\subseteq$-decreasing;
-- $\bigcap_{k \in \mathbb{N}^+} \alpha^+(X^k) = \bigcap_{k \in \mathbb{N}^+} \{\langle a, b\rangle\} = \{\langle a, b\rangle\}$;
-- $\bigcap_{k \in \mathbb{N}^+} X^k = \emptyset$ since $a^n b \in \bigcap_{k \in \mathbb{N}^+} X^k$ for $n \in \mathbb{N}$ is in contradiction with $a^n b \notin X^{n+1}$;
-- $\alpha^+(\bigcap_{k \in \mathbb{N}^+} X^k) = \alpha^+(\emptyset) = \emptyset$. $\Box$

It follows that Tarski fixpoint transfer would not have been applicable.
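The two fixpoint characterizations above (finite maximal traces as lfp of F⃗⁺, and the finitary relational semantics as lfp of F⁺ with F⁺(X) = τ̌ ∪ τ∘X) can be computed side by side on a small system and compared through α⁺, which is exactly the conclusion of the Kleene fixpoint transfer used on these slides. The following is an added example, not code from the slides: the transition system is constructed and acyclic, so the set of finite maximal traces is finite and the trace iteration terminates (with a cycle, the trace iterates would grow forever while the relational iteration still converges); `alpha_tau` additionally recovers the small-step relation from the traces as in the "Maximal Trace Semantics/Transition Semantics" slide.

```python
"""Finite maximal traces, the finitary relational semantics, and alpha^+.

Added example (not from the slides). Traces are tuples of states; relations
and trace sets are frozensets. The transition system is constructed.
"""

SIGMA = frozenset({0, 1, 2, 3})
# Constructed, acyclic: 0->1, 0->2, 1->3, 2->3, 2->1; state 3 is blocking.
TAU = frozenset({(0, 1), (0, 2), (1, 3), (2, 3), (2, 1)})


def lfp(f, bottom):
    """Kleene iteration from `bottom` until f(x) == x (finite ascending chain)."""
    x = bottom
    while True:
        y = f(x)
        if y == x:
            return x
        x = y


def blocking(sigma, tau):
    """tau_check: states without successor."""
    return frozenset(s for s in sigma if all(a != s for (a, _) in tau))


def F_trace(tau, sigma):
    """F+(X) = tau_check^1  U  tau^2 join X, on sets of finite traces.
    tau_check^1 = blocking states as length-1 traces, tau^2 = transitions as
    length-2 traces, join <a,b> with sigma when b == sigma[0]."""
    tau_check_1 = frozenset((s,) for s in blocking(sigma, tau))

    def f(X):
        joined = {(a,) + tr for (a, b) in tau for tr in X if tr[0] == b}
        return frozenset(tau_check_1 | joined)
    return f


def F_rel(tau, sigma):
    """F^+(X) = tau_check  U  tau o X, on relations over Sigma.
    tau o X = { <a,c> | exists b: a tau b and <b,c> in X }."""
    tau_check = frozenset((s, s) for s in blocking(sigma, tau))

    def f(X):
        composed = {(a, c) for (a, b) in tau for (b2, c) in X if b2 == b}
        return frozenset(tau_check | composed)
    return f


def alpha_plus(T):
    """alpha^+(T) = { <sigma_0, sigma_{n-1}> | sigma in T }"""
    return frozenset((tr[0], tr[-1]) for tr in T)


def alpha_tau(T):
    """alpha^tau(T): the transitions occurring inside the traces of T."""
    return frozenset((tr[i], tr[i + 1]) for tr in T for i in range(len(tr) - 1))


def maximal_finite_traces(tau, sigma):
    """lfp F+ from the empty set (terminates because the system is acyclic)."""
    return lfp(F_trace(tau, sigma), frozenset())


def finitary_relational_semantics(tau, sigma):
    """tau^+ = lfp F^+ from the empty relation (always terminates on finite Sigma)."""
    return lfp(F_rel(tau, sigma), frozenset())


def kleene_transfer_holds(tau, sigma):
    """alpha^+(lfp F+) == lfp F^+ : abstraction of the trace fixpoint is the
    relational fixpoint, computed independently."""
    return alpha_plus(maximal_finite_traces(tau, sigma)) == \
        finitary_relational_semantics(tau, sigma)


if __name__ == "__main__":
    traces = maximal_finite_traces(TAU, SIGMA)
    print("maximal finite traces:", sorted(traces))
    print("tau^+ (relational):   ", sorted(finitary_relational_semantics(TAU, SIGMA)))
    print("alpha^+ commutes with the fixpoints:", kleene_transfer_holds(TAU, SIGMA))
    print("alpha^tau recovers tau:", alpha_tau(traces) == TAU)
```

On this system the relational iteration stabilises one step earlier than the trace iteration, illustrating the "Convergence" slide (ε′ ≤ ε); on the fair-trace counter-example of the previous slide, by contrast, no finite trace set recovers the relation exactly.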

Proof (of the fixpoint characterization of $\tau^+$)
-- $\alpha^+(\emptyset) \triangleq \{@^+(\sigma) \mid \sigma \in \emptyset\} = \emptyset$;
-- $\alpha^+ \circ \vec F^+ = \lambda X\,\cdot\, \alpha^+(\vec{\check\tau}^{1} \cup \vec\tau^2 \frown X)$
$= \lambda X\,\cdot\, \alpha^+(\vec{\check\tau}^{1}) \cup \alpha^+(\vec\tau^2 \frown X)$
$= \lambda X\,\cdot\, \{\langle s, s\rangle \mid s \in \Sigma \wedge \forall s' \in \Sigma: \neg(s\,\tau\,s')\} \cup \alpha^+(\vec\tau^2 \frown X)$
$= \lambda X\,\cdot\, \check\tau \cup \alpha^+(\{\eta \frown \xi \mid \eta \in \vec\tau^2 \wedge \xi \in X \wedge \eta \frown^{?} \xi\})$
$= \lambda X\,\cdot\, \check\tau \cup \{\langle\eta_0, \xi_{n-1}\rangle \mid \eta_0\,\tau\,\xi_0 \wedge n \in \mathbb{N}^+ \wedge \xi \in X \cap \vec\Sigma^n\}$
$= \lambda X\,\cdot\, \check\tau \cup \{\langle s, s'\rangle \mid \exists s'': s\,\tau\,s'' \wedge \langle s'', s'\rangle \in \alpha^+(X)\}$
$= \lambda X\,\cdot\, \check\tau \cup \tau \circ \alpha^+(X)$
$= F^+ \circ \alpha^+$;
-- $\alpha^+$ is continuous (Galois connection);
-- $\tau^+ = \alpha^+(\mathrm{lfp}^{\subseteq}_{\emptyset} \vec F^+) = \mathrm{lfp}^{\subseteq}_{\emptyset} F^+$ by Kleene's fixpoint transfer theorem. $\Box$

Infinitary Relational Abstraction

Replace infinite execution traces $\sigma_0 \sigma_1 \ldots \sigma_n \ldots$ by their initial state $\langle\sigma_0, \bot\rangle$, marking non-termination by Scott's $\bot$:
• $@^\omega \in \vec\Sigma^\omega \longmapsto \Sigma \times \{\bot\}$ (19), $@^\omega(\sigma) \triangleq \langle\sigma_0, \bot\rangle$, $\sigma \in \vec\Sigma^\omega$ ($\bot$: non-termination notation);
• $\alpha^\omega(X) \triangleq \{@^\omega(\sigma) \mid \sigma \in X\}$;
• $\gamma^\omega(Y) \triangleq \{\sigma \mid @^\omega(\sigma) \in Y\}$;
• $\langle\wp(\vec\Sigma^\omega), \subseteq\rangle \underset{\alpha^\omega}{\overset{\gamma^\omega}{\rightleftarrows}} \langle\wp(\Sigma \times \{\bot\}), \subseteq\rangle$ is a Galois insertion.

19 or, isomorphically, $\alpha^\omega \in \wp(\vec\Sigma^\omega) \longmapsto \wp(\Sigma)$.

• $\alpha^\omega$ is a complete $\cup$-morphism (Galois connection, hence continuous) and a $\cap$-morphism but not co-continuous.

Proof
-- $X^k = \{a^n b^\omega \mid n \ge k\}$;
-- $\langle X^k, k \in \mathbb{N}^+\rangle$ is $\subseteq$-decreasing;
-- $\bigcap_{k \in \mathbb{N}^+} \alpha^\omega(X^k) = \bigcap_{k \in \mathbb{N}^+} \{\langle a, \bot\rangle\} = \{\langle a, \bot\rangle\}$;
-- $\bigcap_{k \in \mathbb{N}^+} X^k = \emptyset$ since $a^n b^\omega \in \bigcap_{k \in \mathbb{N}^+} X^k$ for $n \in \mathbb{N}^+$ is in contradiction with $a^n b^\omega \notin X^{n+1}$;
-- $\alpha^\omega(\bigcap_{k \in \mathbb{N}^+} X^k) = \alpha^\omega(\emptyset) = \emptyset$. $\Box$

It follows that Kleene dual fixpoint transfer does not apply.

Proof (Tarski fixpoint transfer for the infinitary part)
• $\alpha^\omega$ is a complete $\cup$-morphism (G.c.), hence a complete meet morphism for $\supseteq$.
• $\alpha^\omega \circ \vec F^\omega = \lambda X\,\cdot\, \alpha^\omega(\vec\tau^2 \frown X)$
$= \lambda X\,\cdot\, \{@^\omega(\eta \frown \xi) \mid \eta \in \vec\tau^2 \wedge \xi \in X \wedge \eta \frown^{?} \xi\}$
$= \lambda X\,\cdot\, \{\langle\eta_0, \bot\rangle \mid \eta_0\,\tau\,\xi_0 \wedge \xi \in X\}$
$= \lambda X\,\cdot\, \{\langle s, \bot\rangle \mid \exists s': s\,\tau\,s' \wedge \langle s', \bot\rangle \in \alpha^\omega(X)\}$
$= \lambda X\,\cdot\, \tau \circ \alpha^\omega(X)$
$= F^\omega \circ \alpha^\omega$
• We prove that $\forall Y \in \wp(\Sigma \times \{\bot\}): F^\omega(Y) \supseteq Y \Rightarrow \exists X \in \wp(\vec\Sigma^\omega): \alpha^\omega(X) = Y \wedge \vec F^\omega(X) \supseteq X$:
-- $X \triangleq \{\sigma \in \vec\tau^\omega \mid \forall i \in \mathbb{N}: \langle\sigma_i, \bot\rangle \in Y\}$;
-- We first prove that $\alpha^\omega(X) = Y$:
* $\alpha^\omega(X) \subseteq Y$ is obvious since $\sigma \in X$ implies $\langle\sigma_0, \bot\rangle \in Y$;
* $Y \subseteq \alpha^\omega(X)$:
(a) $Y \subseteq F^\omega(Y) = \tau \circ Y = \{\langle s, \bot\rangle \mid \exists s': s\,\tau\,s' \wedge \langle s', \bot\rangle \in Y\}$;
(b) If $\sigma_0 \ldots \sigma_n$ is such that $\sigma_i\,\tau\,\sigma_{i+1}$, $i < n$ (the remainder of the proof is cut off in the extraction).

Infinitary Relational Semantics of a Transition System $\langle\Sigma, \tau\rangle$

Example (unbounded nondeterminism):
• Transition system $\langle\Sigma, \tau\rangle$:
-- $\Sigma = \{s\} \cup \{s_{ij} \mid 0 \le j \le i\}$, the elements of $\Sigma$ being distinct two by two;
-- $\tau = \{\langle s, s_{ii}\rangle \mid i \ge 0\} \cup \{\langle s_{ij}, s_{i\,j-1}\rangle \mid 0 < j \le i\}$ (the rest of the slide is cut off in the extraction).

Bifinite relational abstraction:
• $\alpha^\infty \in \wp(\vec\Sigma^\infty) \longmapsto \wp(\Sigma \times \Sigma_\bot)$, $\Sigma_\bot \triangleq \Sigma \cup \{\bot\}$;
• $\alpha^\infty(X) \triangleq \alpha^+(X^+) \cup \alpha^\omega(X^\omega)$ (with $X^+ = X \cap \vec\Sigma^+$ and $X^\omega = X \cap \vec\Sigma^\omega$ for a set of traces); for a relation $X \in \wp(\Sigma \times \Sigma_\bot)$, $X^+ = X \cap (\Sigma \times \Sigma)$ and $X^\omega = X \cap (\Sigma \times \{\bot\})$;
• Bifinite relational semantics: $\tau^\infty \triangleq \alpha^\infty(\vec\tau^\infty)$.

• Iterates of $F^\omega(X) = \tau \circ X$ for the example above:
-- $X^0 = \{\langle s, \bot\rangle\} \cup \{\langle s_{ij}, \bot\rangle \mid 0 \le j \le i\}$;
-- $X^1 = F^\omega(X^0) = \{\langle s, \bot\rangle\} \cup \{\langle s_{ij}, \bot\rangle \mid 1 \le j \le i\}$;
-- …
-- $X^n = \{\langle s, \bot\rangle\} \cup \{\langle s_{ij}, \bot\rangle \mid n \le j \le i\}$;
-- …
-- $X^\omega = \bigcap_{n \in \mathbb{N}} X^n = \{\langle s, \bot\rangle\}$;
-- $X^{\omega+1} = F^\omega(X^\omega) = \emptyset = \mathrm{gfp}^{\subseteq}_{\Sigma \times \{\bot\}} F^\omega = \tau^\omega$.

Fixpoint Bifinite Relational Semantics of a Transition System $\langle\Sigma, \tau\rangle$

• $\tau^\infty = \tau^+ \cup \tau^\omega = \mathrm{lfp}^{\subseteq}_{\emptyset} \lambda X\,\cdot\, \check\tau \cup \tau \circ X \;\cup\; \mathrm{lfp}^{\supseteq}_{\Sigma \times \{\bot\}} \lambda X\,\cdot\, \tau \circ X = \mathrm{lfp}^{\sqsubseteq^\infty}_{\bot^\infty} F^\infty$ by the bi-fixpoint theorem, where:
• $F^\infty \triangleq \lambda X\,\cdot\, \check\tau \cup \tau \circ X^+ \cup \tau \circ X^\omega = \lambda X\,\cdot\, \check\tau \cup \tau \circ (X^+ \cup X^\omega) = \lambda X\,\cdot\, \check\tau \cup \tau \circ X$;
• $X \sqsubseteq^\infty Y \triangleq X^+ \subseteq Y^+ \wedge X^\omega \supseteq Y^\omega$;
• $\bot^\infty \triangleq \emptyset \cup (\Sigma \times \{\bot\}) = \Sigma \times \{\bot\}$;
• $\bigsqcup^{\infty}_i X_i \triangleq \bigcup_i X_i^+ \cup \bigcap_i X_i^\omega$;
• $\langle\wp(\Sigma \times \Sigma_\bot), \sqsubseteq^\infty, \bot^\infty, \sqcup^\infty\rangle$ is a complete lattice.

Abstraction by Parts

$\tau^\infty = \alpha^\infty(\mathrm{lfp}^{\vec\sqsubseteq^\infty}_{\vec\bot^\infty} \vec F^\infty) = \mathrm{lfp}^{\sqsubseteq^\infty}_{\bot^\infty} F^\infty$
• The finitary part transfers through $\alpha^+$ by Kleene's fixpoint transfer theorem (but Tarski's one is not applicable);
• The infinitary part transfers through $\alpha^\omega$ by Tarski's fixpoint transfer theorem (but Kleene's one is not applicable);
• The whole transfers through $\alpha^\infty$ by parts using the bifixpoint theorem (although Kleene's and Tarski's fixpoint transfer theorems are not applicable).

Natural Fixpoint Denotational/Functional Nondeterministic Semantics of a Transition System $\langle\Sigma, \tau\rangle$

• $\tau^\natural \triangleq \alpha^\natural(\tau^\infty) = \mathrm{lfp}^{\dot\sqsubseteq^\natural}_{\dot\bot^\natural} F^\natural$;
• $F^\natural(f) \triangleq \lambda s\,\cdot\, \bigl(\forall s' \in \Sigma: \neg(s\,\tau\,s')\ ?\ \{s\} \mid \{s' \mid \exists s'' \in \Sigma: s\,\tau\,s'' \wedge s' \in f(s'')\}\bigr)$.

Proof
Trivial application of Kleene's fixpoint transfer theorem for the complete order-isomorphism $\alpha^\natural$. $\Box$

Denotational/Functional Computational Ordering

$f \,\dot\sqsubseteq^\natural\, g \triangleq \gamma^\natural(f) \sqsubseteq^\infty \gamma^\natural(g)$
$= \{\langle s, s'\rangle \mid s' \in f(s) \cap \Sigma\} \subseteq \{\langle s, s'\rangle \mid s' \in g(s) \cap \Sigma\} \wedge \{\langle s, \bot\rangle \mid \bot \in f(s)\} \supseteq \{\langle s, \bot\rangle \mid \bot \in g(s)\}$
$= \forall s \in \Sigma: f(s)^+ \subseteq g(s)^+ \wedge f(s)^\omega \supseteq g(s)^\omega$ where $X^+ = X \cap \Sigma$ and $X^\omega = X \cap \{\bot\}$
$= \forall s \in \Sigma: f(s) \sqsubseteq^\natural g(s)$ where $X \sqsubseteq^\natural Y \triangleq X^+ \subseteq Y^+ \wedge X^\omega \supseteq Y^\omega$

This is not the classical Egli-Milner ordering!

Nondeterministic Abstraction

We use the complete order isomorphism:
$\langle\wp(\Sigma \times \Sigma_\bot), \sqsubseteq^\infty, \bot^\infty, \top^\infty, \sqcup^\infty, \sqcap^\infty\rangle \underset{\alpha^\natural}{\overset{\gamma^\natural}{\rightleftarrows}} \langle\Sigma \longmapsto \wp(\Sigma_\bot), \dot\sqsubseteq^\natural, \dot\bot^\natural, \dot\top^\natural, \dot\sqcup^\natural, \dot\sqcap^\natural\rangle$
defined by the right-image of a relation:
$\alpha^\natural(r) = \lambda s\,\cdot\, \{s' \in \Sigma_\bot \mid r(s, s')\}$
$\gamma^\natural(f) = \{\langle s, s'\rangle \mid s' \in f(s)\}$

Orderings for the Nondeterministic Denotational Semantics, $\Sigma = \{a, b\}$

(Figure: Hasse diagrams of the computational ordering $\sqsubseteq^\natural$ and of the Egli-Milner ordering $\sqsubseteq^{EM}$ on $\wp(\{a, b, \bot\})$, with the possible iterates of $F^\natural$ marked; not recoverable from the extraction.)

Comparing the orderings $\sqsubseteq^\natural$ and $\dot\sqsubseteq^{EM}$

• The lub $\sqcup^\natural$ provides a semantics to the parallel or: $[\![P \,||\, Q]\!] = [\![P]\!] \sqcup^\natural [\![Q]\!]$ (nontermination of $P \,||\, Q$ only if both $P$ and $Q$ do not terminate);
• The lub $\sqcup^{EM}$ may not be defined.

Plotkin's Fixpoint Denotational/Functional Nondeterministic Semantics of a Transition System $\langle\Sigma, \tau\rangle$

$\tau^\natural = \alpha^\natural(\tau^\infty) = \mathrm{lfp}^{\dot\sqsubseteq^\natural}_{\lambda s\,\cdot\,\{\bot\}} F^\natural = \mathrm{lfp}^{\dot\sqsubseteq^{EM}}_{\lambda s\,\cdot\,\{\bot\}} F^\natural$

Sketch of proof
• $\mathrm{lfp}^{\dot\sqsubseteq^{EM}}_{\lambda s\,\cdot\,\{\bot\}} F^\natural$ exists since $F^\natural$ is Egli-Milner monotonic and $\langle\Sigma \longmapsto \wp(\Sigma_\bot) \setminus \{\emptyset\}, \dot\sqsubseteq^{EM}\rangle$ is a cpo;
• $\mathrm{lfp}^{\dot\sqsubseteq^{EM}}_{\lambda s\,\cdot\,\{\bot\}} F^\natural = \mathrm{lfp}^{\dot\sqsubseteq^\natural}_{\lambda s\,\cdot\,\{\bot\}} F^\natural$ since the iterates exactly coincide. $\Box$

Fixpoint Iterates Reordering

• Let $\langle\langle D, \sqsubseteq, \bot, \sqcup\rangle, F\rangle$ be a fixpoint semantic specification;
• let $E$ be a set and $\trianglelefteq$ be a binary relation on $E$, such that:
1. $\trianglelefteq$ is a pre-order on $E$;
2. all iterates $F^\delta$, $\delta \in \mathbb{O}$, of $F$ belong to $E$;
3. $\bot$ is the $\trianglelefteq$-infimum of $E$;
4. the restriction $F|_E$ of $F$ to $E$ is $\trianglelefteq$-monotone;
5. for all $x \in E$, if $\lambda$ is a limit ordinal and $\forall \delta < \lambda: F^\delta \trianglelefteq x$ then $\bigsqcup_{\delta<\lambda} F^\delta \trianglelefteq x$.
• Then $\mathrm{lfp}^{\sqsubseteq}_{\bot} F = \mathrm{lfp}^{\trianglelefteq}_{\bot} F|_E \in E$.

Nondeterministic Smyth/Demoniac Denotational Semantics

• $\tau^\sharp \triangleq \alpha^\sharp(\tau^\natural)$ where
-- $\alpha^\sharp(f) \triangleq \lambda s\,\cdot\, f(s) \cup \{s' \in \Sigma \mid \bot \in f(s)\}$;
-- $\gamma^\sharp(g) \triangleq g$.
• $\langle\Sigma \longmapsto \wp(\Sigma_\bot), \dot\subseteq\rangle \underset{\alpha^\sharp}{\overset{\gamma^\sharp}{\rightleftarrows}} \langle\Sigma \longmapsto (\wp(\Sigma) \cup \{\Sigma_\bot\}), \dot\subseteq\rangle$ is a Galois insertion.

Examples of Other Possible Demoniac Iterate Orderings

(Figure: Hasse diagrams over $\{a\}$, $\{b\}$, $\{a, b\}$, $\{a, b, \bot\}$ of the demoniac ordering $\sqsubseteq^\sharp$, another demoniac ordering $\sqsubseteq^\Diamond$, the Smyth ordering $\sqsubseteq^S$ and the flat ordering $\sqsubseteq^\flat$; not recoverable from the extraction.)

Demoniac Denotational Semantics in Fixpoint Form

$\tau^\sharp = \mathrm{lfp}^{\dot\sqsubseteq^\flat}_{\dot\bot^\flat} F^\sharp$ where:
• $F^\sharp \triangleq \lambda f\,\cdot\, \lambda s\,\cdot\, \bigl(\forall s' \in \Sigma: \neg(s\,\tau\,s')\ ?\ \{s\} \mid \{s' \mid \exists s'' \in \Sigma: s\,\tau\,s'' \wedge s' \in f(s'')\}\bigr)$;
• The DCPO (20) $\langle\dot D^\flat, \dot\sqsubseteq^\flat, \dot\bot^\flat, \dot\sqcup^\flat\rangle$ is the restriction of the pointwise extension of the flat DCPO $\langle D^\flat, \sqsubseteq^\flat, \bot^\flat, \sqcup^\flat\rangle$;
• $D^\flat \triangleq (\wp(\Sigma) \setminus \{\emptyset\}) \cup \{\bot^\flat\}$;
• $\dot D^\flat \triangleq \{f \in \Sigma \longmapsto D^\flat \mid \forall s, s' \in \Sigma: (s' \in f(s) \wedge f(s) \ne \bot^\flat) \Rightarrow (s' \in \check\tau \wedge f(s') = \{s'\})\}$.

This is not the classical Smyth ordering!

20 Directed Complete POset.

Minimality of $\langle\dot D^\flat, \dot\sqsubseteq^\flat\rangle$

• Let $\langle E, \preceq\rangle$ be any poset such that:
-- $\bot$ is the $\preceq$-infimum of $E$,
-- $F^\sharp[\![\tau]\!] \triangleq \lambda f\,\cdot\, \lambda s\,\cdot\, \bigl(\forall s' \in \Sigma: \neg(s\,\tau\,s')\ ?\ \{s\} \mid \{s' \mid \exists s'' \in \Sigma: s\,\tau\,s'' \wedge s' \in f(s'')\}\bigr) \in E \overset{m}{\longmapsto} E$ is $\preceq$-monotone, and
-- $\forall \tau: \tau^\sharp = \mathrm{lfp}^{\preceq}_{\bot} F^\sharp[\![\tau]\!]$;
• then:
-- $\dot D^\flat \subseteq E$ and $\bot^\flat = \bot$,
-- $\dot\sqsubseteq^\flat \subseteq \preceq$.

Hoare/Angelic Denotational Semantics

• τ♭ = α̇♭(τ♮) where
  -- α̇♭(ϕ) ≜ λs• ϕ(s) ∩ Σ,
  -- γ̇♭(φ) ≜ λs• φ(s) ∪ {⊥};
• ⟨Σ ↦ ℘(Σ⊥), ⊆̇⟩ ⇄(α̇♭, γ̇♭) ⟨Σ ↦ ℘(Σ), ⊆̇⟩;
• τ♭ = lfp^{⊆̇}_{∅̇} F♮ where F♮ ≜ λf• λs• (∀s' ∈ Σ: ¬(s τ s') ? {s} | {s'' | ∃s' ∈ Σ: s τ s' ∧ s'' ∈ f(s')}) is a complete ∪̇-morphism on the complete lattice ⟨Σ ↦ ℘(Σ), ⊆̇, ∅̇, λs•Σ, ∪̇, ∩̇⟩, which is the pointwise extension of the powerset ⟨℘(Σ), ⊆, ∅, Σ, ∪, ∩⟩.

Denotational/Functional Deterministic Abstraction

• ⟨℘(Σ⊥), ⊆⟩ ⇄(α^s, γ^s) ⟨Σ ∪ {⊥, ⊤}, ⊑^s⟩ where, for all s ∈ Σ:
  -- α^s(∅) = α^s({⊥}) = ⊥,      γ^s(⊥) = {⊥};
  -- α^s({s}) = α^s({s, ⊥}) = s,  γ^s(s) = {s, ⊥};
  -- α^s(X) = ⊤ otherwise,        γ^s(⊤) = Σ⊥;
• The abstraction α^s disregards nondeterminism;
• ⟨Σ ↦ ℘(Σ⊥), ⊆̇⟩ ⇄(α̇^s, γ̇^s) ⟨Σ ↦ (Σ ∪ {⊥, ⊤}), ⊑̇^s⟩ where α̇^s(f) ≜ λs• α^s(f(s)) and γ̇^s(f) ≜ λs• γ^s(f(s)).


Natural τ♮ and deterministic τ^s denotational semantics of nondeterministic transition systems τ

[Figure: three example transition systems on the states a, b, c, with
  τ♮(a) = {b},    τ^s(a) = b, τ^s(b) = b, τ^s(c) = b;
  τ♮(a) = {b, ⊥}, τ^s(a) = b, τ^s(b) = b, τ^s(c) = ⊥;
  τ♮(a) = {b, c}, τ^s(a) = ⊤, τ^s(b) = b, τ^s(c) = c]

Denotational/Functional Deterministic Semantics

Fixpoint Denotational/Functional Deterministic Semantics of a Transition System ⟨Σ, τ⟩

• τ^s = α̇^s(τ♮) = α̇^s(lfp^{⊑̇}_{λs•{⊥}} F♮) = lfp^{⊑̇^s}_{λs•⊥} F^s
• F^s ≜ λf• λs• (∀s' ∈ Σ: ¬(s τ s') ? s | ⊔^s{f(s') | s τ s'})

Proof
  -- α̇^s(λs•{⊥}) = λs•⊥;
  -- α̇^s ∘ F♮ = F^s ∘ α̇^s leads to the definition of F^s;
  -- α̇^s(⊔̇_i f_i) = ⊔̇^s_i α̇^s(f_i) leads to the definition of the ⊑^s-lub ⊔̇^s;
  -- F^s is monotonic for ⊑^s;
  -- Kleene’s fixpoint transfer theorem applies. ∎

The Rôle of ⊤

• The top element ⊤ is often eliminated from Scott’s domains by lack of intuitive interpretation;
• We interpret ⊤ as an abstraction forgetting about nondeterminism.


Deterministic Transition System, Scott’s Semantics

• If τ is deterministic, then τ ∈ Σ ⇸ Σ, and
  F^s = λf• λs• (s ∉ dom τ ? s | f(τ(s)));
• ⊤ is unreachable and can be eliminated from the domain so that ⊑^s is exactly Scott’s ordering.

Predicate Transformer Semantics

Nondeterministic Denotational to Predicate Transformer Abstractions

If f ∈ D ↦ ℘(E):
• gsp[[f]] ≜ α^⊔[f] ∈ ℘(D) ⊔↦ ℘(E)
           = λP ∈ ℘(D)• {s' ∈ E | ∃s ∈ P: s' ∈ f(s)}
• gspa[[f]] ≜ α^∼ ∘ α^⊔[f] ∈ ℘(D) ⊓↦ ℘(E)
           = λP ∈ ℘(D)• {s' ∈ E | ∀s ∈ D: s' ∈ f(s) ⇒ s ∈ P}
• gwp[[f]] ≜ α^∼ ∘ α^⊔ ∘ α^{-1}[f] ∈ ℘(E) ⊓↦ ℘(D)
           = λQ ∈ ℘(E)• {s ∈ D | ∀s' ∈ E: s' ∈ f(s) ⇒ s' ∈ Q}
• gwpa[[f]] ≜ α^⊔ ∘ α^{-1}[f] ∈ ℘(E) ⊔↦ ℘(D)
           = λQ ∈ ℘(E)• {s ∈ D | ∃s' ∈ Q: s' ∈ f(s)}

Predicate Transformer Abstractions

• α^{-1} ≜ λf ∈ D ↦ ℘(E)• λs'• {s | s' ∈ f(s)}
• γ^{-1} ≜ λf ∈ E ↦ ℘(D)• λs• {s' | s ∈ f(s')}
• α^⊔ ≜ λf ∈ D ↦ ℘(E)• λP ∈ ℘(D)• {s' | ∃s ∈ P: s' ∈ f(s)}
• γ^⊔ ≜ λΦ ∈ ℘(D) ↦ ℘(E)• λs• Φ({s})
• α^∪ ≜ λΦ ∈ ℘(D) ↦ ℘(E)• λQ ∈ ℘(E)• {s | Φ({s}) ∩ Q ≠ ∅}
• γ^∪ ≜ λΨ ∈ ℘(E) ↦ ℘(D)• λP ∈ ℘(D)• {s' | Ψ({s'}) ∩ P ≠ ∅}
• α^∼ ≜ λΦ ∈ ℘(D) ↦ ℘(E)• λP ∈ ℘(D)• ¬(Φ(¬P))
• γ^∼ ≜ λΦ ∈ ℘(D) ↦ ℘(E)• λP ∈ ℘(D)• ¬(Φ(¬P))
• α^∩ ≜ λΘ ∈ ℘(D) ↦ ℘(E)• λQ ∈ ℘(E)• {s | Θ(¬{s}) ∪ Q = E}
• γ^∩ ≜ λΘ ∈ ℘(E) ↦ ℘(D)• λP ∈ ℘(D)• {s' | Θ(¬{s'}) ∪ P = D}


Galois Connection Commutative Diagram

[Diagram: upper row ⟨D ↦ ℘(E), ⊑̇⟩ ⇄(α^⊔, γ^⊔) ⟨℘(D) ⊔↦ ℘(E), ⊆̇⟩ ⇄(α^∼, γ^∼) ⟨℘(D) ⊓↦ ℘(E), ⊇̇⟩; lower row ⟨E ↦ ℘(D), ⊑̇⟩ ⇄(α^⊔, γ^⊔) ⟨℘(E) ⊔↦ ℘(D), ⊆̇⟩ ⇄(α^∼, γ^∼) ⟨℘(E) ⊓↦ ℘(D), ⊇̇⟩; the columns are connected by ⟨α^{-1}, γ^{-1}⟩, ⟨α^∪, γ^∪⟩ and ⟨α^∩, γ^∩⟩ respectively]

• wp[[f]]Q ≜ {s ∈ Σ | ∃s' ∈ Σ: s' ∈ f(s) ∧ ∀s' ∈ Σ: s' ∈ f(s) ⇒ s' ∈ Q}

Generalized Weakest Precondition Semantics

• τ^gwp ≜ gwp[[τ♮]] = lfp^{⊑gwp}_{⊥gwp} F^gwp
• F^gwp ∈ D^gwp ↦ D^gwp ≜ λΘ• λQ• (¬τ̌ ∪ Q) ∩ gwp[[τ·]](Θ(Q))
                         = λΘ• λQ• (Q ∩ τ̌) ∪ wp[[τ·]](Θ(Q))
  is a ⊑gwp-monotone map on the complete lattice ⟨D^gwp, ⊑gwp, ⊥gwp, ⊔gwp⟩
• D^gwp ≜ ℘(Σ⊥) ⊓↦ ℘(Σ)
• Θ ⊑gwp Ψ ≜ ∀Q ⊆ Σ: Ψ(Q ∪ {⊥}) ⊆ Θ(Q ∪ {⊥}) ∧ Θ(Σ) ⊆ Ψ(Σ)
• ⊥gwp ≜ λQ• (⊥ ∈ Q ? Σ | ∅)
• ⊔gwp_{i∈Δ} Θ_i ≜ λQ• ∩_{i∈Δ} Θ_i(Q ∪ {⊥}) ∩ (⊥ ∉ Q ? ∪_{i∈Δ} Θ_i(Σ) | Σ).

Dijkstra’s Weakest Liberal Precondition Semantics

• ⟨D^gwp, ⊇̇⟩ ⇄(α^wlp, γ^wlp) ⟨D^wlp, ⊇̇⟩ where D^wlp ≜ ℘(Σ) ⊓↦ ℘(Σ), α^wlp ≜ λΘ• λQ• Θ(Q ∪ {⊥}) and γ^wlp(Ψ) ≜ λQ• (⊥ ∈ Q ? Ψ(Q) | ∅);
• τ^wlp ≜ α^wlp(τ^gwp) = gwp[[τ♭]];
• By Kleene fixpoint transfer, τ^wlp = λQ• gfp^{⊆} F^wp[[Q]].

Dijkstra’s Weakest Conservative Precondition Abstraction

• ⟨D^gwp, ⊇̇⟩ ⇄(α^wp, γ^wp) ⟨D^wp, ⊇̇⟩ where D^wp ≜ ℘(Σ) ⊓↦ ℘(Σ), α^wp ≜ λΘ• Θ|℘(Σ) and γ^wp(Ψ) ≜ λQ• (⊥ ∉ Q ? Ψ(Q) | ∅);
• τ^wp ≜ α^wp(τ^gwp) = α^wp(gwp[[τ♮]]);
• Dijkstra’s fixpoint characterization of τ^wp is for a given postcondition Q;
• If Q ⊆ E then ⟨℘(E) ⊓↦ ℘(D), ⊇̇⟩ ⇄(α^Q, γ^Q) ⟨℘(D), ⊇⟩ where α^Q(Θ) ≜ Θ(Q) and γ^Q(P) ≜ λR• (Q ⊆ R ? P | ∅).


Dijkstra’s Weakest Conservative Precondition Semantics

From τ^wp(Q) = α^Q(α^wp(τ^gwp)) and Kleene fixpoint transfer theorem, we derive:
• τ^wp = λQ• lfp^{⊆}_{∅} F^wp[[Q]]
• F^wp ∈ ℘(Σ) ↦ ℘(Σ) ↦ ℘(Σ)
• τ·(s) ≜ {s' | s τ s'};
• F^wp[[Q]] ≜ λP• (Q ∩ τ̌) ∪ wp[[τ·]]P
            = λP• (¬τ̌ ∪ Q) ∩ gwp[[τ·]]P
  is a ⊆-monotone map on the complete lattice ⟨℘(Σ), ⊆, ∅, Σ, ∪, ∩⟩.

Correspondence Between Pre- and Postcondition Semantics

If f ∈ D ↦ ℘(E) then ⟨℘(D), ⊆⟩ ⇄(gsp[[f]], gwp[[f]]) ⟨℘(E), ⊆⟩.

Galois Connection Commutative Diagram

• π1(⟨α, γ⟩) ≜ α,  HA(α) ≜ {⟨x, y⟩ ∈ D♮ × D♯ | α(x) ⊑♯ y}
• π2(⟨α, γ⟩) ≜ γ,  HC(γ) ≜ {⟨x, y⟩ ∈ D♮ × D♯ | x ⊑♮ γ(y)}
• AC(γ) ≜ λx• ⊓♯{y | x ⊑♮ γ(y)},  AH(H) ≜ λx• ⊓♯{y | ⟨x, y⟩ ∈ H}
• CA(α) ≜ λy• ⊔♮{x | α(x) ⊑♯ y},  CH(H) ≜ λy• ⊔♮{x | ⟨x, y⟩ ∈ H}

[Commutative diagram relating the complete join morphisms ⟨D♮, ⊑♮⟩ ⊔↦ ⟨D♯, ⊑♯⟩ (via λα• ⟨α, CA(α)⟩), the Galois connections ⟨D♮, ⊑♮⟩ ⇄ ⟨D♯, ⊑♯⟩ (projections π1, π2), the complete meet morphisms ⟨D♯, ⊑♯⟩ ⊓↦ ⟨D♮, ⊑♮⟩ (via λγ• ⟨AC(γ), γ⟩) and the tensor product ⟨D♮, ⊑♮⟩ ⊗ ⟨D♯, ⊑♯⟩ (via HA, HC, AH, CH and AH × CH), with HC ∘ π2 = HA ∘ π1]

Axiomatic Semantics


Galois Connections, Complete Join/Meet Morphisms and Tensor Product

• G. c.: ⟨D♮, ⊑♮⟩ ⇄ ⟨D♯, ⊑♯⟩ ≜ {⟨α, γ⟩ | ⟨D♮, ⊑♮⟩ ⇄(α, γ) ⟨D♯, ⊑♯⟩};
• Complete join morphisms: D♮ ⊔↦ D♯ ≜ {α ∈ D♮ ↦ D♯ | ∀X ⊆ D♮: α(⊔♮X) = ⊔♯α(X)};
• Complete meet morphisms: D♯ ⊓↦ D♮ ≜ {γ ∈ D♯ ↦ D♮ | ∀Y ⊆ D♯: γ(⊓♯Y) = ⊓♮γ(Y)};
• Tensor products: ⟨D♮, ⊑♮⟩ ⊗ ⟨D♯, ⊑♯⟩ ≜ {H ∈ ℘(D♮ × D♯) | (1) ∧ (2) ∧ (3)} where the conditions are:
  1. (X ⊑♮ X' ∧ ⟨X', Y'⟩ ∈ H ∧ Y' ⊑♯ Y) ⇒ (⟨X, Y⟩ ∈ H);
  2. (∀i ∈ Δ: ⟨X_i, Y⟩ ∈ H) ⇒ (⟨⊔♮_{i∈Δ} X_i, Y⟩ ∈ H);
  3. (∀i ∈ Δ: ⟨X, Y_i⟩ ∈ H) ⇒ (⟨X, ⊓♯_{i∈Δ} Y_i⟩ ∈ H).

Floyd/Hoare/Naur Partial Correctness Semantics

• τ^pH ≜ HC(τ^wlp);
• τ^pH = {⟨P, Q⟩ ∈ ℘(Σ) ⊗ ℘(Σ) | ∃I ∈ ℘(Σ): P ⊆ I ∧ I ⊆ gwp[[τ·]]I ∧ (I ∩ τ̌) ⊆ Q}.

Proof By Park fixpoint induction: if ⟨D, ⊑, ⊥, ⊤, ⊔, ⊓⟩ is a complete lattice, F ∈ D ↦ D is ⊑-monotone and P ∈ D then
  lfp^{⊑}_{⊥} F ⊑ P ⟺ ∃I: F(I) ⊑ I ∧ I ⊑ P. ∎

Hoare Logic

• Hoare triples: {P}τ^∞{Q} ≜ ⟨P, Q⟩ ∈ τ^pH, {P}τ{Q} ≜ P ⊆ gwp[[τ·]]Q;
• Hoare logic: {P}τ^∞{Q} if and only if it derives from the axiom:
    {gwp[[τ·]]Q} τ {Q}                                        (τ)
  and the following inference rules:
    P ⊆ P', {P'}τ^∞{Q'}, Q' ⊆ Q  /  {P}τ^∞{Q}                 (⇒)
    {P_i}τ^∞{Q}, i ∈ Δ  /  {∪_{i∈Δ} P_i}τ^∞{Q}                 (∨)
    {P}τ^∞{Q_i}, i ∈ Δ  /  {P}τ^∞{∩_{i∈Δ} Q_i}                 (∧)
    {I}τ{I}  /  {I}τ^∞{I ∩ τ̌}                                  (τ^∞)

Manna/Pnueli Total Correctness Logic

• Manna/Pnueli triples: [P]τ^∞[Q] ≜ ⟨P, Q⟩ ∈ τ^tH, [P]τ[Q] ≜ P ⊆ gwp[[τ·]]Q;
• Manna/Pnueli total correctness axiomatic semantics: [P]τ^∞[Q] if and only if it derives from the axiom (τ), the inference rules (⇒), (∧), (∨) and the following:
    I^0 ⊆ Q ∩ τ̌,  ⋀_{δ=1}^{λ} I^δ ⊆ ¬τ̌ ∪ Q,  ⋀_{δ=1}^{λ} [I^δ]τ[∪_{β<δ} I^β]  /  [I^λ]τ^∞[Q]      (τ^∞)


Floyd Total Correctness Semantics

• τ^tH ≜ HC(τ^wp);
• τ^tH = {⟨P, Q⟩ ∈ ℘(Σ) ⊗ ℘(Σ) | ∃λ ∈ O: ∃I ∈ (λ + 1) ↦ ℘(Σ): ∀δ ≤ λ: I^δ ⊆ (¬τ̌ ∪ Q) ∩ gwp[[τ·]](∪_{β<δ} I^β) ∧ P ⊆ I^λ}.
• Floyd (equivalent) verification conditions:
  ∀s ∈ I^δ: (∀s': ¬(s τ s') ∧ s ∈ Q) ∨ (∃s': s τ s' ∧ ∀s': s τ s' ⇒ (∃β < δ: s' ∈ I^β))

Proof By the lower fixpoint induction principle: if ⟨D, ⊑, ⊥, ⊔⟩ is a DCPO, F ∈ D ↦ D is ⊑-monotone, ⊥' ∈ D satisfies ⊥' ⊑ F(⊥') and P ∈ D then
  P ⊑ lfp^{⊑}_{⊥'} F ⟺ ∃λ ∈ O: ∃I ∈ (λ + 1) ↦ D: I^0 ⊑ ⊥' ∧ ∀δ: 0 < δ ≤ λ ⇒ I^δ ⊑ F(⊔_{ζ<δ} I^ζ) ∧ P ⊑ I^λ. ∎

Lattice of Semantics

Comparison of Semantics

• τ♮ ∈ D♮ ≤ τ♯ ∈ D♯ iff τ♯ = α♯(τ♮) and ⟨D♮, ⊑♮⟩ ⇄(α♯, γ♯) ⟨D♯, ⊑♯⟩ is a preorder between semantics;
• The quotient poset is isomorphic to the Ward lattice of upper closure operators γ♯ ∘ α♯ on ⟨D^∞, ⊆⟩;
• We get a lattice of semantics which is part of the lattice of abstract interpretations.

Application to the (Eager) Lambda-Calculus (Prospective)


Lattice of Semantics

[Figure: the lattice of semantics, from top to bottom: Hoare logics (τ^pH, τ^tH); weakest precondition semantics (τ^wlp, τ^wp, τ^gwp); denotational semantics (angelic, Smyth, demoniac, flat, natural, deterministic); relational semantics (natural with the Egli-Milner ordering, τ^ω, τ^∂, τ^+); trace semantics (τ^∞, τ^+, τ^ω); arrows labelled abstraction, equivalence and restriction; columns labelled angelic, natural, demoniac, deterministic and infinite]

Relational Semantics with Closures

• E ⊢ λx·e ⇒ ⟨x, e, E⟩

• c = ⟨x, e, E[f ← c]⟩  /  E ⊢ µf·λx·e ⇒ c

• E ⊢ e1 ⇒ ⊥  /  E ⊢ e1(e2) ⇒ ⊥

• E ⊢ e1 ⇒ ⟨x2, e2, E2⟩,  E ⊢ e2 ⇒ ⊥  /  E ⊢ e1(e2) ⇒ ⊥

• E ⊢ e1 ⇒ ⟨x2, e2, E2⟩,  E ⊢ e2 ⇒ v,  v ≠ ?,  E2[x2 ← v] ⊢ e2 ⇒ r  /  E ⊢ e1(e2) ⇒ r

• E ⊢ e1 ⇒ ⟨x2, e2, E2⟩,  E ⊢ e2 ⇒ v,  v ≠ ?,  E2[x2 ← v] ⊢ e2 ⇒ ⊥  /  E ⊢ e1(e2) ⇒ ⊥

Denotational Semantics

• u, f, ϕ ∈ U ≅ {?}⊥⊤ ⊕ Z⊥⊤ ⊕ [U ↦ U]⊥⊤   values
• R ∈ R ≜ X ↦ U   environments
• φ ∈ S ≜ R ↦ U   semantic domain
• S[[λx·e]]R ≜ λu• (u = ⊥ ? ⊥ | u = ? ? ? | S[[e]]R[x ← u])
• S[[e1(e2)]]R ≜ (S[[e1]]R = ⊥ ∨ S[[e2]]R = ⊥ ? ⊥ | S[[e1]]R = f ∈ [U ↦ U] ? f(S[[e2]]R) | ?)
• S[[µf·λx·e]]R ≜ lfp λϕ• S[[λx·e]]R[f ← ϕ]

• α ∈ (X ↦ V) ↦ (X ↦ U):
  α(E) ≜ λx• α(E(x))
• α ∈ ℘((X ↦ V) × V) ↦ ((X ↦ U) ↦ U):
  α(Θ[[e]]) ≜ λR• α({r | ∃E: α(E) = R ∧ E ⊢ e ⇒ r ∈ Θ[[e]]})


Abstraction

• The rules of the relational semantics can be interpreted as least fixpoints for the bifinite ordering;
• The abstraction function α ∈ ℘(V) ↦ U is as follows²¹:
    α(∅) ≜ ⊥
    α({⊥}) ≜ ⊥
    α({z}) = α({z, ⊥}) ≜ z,  z ∈ Z
    α({?}) ≜ ?
    α(X) ≜ ⊤, otherwise.
    α(⟨x, e, E⟩) ≜ λu ∈ U• α({r | ∃v ∈ V: α({v}) = u ∧ E[x ← v] ⊢ e ⇒ r})

²¹ Lifting and injections are omitted.

Alternative Partitioning of Executions

• We have explored linear time (set of traces) semantics with a partition between finite and infinite traces;
• A different partitioning for branching time (tree) semantics would be states with or without later possibility to branch toward a nonterminating execution.

Need for semantics at various levels of refinement

• Many semantics at different levels of abstraction are needed for program analysis;
• A unified framework for presenting all these semantics seems indispensable.


Further Work for Semanticians

• Consider realistic practical languages (C++, Java, ML, etc.);
• Consider computable approximations of semantic domains (to be used in program analysis);
• A need for mathematical foundations but also applications of programming semantics;
• A lot of work for future applied semanticians (like applied mathematicians).
