Principles of Program Analysis

This document summarizes a chapter on program analysis from the book "Principles of Program Analysis" by Flemming Nielson, Hanne Riis Nielson and Chris Hankin. It introduces program analysis as a technique for determining properties of programs without running them. It provides an example of using program analysis to determine the parity of a variable in a simple program. It also discusses key concepts in program analysis like correctness relations between program semantics and analysis results, representation functions, and the use of lattices and abstract interpretation.

Principles of program analysis (2. corr. print). Book · January 2005. Source: DBLP.
ResearchGate record: https://www.researchgate.net/publication/220690264
3 authors, including: Chris Hankin, Imperial College London.
All content following this page was uploaded by Chris Hankin on 09 January 2014.
Principles of Program Analysis
Chris Hankin
thanks to:
Flemming Nielson and Hanne Riis Nielson

Imperial College London

APPSEM II Summer School, 12 September 2005, Frauenchiemsee – p.1/116

Introduction and Fixed Points


Introduction

Program analysis is an automatic technique for finding out properties of programs without having to run them.

Optimising compilers
Automated program verification
Security

Some techniques:

Data Flow Analysis
Control Flow Analysis
Types and Effects Systems
Abstract Interpretation

Book: Principles of Program Analysis by F. Nielson, H.R. Nielson and C. Hankin, Springer Verlag, 2005 (2nd corrected printing).


A first example:

[input n]¹ ;
[m := 2]² ;
while [n > 1]³ do
  [m := m × n]⁴ ;
  [n := n − 1]⁵ ;
[output m]⁶ ;

We can statically determine that the value of m at statement 6 will be even for any input n. A program analysis can determine this by propagating parity information forwards from the start of the program.

We can assign one of three properties to each variable:

even – the value is known to be even
odd – the value is known to be odd
unknown – the parity of the value is unknown

(Take care of loop)

1: m: unknown   n: unknown
2: m: unknown   n: unknown
3: m: even      n: unknown
4: m: even      n: unknown
5: m: even      n: unknown
6: m: even      n: unknown

The program computes 2 times the factorial of n for any positive value of n. Replacing statement 2 by:

[m := 1]² ;

gives a program that computes factorials, but then the program analysis is unable to tell us anything about the parity of m at statement 6.

This is correct because m could be even or odd. However, even if we fix the input to be positive and even, by some suitable conditional assignment, the program analysis will still not accurately predict the evenness of m at statement 6.

This loss of accuracy is a common feature of program analyses: many properties that we are interested in are essentially undecidable and therefore we cannot hope to detect them accurately. We have to ensure that the answers from program analysis are at least safe:

yes means definitely yes, and
no means possibly no.

In the modified factorial program, it is safe to say that the parity of m is unknown at 6 – it would not be safe to say that m is even.
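As an added worked example (not code from the slides or the book), the following Python program carries out the forward parity analysis described above on the six-label program: it iterates the flow equations at each label to a fixed point, and then compares the result with concrete runs through a representation function β that maps an integer to its parity. The encoding of the lattice (a bottom element "none" used only during iteration, with "unknown" as the top), the flow equations, and all function names are this example's own assumptions.

```python
# Parity lattice: EVEN and ODD are incomparable, UNKNOWN is the top element.
# BOT ("none") stands for "no value has reached this label yet" during iteration.
BOT, EVEN, ODD, UNKNOWN = "none", "even", "odd", "unknown"

def join(a, b):
    """Least upper bound of two parity properties."""
    if a == BOT:
        return b
    if b == BOT:
        return a
    return a if a == b else UNKNOWN

def leq(a, b):
    """Partial order: BOT below everything, UNKNOWN above everything."""
    return a == BOT or b == UNKNOWN or a == b

def mul(a, b):
    """Abstract multiplication: even times anything is even."""
    if BOT in (a, b):
        return BOT
    if EVEN in (a, b):
        return EVEN
    if a == ODD and b == ODD:
        return ODD
    return UNKNOWN

def sub1(a):
    """Abstract effect of n := n - 1: parity flips, unknown stays unknown."""
    return {BOT: BOT, EVEN: ODD, ODD: EVEN, UNKNOWN: UNKNOWN}[a]

def beta(z):
    """Representation function: the best property describing a concrete integer."""
    return EVEN if z % 2 == 0 else ODD

def analyse(m_init):
    """Forward parity analysis of
         [input n]1; [m := c]2; while [n > 1]3 do ([m := m*n]4; [n := n-1]5); [output m]6
       where the constant c has parity m_init.  Returns the state (m, n) at the entry of
       each label, computed as the least fixed point of the flow equations."""
    entry = {lab: (BOT, BOT) for lab in range(1, 7)}
    entry[1] = (UNKNOWN, UNKNOWN)          # nothing is known before the program starts
    while True:
        new = dict(entry)
        m1, _ = entry[1]
        new[2] = (m1, UNKNOWN)             # [input n]1: n becomes unknown
        _, n2 = entry[2]
        from_2 = (m_init, n2)              # [m := c]2 flows into the loop head
        m5, n5 = entry[5]
        from_5 = (m5, sub1(n5))            # [n := n - 1]5, the back edge into the loop head
        new[3] = (join(from_2[0], from_5[0]), join(from_2[1], from_5[1]))
        new[4] = entry[3]                  # [n > 1]3, true branch: the test gives no parity info
        new[6] = entry[3]                  # [n > 1]3, false branch
        m4, n4 = entry[4]
        new[5] = (mul(m4, n4), n4)         # [m := m * n]4
        if new == entry:
            return entry
        entry = new

def run(n, c):
    """Concrete semantics of the same program, for comparison."""
    m = c
    while n > 1:
        m, n = m * n, n - 1
    return m

def check_soundness(c, samples=range(0, 12)):
    """beta(concrete m at label 6) must lie below the analysed parity of m at label 6."""
    m_at_6 = analyse(beta(c))[6][0]
    return all(leq(beta(run(n, c)), m_at_6) for n in samples)
```

With c = 2 the analysis reproduces the table above (m even, n unknown at labels 3 to 6); with c = 1 it reports m unknown at 6, even though `check_soundness(1, range(2, 12, 2))` shows every even input produces an even m, which is the loss of precision the text describes.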


Overview

(Diagram: the four approaches placed on two axes, Efficiency and Correctness.)
Control Flow Analysis    Type and Effect Systems
Data Flow Analysis       Abstract Interpretation

Introduction – two approaches to correctness
Fixed Points – widenings and narrowings
Galois Connections
Induced operations

Abstract interpretation was invented by Patrick Cousot and Radhia Cousot in 1977.

strictness analysis (Mycroft, 1981; Burn, Hankin and Abramsky, 1985)
many applications in logic programming
general semantics-based framework applied to many paradigms

We will give a language and semantics independent treatment.

A first-order approach

To set the scene, imagine some programming language. Its semantics identifies some set V of values (like states, closures, double precision reals) and specifies how a program p transforms one value $v_1$ to another $v_2$; we may write

$$p \vdash v_1 \leadsto v_2$$

In a similar way, a program analysis identifies the set L of properties (like shapes of states, abstract closures, lower and upper bounds for reals) and specifies how a program p transforms one property $l_1$ to another $l_2$:

$$p \vdash l_1 \triangleright l_2$$

It is customary to require $\triangleright$ to be deterministic and thereby define a function; this will allow us to write $f_p(l_1) = l_2$ to mean $p \vdash l_1 \triangleright l_2$.


Correctness relations

Every program analysis should be correct with respect to the semantics. For a class of (so-called first-order) program analyses this is established by directly relating properties to values using a correctness relation:

$$R : V \times L \to \{\mathit{true}, \mathit{false}\}$$

The intention is that $v\,R\,l$ formalises our claim that the value v is described by the property l.

To be useful one has to prove that the correctness relation R is preserved under computation: if the relation holds between the initial value and the initial property then it also holds between the final value and the final property. This may be formulated as the implication

$$v_1\,R\,l_1 \;\wedge\; p \vdash v_1 \leadsto v_2 \;\wedge\; p \vdash l_1 \triangleright l_2 \;\Rightarrow\; v_2\,R\,l_2$$

A relation R satisfying a condition like this is often called a logical relation and the implication is sometimes written $(p \vdash \cdot \leadsto \cdot)\,(R \rightrightarrows R)\,(p \vdash \cdot \triangleright \cdot)$.

The theory of Abstract Interpretation comes to life when we augment the set of properties L with a preorder structure and relate this to the correctness relation R. The most common scenario is when $L = (L, \sqsubseteq, \sqcup, \sqcap, \bot, \top)$ is a complete lattice with partial ordering $\sqsubseteq$. We then impose the following relationship between R and L:

$$v\,R\,l_1 \;\wedge\; l_1 \sqsubseteq l_2 \;\Rightarrow\; v\,R\,l_2 \qquad (1)$$

$$(\forall l \in L' \subseteq L : v\,R\,l) \;\Rightarrow\; v\,R\,(\textstyle\bigsqcap L') \qquad (2)$$

$$v\,R\,l_1 \;\wedge\; l_1 \sqsubseteq l_2 \;\Rightarrow\; v\,R\,l_2$$

The first condition says that the smaller the property is with respect to the partial ordering, the better (i.e. more precise) it is.

This is an “arbitrary” decision in the sense that we could instead have decided that the larger the property is, the better it is, as is indeed the case in much of the literature on Data Flow Analysis; luckily the principle of duality from lattice theory tells us that this difference is only a cosmetic one.

$$(\forall l \in L' \subseteq L : v\,R\,l) \;\Rightarrow\; v\,R\,(\textstyle\bigsqcap L')$$

The second condition says that there is always a best property for describing a value. This is important for having to perform only one analysis (using the best property, i.e. the greatest lower bound of the candidates) instead of several analyses (one for each of the candidates).

The condition has two immediate consequences:

$$v\,R\,\top$$

$$v\,R\,l_1 \;\wedge\; v\,R\,l_2 \;\Rightarrow\; v\,R\,(l_1 \sqcap l_2)$$

Representation functions

An alternative approach to the use of a correctness relation $R : V \times L \to \{\mathit{true}, \mathit{false}\}$ between values and properties is to use a representation function:

$$\beta : V \to L$$

The idea is that β maps a value to the best property describing it. The correctness criterion for the analysis will then be formulated as follows:

$$\beta(v_1) \sqsubseteq l_1 \;\wedge\; p \vdash v_1 \leadsto v_2 \;\wedge\; p \vdash l_1 \triangleright l_2 \;\Rightarrow\; \beta(v_2) \sqsubseteq l_2$$

Thus the idea is that if the initial value $v_1$ is safely described by $l_1$ then the final value $v_2$ will be safely described by the result $l_2$ of the analysis.

Relations vs functions

We first show how to define a correctness relation $R_\beta$ from a given representation function β:

$$v\,R_\beta\,l \quad\text{iff}\quad \beta(v) \sqsubseteq l$$

Next we show how to define a representation function $\beta_R$ from a correctness relation R:

$$\beta_R(v) = \textstyle\bigsqcap\{l \mid v\,R\,l\}$$

A modest generalisation

We shall conclude this section by performing a modest generalisation of the development performed so far. A program p specifies how one value $v_1$ is transformed into another value $v_2$:

$$p \vdash v_1 \leadsto v_2$$

Here $v_1 \in V_1$ and $v_2 \in V_2$ and we shall subsequently refrain from imposing the condition that $V_1 = V_2$; thus we shall allow the programs to have different “argument” and “result” types – for example, this will be the case for most functional programs.

The analysis of p specifies how a property $l_1$ is transformed into a property $l_2$:

$$p \vdash l_1 \triangleright l_2$$

Here $l_1 \in L_1$ and $l_2 \in L_2$ and again we shall refrain from imposing the restriction that $L_1 = L_2$.

Turning to the correctness conditions we shall now assume that we have two correctness relations, one for $V_1$ and $L_1$ and one for $V_2$ and $L_2$:

$$R_1 : V_1 \times L_1 \to \{\mathit{true}, \mathit{false}\} \quad\text{generated by}\quad \beta_1 : V_1 \to L_1$$

$$R_2 : V_2 \times L_2 \to \{\mathit{true}, \mathit{false}\} \quad\text{generated by}\quad \beta_2 : V_2 \to L_2$$

Correctness of $f_p$ now amounts to

$$v_1\,R_1\,l_1 \;\wedge\; p \vdash v_1 \leadsto v_2 \;\Rightarrow\; v_2\,R_2\,f_p(l_1)$$

for all $v_1 \in V_1$, $v_2 \in V_2$ and $l_1 \in L_1$. Using the concept of logical relations (briefly mentioned above) this can be written as:

$$(p \vdash \cdot \leadsto \cdot)\,(R_1 \rightrightarrows R_2)\,f_p$$

To be precise, $\leadsto\,(R_1 \rightrightarrows R_2)\,f$ means that:

$$\forall v_1, v_2, l_1 : v_1 \leadsto v_2 \;\wedge\; v_1\,R_1\,l_1 \;\Rightarrow\; v_2\,R_2\,f(l_1)$$

Higher-order formulation.

The representation function β can be defined from the representation functions $\beta_1$ and $\beta_2$ and it will be denoted $\beta_1 \rightrightarrows \beta_2$:

$$(\beta_1 \rightrightarrows \beta_2)(\leadsto) = \lambda l_1.\ \textstyle\bigsqcup\{\beta_2(v_2) \mid \beta_1(v_1) \sqsubseteq l_1 \;\wedge\; v_1 \leadsto v_2\}$$

Consider the program plus with the semantics given by

$$\mathit{plus} \vdash (z_1, z_2) \leadsto z_1 + z_2$$

where $z_1, z_2 \in \mathbb{Z}$. A very precise analysis might use the complete lattices $(\mathcal{P}(\mathbb{Z}), \subseteq)$ and $(\mathcal{P}(\mathbb{Z} \times \mathbb{Z}), \subseteq)$ as follows:

$$f_{\mathit{plus}}(ZZ) = \{z_1 + z_2 \mid (z_1, z_2) \in ZZ\}$$

where $ZZ \subseteq \mathbb{Z} \times \mathbb{Z}$.

Consider now the correctness relations $R_{\mathbb{Z}}$ and $R_{\mathbb{Z} \times \mathbb{Z}}$ generated by the representation functions:

$$\beta_{\mathbb{Z}}(z) = \{z\}$$
$$\beta_{\mathbb{Z} \times \mathbb{Z}}(z_1, z_2) = \{(z_1, z_2)\}$$

The correctness of the analysis of plus can now be expressed by

$$\forall z_1, z_2, z, ZZ : \mathit{plus} \vdash (z_1, z_2) \leadsto z \;\wedge\; (z_1, z_2)\,R_{\mathbb{Z} \times \mathbb{Z}}\,ZZ \;\Rightarrow\; z\,R_{\mathbb{Z}}\,f_{\mathit{plus}}(ZZ)$$

or more succinctly

$$(\mathit{plus} \vdash \cdot \leadsto \cdot)\,(R_{\mathbb{Z} \times \mathbb{Z}} \rightrightarrows R_{\mathbb{Z}})\,f_{\mathit{plus}}$$

The representation function $\beta_{\mathbb{Z} \times \mathbb{Z}} \rightrightarrows \beta_{\mathbb{Z}}$ satisfies

$$(\beta_{\mathbb{Z} \times \mathbb{Z}} \rightrightarrows \beta_{\mathbb{Z}})(p \vdash \cdot \leadsto \cdot) = \lambda ZZ.\ \{z \mid (z_1, z_2) \in ZZ \;\wedge\; p \vdash (z_1, z_2) \leadsto z\}$$

so the correctness can also be expressed as $(\beta_{\mathbb{Z} \times \mathbb{Z}} \rightrightarrows \beta_{\mathbb{Z}})(\mathit{plus} \vdash \cdot \leadsto \cdot) \sqsubseteq f_{\mathit{plus}}$.

The above example illustrates how the abstract concepts can give a more succinct formulation of the correctness of the analysis. In the following we shall see several cases where we move freely between what we may call a “concrete” formulation of a property and an “abstract” formulation of the same property. And we shall see that the latter often will allow us to reuse general results so that we do not have to redevelop parts of the theory for each application considered.

Approximating fixed points

We shall now present a complete lattice that may be used for Array Bound Analysis, i.e. for determining if an array index is always within the bounds of the array – if this is the case then a number of run-time checks can be eliminated.

The lattice $(\mathbf{Interval}, \sqsubseteq)$ of intervals over $\mathbb{Z}$ may be described as follows. The elements are

$$\mathbf{Interval} = \{\bot\} \cup \{[z_1, z_2] \mid z_1 \le z_2,\ z_1 \in \mathbb{Z} \cup \{-\infty\},\ z_2 \in \mathbb{Z} \cup \{\infty\}\}$$

The ordering ≤ on $\mathbb{Z}$ is extended to an ordering on $\mathbb{Z}' = \mathbb{Z} \cup \{-\infty, \infty\}$ by setting $-\infty \le z$, $z \le \infty$, and $-\infty \le \infty$ (for all $z \in \mathbb{Z}$).

Intuitively, ⊥ denotes the empty interval and $[z_1, z_2]$ is the interval from $z_1$ to $z_2$ including the end points if they are in $\mathbb{Z}$.

We shall use int to range over elements of Interval.

Intuitively $\mathit{int}_1 \sqsubseteq \mathit{int}_2$ means that $\{z \mid z \in \mathit{int}_1\} \subseteq \{z \mid z \in \mathit{int}_2\}$

(Hasse diagram of part of the lattice; larger intervals are higher up:)

                        • [-∞,∞]
            • [-∞,1]                 • [-1,∞]
     • [-∞,0]           • [-2,2]            • [0,∞]
• [-∞,-1]      • [-2,1]      • [-1,2]           • [1,∞]
          • [-2,0]      • [-1,1]      • [0,2]
     • [-2,-1]     • [-1,0]     • [0,1]     • [1,2]
• [-2,-2]   • [-1,-1]   • [0,0]   • [1,1]   • [2,2]
                        • ⊥

To give a succinct definition of the partial ordering we define the infimum and supremum operations on intervals as follows:

$$\inf(\mathit{int}) = \begin{cases} \infty & \text{if } \mathit{int} = \bot \\ z_1 & \text{if } \mathit{int} = [z_1, z_2] \end{cases}$$

$$\sup(\mathit{int}) = \begin{cases} -\infty & \text{if } \mathit{int} = \bot \\ z_2 & \text{if } \mathit{int} = [z_1, z_2] \end{cases}$$

This allows us to define:

$$\mathit{int}_1 \sqsubseteq \mathit{int}_2 \quad\text{iff}\quad \inf(\mathit{int}_2) \le \inf(\mathit{int}_1) \;\wedge\; \sup(\mathit{int}_1) \le \sup(\mathit{int}_2)$$

Given a complete lattice $L = (L, \sqsubseteq, \sqcup, \sqcap, \bot, \top)$ the effect of a program, p, in transforming one property, $l_1$, into another, $l_2$, i.e. $p \vdash l_1 \triangleright l_2$, is normally given by an equation

$$f(l_1) = l_2$$

for a monotone function $f : L \to L$ dependent on the program p.

Note that the demand that f is monotone is very natural for program analysis; it merely says that if $l_1'$ describes at least the values that $l_1$ does then also $f(l_1')$ describes at least the values that $f(l_1)$ does.

For recursive or iterative program constructs we ideally want to obtain the least fixed point, lfp(f), as the result of a finite iterative process.

However, the iterative sequence $(f^n(\bot))_n$ need not eventually stabilise nor need its least upper bound necessarily equal lfp(f).

This might suggest considering the iterative sequence $(f^n(\top))_n$ and, even when it does not eventually stabilise, we can always terminate the iteration at an arbitrary point in time. While this is safe it turns out to be grossly imprecise in practice.

A fixed point of f is an element $l \in L$ such that $f(l) = l$ and we write

$$\mathrm{Fix}(f) = \{l \mid f(l) = l\}$$

for the set of fixed points.

The function f is reductive at l if and only if $f(l) \sqsubseteq l$ and we write

$$\mathrm{Red}(f) = \{l \mid f(l) \sqsubseteq l\}$$

for the set of elements upon which f is reductive; we shall say that f itself is reductive if $\mathrm{Red}(f) = L$.

Similarly, the function f is extensive at l if and only if $f(l) \sqsupseteq l$ and we write

$$\mathrm{Ext}(f) = \{l \mid f(l) \sqsupseteq l\}$$

for the set of elements upon which f is extensive; we shall say that f itself is extensive if $\mathrm{Ext}(f) = L$.

Since L is a complete lattice it is always the case that the set Fix(f) will have a greatest lower bound in L and we denote it by lfp(f); this is actually the least fixed point of f because Tarski’s Theorem ensures that:

$$\mathrm{lfp}(f) = \textstyle\bigsqcap \mathrm{Fix}(f) = \bigsqcap \mathrm{Red}(f) \in \mathrm{Fix}(f) \subseteq \mathrm{Red}(f)$$

Similarly, the set Fix(f) will have a least upper bound in L and we denote it by gfp(f); this is actually the greatest fixed point of f because Tarski’s Theorem ensures that:

$$\mathrm{gfp}(f) = \textstyle\bigsqcup \mathrm{Fix}(f) = \bigsqcup \mathrm{Ext}(f) \in \mathrm{Fix}(f) \subseteq \mathrm{Ext}(f)$$

In Denotational Semantics it is customary to iterate to the least fixed point by taking the least upper bound of the sequence $(f^n(\bot))_n$. However, we have not imposed any continuity requirements on f (e.g. that $f(\bigsqcup_n l_n) = \bigsqcup_n f(l_n)$ for all ascending chains $(l_n)_n$) and consequently we cannot be sure to actually reach the fixed point. In a similar way one could consider the greatest lower bound of the sequence $(f^n(\top))_n$. One can show that

$$f^n(\bot) \;\sqsubseteq\; \textstyle\bigsqcup_n f^n(\bot) \;\sqsubseteq\; \mathrm{lfp}(f) \;\sqsubseteq\; \mathrm{gfp}(f) \;\sqsubseteq\; \bigsqcap_n f^n(\top) \;\sqsubseteq\; f^n(\top)$$

indeed all inequalities (i.e. ⊑) can be strict (i.e. ≠).
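The relationships between Fix(f), Red(f), Ext(f), lfp(f) and gfp(f) stated above can be checked exhaustively on a small finite lattice. The following is an added Python example, not code from the slides or the book: it takes the powerset of {a, b, c} ordered by inclusion as the complete lattice and a constructed monotone function f, enumerates the three sets, and confirms Tarski's characterisation of lfp(f) as the greatest lower bound of Red(f) and of gfp(f) as the least upper bound of Ext(f). Because the lattice is finite, the iteration from ⊥ does reach lfp(f) here; the slides' point is that this is not guaranteed in general.

```python
from itertools import combinations

# Constructed finite complete lattice: the powerset of {a, b, c} ordered by inclusion.
ELEMS = ("a", "b", "c")
LATTICE = [frozenset(c) for r in range(len(ELEMS) + 1) for c in combinations(ELEMS, r)]
BOT, TOP = frozenset(), frozenset(ELEMS)

def f(x):
    """A monotone function on the lattice (constructed for this example):
       always produce a; produce b once a is present; keep c if it was there."""
    out = {"a"}
    if "a" in x:
        out.add("b")
    if "c" in x:
        out.add("c")
    return frozenset(out)

def is_monotone(g):
    return all(g(x) <= g(y) for x in LATTICE for y in LATTICE if x <= y)

def fix(g):   # Fix(g): the fixed points
    return [x for x in LATTICE if g(x) == x]

def red(g):   # Red(g): the elements at which g is reductive, g(x) ⊑ x
    return [x for x in LATTICE if g(x) <= x]

def ext(g):   # Ext(g): the elements at which g is extensive, g(x) ⊒ x
    return [x for x in LATTICE if x <= g(x)]

def glb(xs):  # ⨅ of a set of lattice elements (⊤ for the empty set)
    return frozenset.intersection(TOP, *xs)

def lub(xs):  # ⨆ of a set of lattice elements (⊥ for the empty set)
    return frozenset.union(BOT, *xs)

def lfp(g):   # Tarski: the glb of Fix(g) is itself the least fixed point
    return glb(fix(g))

def gfp(g):   # and the lub of Fix(g) is the greatest fixed point
    return lub(fix(g))

def kleene_chain(g, start):
    """The iterative sequence g^0(start), g^1(start), ... up to the first element that
       is mapped to itself.  On a finite lattice every monotone g stabilises."""
    chain = [start]
    while True:
        nxt = g(chain[-1])
        if nxt == chain[-1]:
            return chain
        chain.append(nxt)
```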


Widenings

Since we cannot guarantee that the iterative sequence $(f^n(\bot))_n$ eventually stabilises nor that its least upper bound necessarily equals lfp(f), we must consider another way of approximating lfp(f).

The idea is now to replace it by a new sequence $(f^n_\nabla)_n$ that is known to eventually stabilise and to do so with a value that is a safe (upper) approximation of the least fixed point. The construction of the new sequence is parameterised on the operator ∇, called a widening operator; the precision of the approximated fixed point as well as the cost of computing it depends on the actual choice of widening operator.

In preparation for the development, an operator $\tilde{\sqcup} : L \times L \to L$ on a complete lattice $L = (L, \sqsubseteq)$ is called an upper bound operator if

$$l_1 \sqsubseteq (l_1\,\tilde{\sqcup}\,l_2) \sqsupseteq l_2$$

for all $l_1, l_2 \in L$, i.e. it always returns an element larger than both its arguments. Note that we do not require $\tilde{\sqcup}$ to be monotone, commutative, associative, nor absorptive (i.e. that $l\,\tilde{\sqcup}\,l = l$).

Let $(l_n)_n$ be a sequence of elements of L and let $\phi : L \times L \to L$ be a total function on L. We shall now use φ to construct a new sequence $(l^\phi_n)_n$ defined by:

$$l^\phi_n = \begin{cases} l_n & \text{if } n = 0 \\ l^\phi_{n-1}\ \phi\ l_n & \text{if } n > 0 \end{cases}$$

The following result expresses that any sequence can be turned into an ascending chain by an upper bound operator:

If $(l_n)_n$ is a sequence and $\tilde{\sqcup}$ is an upper bound operator then $(l^{\tilde{\sqcup}}_n)_n$ is an ascending chain; furthermore $l^{\tilde{\sqcup}}_n \sqsupseteq \bigsqcup\{l_0, l_1, \cdots, l_n\}$ for all n.

Consider the complete lattice $(\mathbf{Interval}, \sqsubseteq)$ and let int be an arbitrary but fixed element of Interval. Consider the following operator $\tilde{\sqcup}^{\mathit{int}}$ defined on Interval:

$$\mathit{int}_1\ \tilde{\sqcup}^{\mathit{int}}\ \mathit{int}_2 = \begin{cases} \mathit{int}_1 \sqcup \mathit{int}_2 & \text{if } \mathit{int}_1 \sqsubseteq \mathit{int} \;\vee\; \mathit{int}_2 \sqsubseteq \mathit{int}_1 \\ [-\infty, \infty] & \text{otherwise} \end{cases}$$

Note that the operation is not symmetric: for $\mathit{int} = [0, 2]$ we e.g. have $[1, 2]\ \tilde{\sqcup}^{\mathit{int}}\ [2, 3] = [1, 3]$ whereas $[2, 3]\ \tilde{\sqcup}^{\mathit{int}}\ [1, 2] = [-\infty, \infty]$.

It is immediate that $\tilde{\sqcup}^{\mathit{int}}$ is an upper bound operator. Consider now the sequence:

$$[0, 0], [1, 1], [2, 2], [3, 3], [4, 4], [5, 5], \cdots$$

If $\mathit{int} = [0, \infty]$, then the upper bound operator will transform the above sequence into the ascending chain:

$$[0, 0], [0, 1], [0, 2], [0, 3], [0, 4], [0, 5], \cdots$$

However, if $\mathit{int} = [0, 2]$, then we will get the following ascending chain

$$[0, 0], [0, 1], [0, 2], [0, 3], [-\infty, \infty], [-\infty, \infty], \cdots$$

which eventually stabilises.
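As an added example (not code from the slides or the book), the following Python module implements the Interval lattice as defined on the preceding slides (inf, sup, the ordering ⊑, and the join ⊔), the upper bound operator ⊔̃^int, and the construction of the sequence (l_n^φ)_n from an arbitrary sequence. It reproduces the two ascending chains above for int = [0, ∞] and int = [0, 2], and also checks the upper-bound property on a sample of intervals. The representation of ⊥ as `None` and of [z1, z2] as a pair are this example's own choices.

```python
import math

INF = math.inf
BOT = None   # the empty interval ⊥; every other element is a pair (lo, hi) with lo <= hi

def inf(i):                     # inf(⊥) = ∞
    return INF if i is BOT else i[0]

def sup(i):                     # sup(⊥) = −∞
    return -INF if i is BOT else i[1]

def leq(i1, i2):
    """int1 ⊑ int2 iff inf(int2) <= inf(int1) and sup(int1) <= sup(int2)."""
    return inf(i2) <= inf(i1) and sup(i1) <= sup(i2)

def join(i1, i2):
    """Least upper bound ⊔: the smallest interval covering both arguments."""
    if i1 is BOT:
        return i2
    if i2 is BOT:
        return i1
    return (min(i1[0], i2[0]), max(i1[1], i2[1]))

def meet(i1, i2):
    """Greatest lower bound ⊓: the overlap, or ⊥ when the intervals do not overlap."""
    lo, hi = max(inf(i1), inf(i2)), min(sup(i1), sup(i2))
    return (lo, hi) if lo <= hi else BOT

def ub_int(int_, i1, i2):
    """The upper bound operator ⊔̃^int, parameterised by the fixed interval int_."""
    if leq(i1, int_) or leq(i2, i1):
        return join(i1, i2)
    return (-INF, INF)

def chain(op, seq):
    """l^op_0 = l_0 and l^op_n = l^op_{n-1} op l_n: the sequence (l_n^φ)_n of the slides."""
    out = [seq[0]]
    for l in seq[1:]:
        out.append(op(out[-1], l))
    return out

def is_upper_bound_operator(op, samples):
    """l1 ⊑ (l1 op l2) ⊒ l2 for every pair drawn from the sample."""
    return all(leq(a, op(a, b)) and leq(b, op(a, b)) for a in samples for b in samples)

def is_ascending(seq):
    return all(leq(a, b) for a, b in zip(seq, seq[1:]))

# Constructed input: the sequence [0,0], [1,1], ..., [5,5] from the slide.
SINGLETONS = [(n, n) for n in range(6)]
```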


We can now introduce a special class of upper bound operators that will help us to approximate the least fixed points: An operator $\nabla : L \times L \to L$ is a widening operator if and only if:

it is an upper bound operator, and
for all ascending chains $(l_n)_n$ the ascending chain $(l^\nabla_n)_n$ eventually stabilises.

The idea is as follows: Given a monotone function $f : L \to L$ on a complete lattice L and given a widening operator ∇ on L, we shall calculate the sequence $(f^n_\nabla)_n$ defined by

$$f^n_\nabla = \begin{cases} \bot & \text{if } n = 0 \\ f^{n-1}_\nabla & \text{if } n > 0 \;\wedge\; f(f^{n-1}_\nabla) \sqsubseteq f^{n-1}_\nabla \\ f^{n-1}_\nabla\ \nabla\ f(f^{n-1}_\nabla) & \text{otherwise} \end{cases}$$

For any upper bound operator:

(i) the sequence $(f^n_\nabla)_n$ is an ascending chain;
(ii) if $f(f^m_\nabla) \sqsubseteq f^m_\nabla$ for some m then the sequence $(f^n_\nabla)_n$ eventually stabilises and furthermore $\forall n > m : f^n_\nabla = f^m_\nabla$ and $\bigsqcup_n f^n_\nabla = f^m_\nabla$;
(iii) if $(f^n_\nabla)_n$ eventually stabilises then there exists an m such that $f(f^m_\nabla) \sqsubseteq f^m_\nabla$; and
(iv) if $(f^n_\nabla)_n$ eventually stabilises then $\bigsqcup_n f^n_\nabla \sqsupseteq \mathrm{lfp}(f)$.

Moreover, if ∇ is a widening operator then the ascending chain $(f^n_\nabla)_n$ eventually stabilises.

Consider the complete lattice $(\mathbf{Interval}, \sqsubseteq)$. Let K be a finite set of integers, e.g. the set of integers explicitly mentioned in a given program. We shall now define a widening operator $\nabla_K$ based on K. The idea is that $[z_1, z_2]\ \nabla_K\ [z_3, z_4]$ is something like

$$[\ \mathrm{LB}(z_1, z_3)\ ,\ \mathrm{UB}(z_2, z_4)\ ]$$

where $\mathrm{LB}(z_1, z_3) \in \{z_1\} \cup K \cup \{-\infty\}$ is the best possible lower bound and $\mathrm{UB}(z_2, z_4) \in \{z_2\} \cup K \cup \{\infty\}$ is the best possible upper bound. In this way a change in any of the bounds of the interval $[z_1, z_2]$ can only take place in a finite number of steps (corresponding to the elements of K).

For the precise definition we let $z_i \in \mathbb{Z}' = \mathbb{Z} \cup \{-\infty, \infty\}$ and write:

$$\mathrm{LB}_K(z_1, z_3) = \begin{cases} z_1 & \text{if } z_1 \le z_3 \\ k & \text{if } z_3 < z_1 \;\wedge\; k = \max\{k \in K \mid k \le z_3\} \\ -\infty & \text{if } z_3 < z_1 \;\wedge\; \forall k \in K : z_3 < k \end{cases}$$

$$\mathrm{UB}_K(z_2, z_4) = \begin{cases} z_2 & \text{if } z_4 \le z_2 \\ k & \text{if } z_2 < z_4 \;\wedge\; k = \min\{k \in K \mid z_4 \le k\} \\ \infty & \text{if } z_2 < z_4 \;\wedge\; \forall k \in K : k < z_4 \end{cases}$$

We can now define $\nabla = \nabla_K$ by:

$$\mathit{int}_1\ \nabla\ \mathit{int}_2 = \begin{cases} \bot & \text{if } \mathit{int}_1 = \mathit{int}_2 = \bot \\ [\ \mathrm{LB}_K(\inf(\mathit{int}_1), \inf(\mathit{int}_2)),\ \mathrm{UB}_K(\sup(\mathit{int}_1), \sup(\mathit{int}_2))\ ] & \text{otherwise} \end{cases}$$

As an example consider the ascending chain $(\mathit{int}_n)_n$:

$$[0, 1], [0, 2], [0, 3], [0, 4], [0, 5], [0, 6], [0, 7], \cdots$$

and assume that $K = \{3, 5\}$. Then $(\mathit{int}^\nabla_n)_n$ will be the chain

$$[0, 1], [0, 3], [0, 3], [0, 5], [0, 5], [0, \infty], [0, \infty], \cdots$$

Narrowings

Using the technique of widening we managed to arrive at an upper approximation $f^m_\nabla$ of the least fixed point of f.

However, we have $f(f^m_\nabla) \sqsubseteq f^m_\nabla$ so f is reductive at $f^m_\nabla$ and this immediately suggests a way of improving the approximation by considering the iterative sequence $(f^n(f^m_\nabla))_n$.

Since $f^m_\nabla \in \mathrm{Red}(f)$ this will be a descending chain with $f^n(f^m_\nabla) \in \mathrm{Red}(f)$ and hence $f^n(f^m_\nabla) \sqsupseteq \mathrm{lfp}(f)$ for all n.

Once again we have no reason to believe that this descending chain eventually stabilises although it is of course safe to stop at an arbitrary point.

An operator $\Delta : L \times L \to L$ is a narrowing operator if:

$l_2 \sqsubseteq l_1 \Rightarrow l_2 \sqsubseteq (l_1\,\Delta\,l_2) \sqsubseteq l_1$ for all $l_1, l_2 \in L$, and
for all descending chains $(l_n)_n$ the sequence $(l^\Delta_n)_n$ eventually stabilises.

Note that we do not require ∆ to be monotone, commutative, associative or absorptive. One can show that $(l^\Delta_n)_n$ is a descending chain when $(l_n)_n$ is a descending chain.

For $f^m_\nabla$ satisfying $f(f^m_\nabla) \sqsubseteq f^m_\nabla$, i.e. $\mathrm{lfp}_\nabla(f) = f^m_\nabla$, we now construct the sequence $([f]^n_\Delta)_n$ by

$$[f]^n_\Delta = \begin{cases} f^m_\nabla & \text{if } n = 0 \\ [f]^{n-1}_\Delta\ \Delta\ f([f]^{n-1}_\Delta) & \text{if } n > 0 \end{cases}$$

If ∆ is a narrowing operator and $f(f^m_\nabla) \sqsubseteq f^m_\nabla$ then $([f]^n_\Delta)_n$ is a descending chain in Red(f) and

$$[f]^n_\Delta \;\sqsupseteq\; f^n(f^m_\nabla) \;\sqsupseteq\; \mathrm{lfp}(f)$$

for all n.

If ∆ is a narrowing operator and $f(f^m_\nabla) \sqsubseteq f^m_\nabla$ then the descending chain $([f]^n_\Delta)_n$ eventually stabilises.

It is important to stress that narrowing operators are not the dual concept of widening operators. In particular, the sequence $(f^n_\nabla)_n$ may step outside Ext(f) in order to end in Red(f), whereas the sequence $([f]^n_\Delta)_n$ stays in Red(f) all the time.

Consider the complete lattice $(\mathbf{Interval}, \sqsubseteq)$. Basically there are two kinds of infinite descending chains in Interval: those with elements of the form $[-\infty, z]$ and those with elements of the form $[z, \infty]$ where $z \in \mathbb{Z}$. Consider an infinite sequence of the latter form; it will have elements

$$[z_1, \infty], [z_2, \infty], [z_3, \infty], \cdots$$

where $z_1 < z_2 < z_3 < \cdots$. The idea is now to define a narrowing operator $\Delta_N$ that will force the sequence to stabilise when $z_i \ge N$ for some fixed non-negative integer N. Similarly, for a descending chain with elements of the form $[-\infty, z_i]$ the narrowing operator will force it to stabilise when $z_i \le -N$.

Formally, we shall define $\Delta = \Delta_N$ by

$$\mathit{int}_1\ \Delta\ \mathit{int}_2 = \begin{cases} \bot & \text{if } \mathit{int}_1 = \bot \;\vee\; \mathit{int}_2 = \bot \\ [z_1, z_2] & \text{otherwise} \end{cases}$$

where

$$z_1 = \begin{cases} \inf(\mathit{int}_1) & \text{if } N < \inf(\mathit{int}_2) \;\wedge\; \sup(\mathit{int}_2) = \infty \\ \inf(\mathit{int}_2) & \text{otherwise} \end{cases}$$

$$z_2 = \begin{cases} \sup(\mathit{int}_1) & \text{if } \inf(\mathit{int}_2) = -\infty \;\wedge\; \sup(\mathit{int}_2) < -N \\ \sup(\mathit{int}_2) & \text{otherwise} \end{cases}$$

So consider e.g. the infinite descending chain $([n, \infty])_n$

$$[0, \infty], [1, \infty], [2, \infty], [3, \infty], [4, \infty], [5, \infty], \cdots$$

and assume that $N = 3$. Then the operator will give the sequence $([n, \infty]^\Delta)_n$:

$$[0, \infty], [1, \infty], [2, \infty], [3, \infty], [3, \infty], [3, \infty], \cdots$$
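The following added Python example (not code from the slides or the book) implements the widening operator ∇_K with LB_K and UB_K and the narrowing operator ∆_N exactly as defined on the preceding slides, reproduces the two chains shown (∇_K with K = {3, 5}, ∆_N with N = 3), and then runs the iteration sequences (f_∇^n)_n and ([f]_∆^n)_n of the widening and narrowing slides on a monotone transfer function. That transfer function, the loop it models (`i := 0; while i < 10 do i := i + 1`) and the choice K = {0, 1}, deliberately leaving out the bound 10 so that the widening overshoots and the narrowing has something to recover, are this example's own assumptions. With K = {0, 1, 10}, i.e. the constants actually mentioned in the loop, the widening reaches the least fixed point [0, 10] directly, and the test checks that as well.

```python
import math

INF = math.inf
BOT = None                                     # the empty interval ⊥

def inf(i):
    return INF if i is BOT else i[0]

def sup(i):
    return -INF if i is BOT else i[1]

def leq(i1, i2):                               # ⊑ on Interval
    return inf(i2) <= inf(i1) and sup(i1) <= sup(i2)

def join(i1, i2):                              # ⊔
    if i1 is BOT:
        return i2
    if i2 is BOT:
        return i1
    return (min(i1[0], i2[0]), max(i1[1], i2[1]))

def meet(i1, i2):                              # ⊓
    lo, hi = max(inf(i1), inf(i2)), min(sup(i1), sup(i2))
    return (lo, hi) if lo <= hi else BOT

def add(i1, i2):                               # interval addition; ⊥ absorbs
    if i1 is BOT or i2 is BOT:
        return BOT
    return (i1[0] + i2[0], i1[1] + i2[1])

# --- the widening operator ∇_K -------------------------------------------
def LB(K, z1, z3):
    """LB_K: keep z1 if it is already low enough, else fall back to the largest k in K below z3, else −∞."""
    if z1 <= z3:
        return z1
    below = [k for k in K if k <= z3]
    return max(below) if below else -INF

def UB(K, z2, z4):
    """UB_K: keep z2 if it is already high enough, else the smallest k in K above z4, else ∞."""
    if z4 <= z2:
        return z2
    above = [k for k in K if z4 <= k]
    return min(above) if above else INF

def widen(K, i1, i2):
    if i1 is BOT and i2 is BOT:
        return BOT
    return (LB(K, inf(i1), inf(i2)), UB(K, sup(i1), sup(i2)))

# --- the narrowing operator ∆_N ------------------------------------------
def narrow(N, i1, i2):
    if i1 is BOT or i2 is BOT:
        return BOT
    z1 = inf(i1) if N < inf(i2) and sup(i2) == INF else inf(i2)
    z2 = sup(i1) if inf(i2) == -INF and sup(i2) < -N else sup(i2)
    return (z1, z2)

def chain(op, seq):
    """l^op_0 = l_0 and l^op_n = l^op_{n-1} op l_n."""
    out = [seq[0]]
    for l in seq[1:]:
        out.append(op(out[-1], l))
    return out

# --- the iteration sequences (f_∇^n)_n and ([f]_∆^n)_n ------------------
def widening_sequence(f, wop):
    """f_∇^0 = ⊥; f_∇^n = f_∇^{n-1} if f(f_∇^{n-1}) ⊑ f_∇^{n-1}, else f_∇^{n-1} ∇ f(f_∇^{n-1}).
       Returns the chain up to and including the first element at which it stabilises."""
    seq = [BOT]
    while True:
        cur = seq[-1]
        if leq(f(cur), cur):
            return seq
        seq.append(wop(cur, f(cur)))

def narrowing_sequence(f, nop, start):
    """[f]_∆^0 = start (an element of Red(f)); [f]_∆^n = [f]_∆^{n-1} ∆ f([f]_∆^{n-1})."""
    seq = [start]
    while True:
        nxt = nop(seq[-1], f(seq[-1]))
        if nxt == seq[-1]:
            return seq
        seq.append(nxt)

# Constructed example: the loop  i := 0; while i < 10 do i := i + 1.
# The abstract transfer function for the value of i at the loop head is
#   f(X) = [0,0] ⊔ ((X ⊓ [-∞,9]) + [1,1]),   whose least fixed point is [0,10].
def loop_head(X):
    return join((0, 0), add(meet(X, (-INF, 9)), (1, 1)))
```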
Galois Connections


Galois connections

Sometimes calculations on a complete lattice L may be too costly or even uncomputable and this may motivate replacing L by a simpler lattice M. An example is when L is the powerset of integers and M is a lattice of intervals.

To express the relationship between L and M it is customary to use an abstraction function

$$\alpha : L \to M$$

and a concretisation function

$$\gamma : M \to L$$

We shall write

$$(L, \alpha, \gamma, M)$$

or depict it as a diagram with L on the left and M on the right, γ going from M to L and α going from L to M.

We define $(L, \alpha, \gamma, M)$ to be a Galois connection between the complete lattices $(L, \sqsubseteq)$ and $(M, \sqsubseteq)$ if and only if

$\alpha : L \to M$ and $\gamma : M \to L$ are monotone functions

that satisfy:

$$\gamma \circ \alpha \sqsupseteq \lambda l.\,l$$
$$\alpha \circ \gamma \sqsubseteq \lambda m.\,m$$

Let $\mathcal{P}(\mathbb{Z}) = (\mathcal{P}(\mathbb{Z}), \subseteq)$ be the complete lattice of sets of integers and let $\mathbf{Interval} = (\mathbf{Interval}, \sqsubseteq)$ be the complete lattice of intervals. We shall now define a Galois connection

$$(\mathcal{P}(\mathbb{Z}), \alpha_{ZI}, \gamma_{ZI}, \mathbf{Interval})$$

between $\mathcal{P}(\mathbb{Z})$ and Interval.

The concretisation function $\gamma_{ZI} : \mathbf{Interval} \to \mathcal{P}(\mathbb{Z})$ is defined by

$$\gamma_{ZI}(\mathit{int}) = \{z \in \mathbb{Z} \mid \inf(\mathit{int}) \le z \le \sup(\mathit{int})\}$$

Thus $\gamma_{ZI}$ will extract the set of elements described by the interval, e.g. $\gamma_{ZI}([0, 3]) = \{0, 1, 2, 3\}$ and $\gamma_{ZI}([0, \infty]) = \{z \in \mathbb{Z} \mid z \ge 0\}$.

The abstraction function $\alpha_{ZI} : \mathcal{P}(\mathbb{Z}) \to \mathbf{Interval}$ is defined by

$$\alpha_{ZI}(Z) = \begin{cases} \bot & \text{if } Z = \emptyset \\ [\inf'(Z), \sup'(Z)] & \text{otherwise} \end{cases}$$

where $\mathbb{Z}' = \mathbb{Z} \cup \{-\infty, \infty\}$ and $\inf'$ and $\sup'$ are the corresponding infimum and supremum operators. For example, $\inf'(\emptyset) = \infty$, $\inf'(Z) = z'$ if $z' \in Z$ is the least element of Z, and $\inf'(Z) = -\infty$ otherwise.

Thus $\alpha_{ZI}$ will determine the smallest interval that includes all the elements of the set, e.g. $\alpha_{ZI}(\{0, 1, 3\}) = [0, 3]$ and $\alpha_{ZI}(\{2 * z \mid z > 0\}) = [2, \infty]$.
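As an added example (not code from the slides or the book), the following Python code implements α_ZI and γ_ZI as defined above and checks, for every subset of a small window of integers against a sample of intervals, the adjunction characterisation α(Z) ⊑ int ⇔ Z ⊆ γ(int) that the slides use for Galois connections. It goes a little beyond the slide by also verifying, on bounded intervals, the round trip α_ZI(γ_ZI(int)) = int that the later slides use to show this connection is a Galois insertion. Because γ_ZI of an unbounded interval is infinite, the enumerated form takes a finite window as an argument; this window, the `None` encoding of ⊥, and all function names are assumptions of this example.

```python
import math
from itertools import chain, combinations

INF = math.inf
BOT = None                               # the interval ⊥, describing no integers

def inf(i):
    return INF if i is BOT else i[0]

def sup(i):
    return -INF if i is BOT else i[1]

def leq(i1, i2):                         # ⊑ on Interval
    return inf(i2) <= inf(i1) and sup(i1) <= sup(i2)

def alpha_ZI(Z):
    """α_ZI(Z) = ⊥ if Z = ∅, otherwise [inf'(Z), sup'(Z)]: the smallest interval containing Z."""
    Z = set(Z)
    return BOT if not Z else (min(Z), max(Z))

def describes(i, z):
    """Exact membership test z ∈ γ_ZI(int); needs no finite window."""
    return inf(i) <= z <= sup(i)

def gamma_ZI(i, universe):
    """γ_ZI(int) = {z ∈ Z | inf(int) <= z <= sup(int)}, enumerated over a finite window
       'universe' (an assumption of this example, since the true set may be infinite)."""
    return {z for z in universe if describes(i, z)}

def adjunction_holds(Z, i):
    """α(Z) ⊑ int  ⇔  Z ⊆ γ(int): the adjunction form of the Galois connection."""
    lhs = leq(alpha_ZI(Z), i)
    rhs = all(describes(i, z) for z in Z)
    return lhs == rhs

def check_all_pairs(window, intervals):
    """Verify the adjunction for every subset of 'window' against every interval given."""
    subsets = chain.from_iterable(combinations(window, r) for r in range(len(window) + 1))
    return all(adjunction_holds(Z, i) for Z in subsets for i in intervals)

def round_trip_is_identity(i, window):
    """α_ZI ∘ γ_ZI = id, checked for an interval whose concretisation fits inside the window."""
    return alpha_ZI(gamma_ZI(i, window)) == i
```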


Adjunctions

We define $(L, \alpha, \gamma, M)$ to be an adjunction between complete lattices $L = (L, \sqsubseteq)$ and $M = (M, \sqsubseteq)$ if and only if

$\alpha : L \to M$ and $\gamma : M \to L$ are total functions

that satisfy

$$\alpha(l) \sqsubseteq m \;\Leftrightarrow\; l \sqsubseteq \gamma(m)$$

for all $l \in L$ and $m \in M$.

Extraction functions

We shall now see that representation functions can be used to define Galois connections. So consider once again the representation function $\beta : V \to L$ mapping the values of V to the properties of the complete lattice L. It gives rise to a Galois connection

$$(\mathcal{P}(V), \alpha, \gamma, L)$$

between $\mathcal{P}(V)$ and L where the abstraction and concretisation functions are defined by

$$\alpha(V') = \textstyle\bigsqcup\{\beta(v) \mid v \in V'\}$$
$$\gamma(l) = \{v \in V \mid \beta(v) \sqsubseteq l\}$$

for $V' \subseteq V$ and $l \in L$.

Let us pause for a minute to see that this indeed defines an adjunction:

$$\begin{aligned} \alpha(V') \sqsubseteq l &\;\Leftrightarrow\; \textstyle\bigsqcup\{\beta(v) \mid v \in V'\} \sqsubseteq l \\ &\;\Leftrightarrow\; \forall v \in V' : \beta(v) \sqsubseteq l \\ &\;\Leftrightarrow\; V' \subseteq \gamma(l) \end{aligned}$$

It is also immediate that $\alpha(\{v\}) = \beta(v)$, as illustrated by the (commuting) diagram with $\mathcal{P}(V)$ and L on top, connected by γ and α, and V below them, mapped into $\mathcal{P}(V)$ by $\{\cdot\}$ and into L by β.

A special case of the above construction that is frequently useful is when $L = (\mathcal{P}(D), \subseteq)$ for some set D and we have an extraction function:

$$\eta : V \to D$$

We will then define the representation function $\beta_\eta : V \to \mathcal{P}(D)$ by $\beta_\eta(v) = \{\eta(v)\}$ and the Galois connection between $\mathcal{P}(V)$ and $\mathcal{P}(D)$ will now be written

$$(\mathcal{P}(V), \alpha_\eta, \gamma_\eta, \mathcal{P}(D))$$

where

$$\alpha_\eta(V') = \textstyle\bigcup\{\beta_\eta(v) \mid v \in V'\} = \{\eta(v) \mid v \in V'\}$$
$$\gamma_\eta(D') = \{v \in V \mid \beta_\eta(v) \subseteq D'\} = \{v \mid \eta(v) \in D'\}$$

The relationship between η, $\beta_\eta$, $\alpha_\eta$ and $\gamma_\eta$ is illustrated by the diagram with $\mathcal{P}(V)$ and $\mathcal{P}(D)$ on top (connected by $\gamma_\eta$ and $\alpha_\eta$), V and D below (connected by η), the vertical arrows $\{\cdot\}$ from V to $\mathcal{P}(V)$ and from D to $\mathcal{P}(D)$, and the diagonal $\beta_\eta$ from V to $\mathcal{P}(D)$.

Let us consider the two complete lattices $(\mathcal{P}(\mathbb{Z}), \subseteq)$ and $(\mathcal{P}(\mathbf{Sign}), \subseteq)$ where $\mathbf{Sign} = \{-, 0, +\}$.

(Hasse diagram of $\mathcal{P}(\mathbf{Sign})$:)

            • {-, 0, +}
    • {-,0}    • {-,+}    • {0,+}
     • {-}      • {0}      • {+}
            • ∅

The extraction function

$$\mathit{sign} : \mathbb{Z} \to \mathbf{Sign}$$

simply defines the signs of the integers and is specified by:

$$\mathit{sign}(z) = \begin{cases} - & \text{if } z < 0 \\ 0 & \text{if } z = 0 \\ + & \text{if } z > 0 \end{cases}$$

The above construction then gives us a Galois connection

$$(\mathcal{P}(\mathbb{Z}), \alpha_{\mathit{sign}}, \gamma_{\mathit{sign}}, \mathcal{P}(\mathbf{Sign}))$$

with

$$\alpha_{\mathit{sign}}(Z) = \{\mathit{sign}(z) \mid z \in Z\}$$
$$\gamma_{\mathit{sign}}(S) = \{z \in \mathbb{Z} \mid \mathit{sign}(z) \in S\}$$

where $Z \subseteq \mathbb{Z}$ and $S \subseteq \mathbf{Sign}$.

Properties of Galois Connections

If $(L, \alpha, \gamma, M)$ is a Galois connection then:

(i) α uniquely determines γ by $\gamma(m) = \bigsqcup\{l \mid \alpha(l) \sqsubseteq m\}$ and γ uniquely determines α by $\alpha(l) = \bigsqcap\{m \mid l \sqsubseteq \gamma(m)\}$.
(ii) α is completely additive and γ is completely multiplicative. In particular $\alpha(\bot) = \bot$ and $\gamma(\top) = \top$.

If $(L, \alpha, \gamma, M)$ is a Galois connection then $\alpha \circ \gamma \circ \alpha = \alpha$ and $\gamma \circ \alpha \circ \gamma = \gamma$.

If there is a Galois connection $(L, \alpha, \gamma, M)$ between L and M then we can construct a correctness relation between V and M and a representation function from V to M.

Let us first focus on the correctness relation. So let $R : V \times L \to \{\mathit{true}, \mathit{false}\}$ be a correctness relation. Further let $(L, \alpha, \gamma, M)$ be a Galois connection between the complete lattices L and M. It is then natural to define $S : V \times M \to \{\mathit{true}, \mathit{false}\}$ by

$$v\,S\,m \quad\text{iff}\quad v\,R\,(\gamma(m))$$

Continuing the above line of reasoning assume now that R is generated by the representation function $\beta : V \to L$, i.e. $v\,R\,l \Leftrightarrow \beta(v) \sqsubseteq l$. Since $(L, \alpha, \gamma, M)$ is a Galois connection and hence an adjunction we may calculate

$$\begin{aligned} v\,S\,m &\;\Leftrightarrow\; v\,R\,(\gamma(m)) \\ &\;\Leftrightarrow\; \beta(v) \sqsubseteq \gamma(m) \\ &\;\Leftrightarrow\; (\alpha \circ \beta)(v) \sqsubseteq m \end{aligned}$$

showing that S is generated by $\alpha \circ \beta : V \to M$.

Galois insertions

For a Galois connection $(L, \alpha, \gamma, M)$ there may be several elements of M that describe the same element of L, i.e. γ need not be injective, and this means that M may contain elements that are not relevant for the approximation of L.

The concept of Galois insertion is intended to rectify this: $(L, \alpha, \gamma, M)$ is a Galois insertion between the complete lattices $L = (L, \sqsubseteq)$ and $M = (M, \sqsubseteq)$ if and only if

$\alpha : L \to M$ and $\gamma : M \to L$ are monotone functions

that satisfy:

$$\gamma \circ \alpha \sqsupseteq \lambda l.\,l$$
$$\alpha \circ \gamma = \lambda m.\,m$$

Returning to our earlier example,

$$(\mathcal{P}(\mathbb{Z}), \alpha_{ZI}, \gamma_{ZI}, \mathbf{Interval})$$

is indeed a Galois insertion: we start with an interval, use $\gamma_{ZI}$ to determine the set of integers it describes and next use $\alpha_{ZI}$ to determine the smallest interval containing this set, and we get exactly the same interval as we started with.

For a Galois connection $(L, \alpha, \gamma, M)$ the following claims are equivalent:

(i) $(L, \alpha, \gamma, M)$ is a Galois insertion;
(ii) α is surjective: $\forall m \in M : \exists l \in L : \alpha(l) = m$;
(iii) γ is injective: $\forall m_1, m_2 \in M : \gamma(m_1) = \gamma(m_2) \Rightarrow m_1 = m_2$; and
(iv) γ is an order-similarity: $\forall m_1, m_2 \in M : \gamma(m_1) \sqsubseteq \gamma(m_2) \Leftrightarrow m_1 \sqsubseteq m_2$.

Consider the complete lattices $(\mathcal{P}(\mathbb{Z}), \subseteq)$ and $(\mathcal{P}(\mathbf{Sign} \times \mathbf{Parity}), \subseteq)$ where $\mathbf{Sign} = \{-, 0, +\}$ as before and $\mathbf{Parity} = \{\mathit{odd}, \mathit{even}\}$. Define the extraction function $\mathit{signparity} : \mathbb{Z} \to \mathbf{Sign} \times \mathbf{Parity}$ by:

$$\mathit{signparity}(z) = \begin{cases} (\mathit{sign}(z), \mathit{odd}) & \text{if } z \text{ is odd} \\ (\mathit{sign}(z), \mathit{even}) & \text{if } z \text{ is even} \end{cases}$$

This gives rise to a Galois connection $(\mathcal{P}(\mathbb{Z}), \alpha_{\mathit{signparity}}, \gamma_{\mathit{signparity}}, \mathcal{P}(\mathbf{Sign} \times \mathbf{Parity}))$. The property $(0, \mathit{odd})$ describes no integers so clearly signparity is not surjective and we have an example of a Galois connection that is not a Galois insertion.

Construction of Galois insertions

Given a Galois connection $(L, \alpha, \gamma, M)$ it is always possible to obtain a Galois insertion by enforcing that the concretisation function γ is injective. Basically, this amounts to removing elements from the complete lattice M using a reduction operator, $\varsigma : M \to M$, defined from the Galois connection.

Let $(L, \alpha, \gamma, M)$ be a Galois connection and define the reduction operator $\varsigma : M \to M$ by

$$\varsigma(m) = \textstyle\bigsqcap\{m' \mid \gamma(m) = \gamma(m')\}$$

Then $\varsigma[M] = (\{\varsigma(m) \mid m \in M\}, \sqsubseteq_M)$ is a complete lattice and $(L, \alpha, \gamma, \varsigma[M])$ is a Galois insertion.

APPSEM II Summer School, 12 September 2005, Frauenchiemsee – p.75/116
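The signparity connection and the reduction operator above, worked through by brute force. This is an added example, not code from the slides or the book; a finite window of integers stands in for Z (an assumption that keeps the enumeration finite), and the helper names are my own.

```python
from itertools import product

# Added example, not from the original slides: a Galois connection specified by
# an extraction function, checked by brute force.  A finite window of integers
# stands in for Z (assumption, so that every set can be enumerated).
WINDOW = tuple(range(-3, 4))

def sign(z):
    return '-' if z < 0 else ('0' if z == 0 else '+')

def signparity(z):
    """The extraction function signparity : Z -> Sign x Parity from the slides."""
    return (sign(z), 'odd' if z % 2 else 'even')

SIGNPARITY = frozenset(product(('-', '0', '+'), ('odd', 'even')))

def subsets(xs):
    """All subsets of a finite set, as frozensets."""
    xs = list(xs)
    for mask in range(1 << len(xs)):
        yield frozenset(x for i, x in enumerate(xs) if mask >> i & 1)

def alpha(eta, V):
    """Abstraction induced by eta: alpha(V) = {eta(v) | v in V}."""
    return frozenset(eta(v) for v in V)

def gamma(eta, D, universe=WINDOW):
    """Concretisation induced by eta: gamma(D) = {v | eta(v) in D}, within the window."""
    return frozenset(v for v in universe if eta(v) in D)

def is_galois_connection(eta, D_all, universe=WINDOW):
    """alpha(gamma(D)) ⊆ D for every D, and V ⊆ gamma(alpha(V)) for every V."""
    return (all(alpha(eta, gamma(eta, D, universe)) <= D for D in subsets(D_all)) and
            all(V <= gamma(eta, alpha(eta, V), universe) for V in subsets(universe)))

def unrealisable(eta, D_all, universe=WINDOW):
    """Properties no value maps to.  A non-empty result means alpha is not
    surjective, so we have a Galois connection that is not a Galois insertion."""
    return frozenset(d for d in D_all if not gamma(eta, {d}, universe))

def reduce_(eta, D, D_all, universe=WINDOW):
    """The reduction operator computed literally as the meet (here: intersection)
    of all D' with gamma(D') = gamma(D); it strips the unrealisable properties."""
    target = gamma(eta, D, universe)
    result = frozenset(D_all)
    for Dp in subsets(D_all):
        if gamma(eta, Dp, universe) == target:
            result &= Dp
    return result
```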

Systematic design of Galois connections

When developing a program analysis it is often useful to do so in stages: The starting point will typically be a complete lattice $(L_0, \sqsubseteq)$ fairly closely related to the semantics; an example is $(\mathcal{P}(V), \subseteq)$. We may then decide to use a more approximate set of properties and introduce the complete lattice $(L_1, \sqsubseteq)$ related to $L_0$ by a Galois connection $(L_0, \alpha_1, \gamma_1, L_1)$. This step can then be repeated any number of times: we replace one complete lattice $L_i$ of properties with a more approximate complete lattice $(L_{i+1}, \sqsubseteq)$ related to $L_i$ by a Galois connection $(L_i, \alpha_{i+1}, \gamma_{i+1}, L_{i+1})$. So the situation can be depicted as follows:

$$L_0 \;\underset{\alpha_1}{\overset{\gamma_1}{\leftrightarrows}}\; L_1 \;\underset{\alpha_2}{\overset{\gamma_2}{\leftrightarrows}}\; L_2 \;\underset{\alpha_3}{\overset{\gamma_3}{\leftrightarrows}}\; \cdots \;\underset{\alpha_k}{\overset{\gamma_k}{\leftrightarrows}}\; L_k$$
One of the components in the Array Bound Analysis is concerned with approximating the difference in magnitude between two numbers (typically the bound and the index). We shall proceed in two stages: First we shall approximate pairs $(z_1, z_2)$ of integers by their difference in magnitude $|z_1| - |z_2|$, and next we shall further approximate this difference using a finite lattice. The two Galois connections will be defined by extraction functions and they will then be combined by taking their functional composition.

The first stage is specified by the Galois connection

$$(\mathcal{P}(\mathbb{Z} \times \mathbb{Z}), \alpha_{\mathit{diff}}, \gamma_{\mathit{diff}}, \mathcal{P}(\mathbb{Z}))$$

where $\mathit{diff} : \mathbb{Z} \times \mathbb{Z} \to \mathbb{Z}$ is the extraction function calculating the difference in magnitude:

$$\mathit{diff}(z_1, z_2) = |z_1| - |z_2|$$

The abstraction and concretisation functions $\alpha_{\mathit{diff}}$ and $\gamma_{\mathit{diff}}$ will then be

$$\alpha_{\mathit{diff}}(ZZ) = \{ |z_1| - |z_2| \mid (z_1, z_2) \in ZZ \}$$

$$\gamma_{\mathit{diff}}(Z) = \{ (z_1, z_2) \mid |z_1| - |z_2| \in Z \}$$

for $ZZ \subseteq \mathbb{Z} \times \mathbb{Z}$ and $Z \subseteq \mathbb{Z}$.
The second stage is specified by the Galois connection

$$(\mathcal{P}(\mathbb{Z}), \alpha_{\mathit{range}}, \gamma_{\mathit{range}}, \mathcal{P}(\mathbf{Range}))$$

where Range = {<-1, -1, 0, +1, >+1}. The extraction function range : Z → Range clarifies the meaning of the elements of Range:

$$\mathit{range}(z) = \begin{cases} \mathtt{<\!-1} & \text{if } z < -1 \\ \mathtt{-1} & \text{if } z = -1 \\ \mathtt{0} & \text{if } z = 0 \\ \mathtt{+1} & \text{if } z = 1 \\ \mathtt{>\!+1} & \text{if } z > 1 \end{cases}$$

The abstraction and concretisation functions $\alpha_{\mathit{range}}$ and $\gamma_{\mathit{range}}$ will then be

$$\alpha_{\mathit{range}}(Z) = \{ \mathit{range}(z) \mid z \in Z \}$$

$$\gamma_{\mathit{range}}(R) = \{ z \mid \mathit{range}(z) \in R \}$$

for $Z \subseteq \mathbb{Z}$ and $R \subseteq \mathbf{Range}$.

We then have that the functional composition

$$(\mathcal{P}(\mathbb{Z} \times \mathbb{Z}), \alpha_R, \gamma_R, \mathcal{P}(\mathbf{Range}))$$

where $\alpha_R = \alpha_{\mathit{range}} \circ \alpha_{\mathit{diff}}$ and $\gamma_R = \gamma_{\mathit{diff}} \circ \gamma_{\mathit{range}}$, is a Galois connection. We obtain the following formulae for the abstraction and concretisation functions:

$$\alpha_R(ZZ) = \{ \mathit{range}(|z_1| - |z_2|) \mid (z_1, z_2) \in ZZ \}$$

$$\gamma_R(R) = \{ (z_1, z_2) \mid \mathit{range}(|z_1| - |z_2|) \in R \}$$

This is the Galois connection specified by the extraction function $\mathit{range} \circ \mathit{diff} : \mathbb{Z} \times \mathbb{Z} \to \mathbf{Range}$.

The final act

A catalogue

The first techniques we shall consider are applicable when we have several analyses of individual components of a structure and we want to combine them into a single analysis.

We shall then look at constructions for function spaces.

Finally, we shall present techniques for combining several analyses of the same structure.

Independent Attribute Method

Let $(L_1, \alpha_1, \gamma_1, M_1)$ and $(L_2, \alpha_2, \gamma_2, M_2)$ be Galois connections. The independent attribute method will then give rise to a Galois connection

$$(L_1 \times L_2, \alpha, \gamma, M_1 \times M_2)$$

where:

$$\alpha(l_1, l_2) = (\alpha_1(l_1), \alpha_2(l_2))$$

$$\gamma(m_1, m_2) = (\gamma_1(m_1), \gamma_2(m_2))$$

The Array Bound Analysis will contain a component that performs a Detection of Signs Analysis on pairs of integers. As a starting point, we take the Galois connection

$$(\mathcal{P}(\mathbb{Z}), \alpha_{\mathit{sign}}, \gamma_{\mathit{sign}}, \mathcal{P}(\mathbf{Sign}))$$

specified by the extraction function sign.

It can be used to analyse both components of a pair of integers, so using the independent attribute method we will get a Galois connection

$$(\mathcal{P}(\mathbb{Z}) \times \mathcal{P}(\mathbb{Z}), \alpha_{SS}, \gamma_{SS}, \mathcal{P}(\mathbf{Sign}) \times \mathcal{P}(\mathbf{Sign}))$$

where $\alpha_{SS}$ and $\gamma_{SS}$ are given by

$$\alpha_{SS}(Z_1, Z_2) = (\{ \mathit{sign}(z) \mid z \in Z_1 \}, \{ \mathit{sign}(z) \mid z \in Z_2 \})$$

$$\gamma_{SS}(S_1, S_2) = (\{ z \mid \mathit{sign}(z) \in S_1 \}, \{ z \mid \mathit{sign}(z) \in S_2 \})$$

where $Z_i \subseteq \mathbb{Z}$ and $S_i \subseteq \mathbf{Sign}$.

In general the independent attribute method often leads to imprecision. An expression like (x,-x) in the source language may have a value in $\{(z, -z) \mid z \in \mathbb{Z}\}$, but in the present setting where we use $\mathcal{P}(\mathbb{Z}) \times \mathcal{P}(\mathbb{Z})$ to represent sets of pairs of integers we cannot do better than representing $\{(z, -z) \mid z \in \mathbb{Z}\}$ by $(\mathbb{Z}, \mathbb{Z})$, and hence the best property describing it will be $\alpha_{SS}(\mathbb{Z}, \mathbb{Z}) = (\{-, 0, +\}, \{-, 0, +\})$. Thus we lose all information about the relative signs of the two components.

The Relational method

Let $(\mathcal{P}(V_1), \alpha_1, \gamma_1, \mathcal{P}(D_1))$ and $(\mathcal{P}(V_2), \alpha_2, \gamma_2, \mathcal{P}(D_2))$ be Galois connections. The relational method will give rise to the Galois connection

$$(\mathcal{P}(V_1 \times V_2), \alpha, \gamma, \mathcal{P}(D_1 \times D_2))$$

where

$$\alpha(VV) = \bigcup \{ \alpha_1(\{v_1\}) \times \alpha_2(\{v_2\}) \mid (v_1, v_2) \in VV \}$$

$$\gamma(DD) = \{ (v_1, v_2) \mid \alpha_1(\{v_1\}) \times \alpha_2(\{v_2\}) \subseteq DD \}$$

where $VV \subseteq V_1 \times V_2$ and $DD \subseteq D_1 \times D_2$.

It is instructive to see how the relational method is simplified if the Galois connections $(\mathcal{P}(V_i), \alpha_i, \gamma_i, \mathcal{P}(D_i))$ are given by extraction functions $\eta_i : V_i \to D_i$, i.e. if $\alpha_i(V_i') = \{ \eta_i(v_i) \mid v_i \in V_i' \}$ and $\gamma_i(D_i') = \{ v_i \mid \eta_i(v_i) \in D_i' \}$. We then have

$$\alpha(VV) = \{ (\eta_1(v_1), \eta_2(v_2)) \mid (v_1, v_2) \in VV \}$$

$$\gamma(DD) = \{ (v_1, v_2) \mid (\eta_1(v_1), \eta_2(v_2)) \in DD \}$$

which can also be obtained directly from the extraction function $\eta : V_1 \times V_2 \to D_1 \times D_2$ defined by $\eta(v_1, v_2) = (\eta_1(v_1), \eta_2(v_2))$.

The relational method can be used to construct a more precise analysis. We will now get a Galois connection

$$(\mathcal{P}(\mathbb{Z} \times \mathbb{Z}), \alpha_{SS'}, \gamma_{SS'}, \mathcal{P}(\mathbf{Sign} \times \mathbf{Sign}))$$

where $\alpha_{SS'}$ and $\gamma_{SS'}$ are given by

$$\alpha_{SS'}(ZZ) = \{ (\mathit{sign}(z_1), \mathit{sign}(z_2)) \mid (z_1, z_2) \in ZZ \}$$

$$\gamma_{SS'}(SS) = \{ (z_1, z_2) \mid (\mathit{sign}(z_1), \mathit{sign}(z_2)) \in SS \}$$

where $ZZ \subseteq \mathbb{Z} \times \mathbb{Z}$ and $SS \subseteq \mathbf{Sign} \times \mathbf{Sign}$. This corresponds to using an extraction function $\mathit{twosigns}' : \mathbb{Z} \times \mathbb{Z} \to \mathbf{Sign} \times \mathbf{Sign}$ given by $\mathit{twosigns}'(z_1, z_2) = (\mathit{sign}(z_1), \mathit{sign}(z_2))$.

Once again consider the expression (x,-x) in the source language that has a value in $\{(z, -z) \mid z \in \mathbb{Z}\}$. In the present setting $\{(z, -z) \mid z \in \mathbb{Z}\}$ is an element of $\mathcal{P}(\mathbb{Z} \times \mathbb{Z})$ and it is described by the set $\alpha_{SS'}(\{(z, -z) \mid z \in \mathbb{Z}\}) = \{(-, +), (0, 0), (+, -)\}$ of $\mathcal{P}(\mathbf{Sign} \times \mathbf{Sign})$. Hence the information about the relative signs of the two components is preserved.
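The (x,-x) comparison of the independent attribute method against the relational method, as an added example (my code, not the slides' or the book's). A finite window stands in for Z and the function names are my own.

```python
from itertools import product

# Added example, not from the original slides: the independent attribute method
# (alpha_SS on P(Z) x P(Z)) beside the relational method (alpha_SS' on P(Z x Z)),
# applied to the value set of (x,-x).  A finite window stands in for Z (assumption).
WINDOW = tuple(range(-3, 4))
SIGN = ('-', '0', '+')

def sign(z):
    return '-' if z < 0 else ('0' if z == 0 else '+')

def alpha_ss(Z1, Z2):
    """Independent attribute method: each component is abstracted on its own."""
    return (frozenset(sign(z) for z in Z1), frozenset(sign(z) for z in Z2))

def gamma_ss(S1, S2, universe=WINDOW):
    return (frozenset(z for z in universe if sign(z) in S1),
            frozenset(z for z in universe if sign(z) in S2))

def alpha_ss_prime(ZZ):
    """Relational method: the extraction function twosigns'(z1, z2) = (sign(z1), sign(z2))."""
    return frozenset((sign(z1), sign(z2)) for z1, z2 in ZZ)

def gamma_ss_prime(SS, universe=WINDOW):
    return frozenset((z1, z2) for z1, z2 in product(universe, universe)
                     if (sign(z1), sign(z2)) in SS)

def project(ZZ):
    """Best representation of a set of pairs in P(Z) x P(Z): its two projections."""
    return (frozenset(z1 for z1, _ in ZZ), frozenset(z2 for _, z2 in ZZ))

def analyse_negation(universe=WINDOW):
    """Describe {(z, -z) | z in Z} both ways; return the pairs each description admits."""
    ZZ = frozenset((z, -z) for z in universe)
    S1, S2 = alpha_ss(*project(ZZ))
    Z1, Z2 = gamma_ss(S1, S2, universe)
    independent = frozenset(product(Z1, Z2))   # every combination: the relation is lost
    relational = gamma_ss_prime(alpha_ss_prime(ZZ), universe)
    return independent, relational
```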

Total function space

Let (L, α, γ, M) be a Galois connection and let S be a set. Then we obtain a Galois connection

$$(S \to L, \alpha', \gamma', S \to M)$$

by taking

$$\alpha'(f) = \alpha \circ f$$

$$\gamma'(g) = \gamma \circ g$$

(Diagram: $\alpha'(f) : S \to M$ is obtained by following $f : S \to L$ with $\alpha : L \to M$, and $\gamma'(g) : S \to L$ by following $g : S \to M$ with $\gamma : M \to L$.)

Monotone function space

Let $(L_1, \alpha_1, \gamma_1, M_1)$ and $(L_2, \alpha_2, \gamma_2, M_2)$ be Galois connections. Then we obtain the Galois connection $(L_1 \to L_2, \alpha, \gamma, M_1 \to M_2)$ by taking

$$\alpha(f) = \alpha_2 \circ f \circ \gamma_1$$

$$\gamma(g) = \gamma_2 \circ g \circ \alpha_1$$

(Diagram: $\alpha(f) : M_1 \to M_2$ is the path $M_1 \xrightarrow{\gamma_1} L_1 \xrightarrow{f} L_2 \xrightarrow{\alpha_2} M_2$, and $\gamma(g) : L_1 \to L_2$ is the path $L_1 \xrightarrow{\alpha_1} M_1 \xrightarrow{g} M_2 \xrightarrow{\gamma_2} L_2$.)

So far our constructions have shown how to combine Galois connections dealing with individual components of the data into Galois connections dealing with composite data. We shall now show how two analyses dealing with the same data can be combined into one analysis; this amounts to performing two analyses in parallel. We shall consider two variants of this analysis, one "corresponding" to the independent attribute method and one "corresponding" to the relational method.


Direct product

Let $(L, \alpha_1, \gamma_1, M_1)$ and $(L, \alpha_2, \gamma_2, M_2)$ be Galois connections. The direct product of the two Galois connections will be the Galois connection

$$(L, \alpha, \gamma, M_1 \times M_2)$$

where α and γ are given by:

$$\alpha(l) = (\alpha_1(l), \alpha_2(l))$$

$$\gamma(m_1, m_2) = \gamma_1(m_1) \sqcap \gamma_2(m_2)$$

Let us consider how this construction can be used to combine the detection of signs analysis for pairs of integers with the analysis of difference in magnitude. We get the Galois connection

$$(\mathcal{P}(\mathbb{Z} \times \mathbb{Z}), \alpha_{SSR}, \gamma_{SSR}, \mathcal{P}(\mathbf{Sign} \times \mathbf{Sign}) \times \mathcal{P}(\mathbf{Range}))$$

where $\alpha_{SSR}$ and $\gamma_{SSR}$ are given by:

$$\alpha_{SSR}(ZZ) = (\{ (\mathit{sign}(z_1), \mathit{sign}(z_2)) \mid (z_1, z_2) \in ZZ \},\ \{ \mathit{range}(|z_1| - |z_2|) \mid (z_1, z_2) \in ZZ \})$$

$$\gamma_{SSR}(SS, R) = \{ (z_1, z_2) \mid (\mathit{sign}(z_1), \mathit{sign}(z_2)) \in SS \} \cap \{ (z_1, z_2) \mid \mathit{range}(|z_1| - |z_2|) \in R \}$$

Note that the expression (x, 3*x) in the source language has a value in $\{(z, 3 * z) \mid z \in \mathbb{Z}\}$ which is described by $\alpha_{SSR}(\{(z, 3 * z) \mid z \in \mathbb{Z}\}) = (\{(-, -), (0, 0), (+, +)\}, \{0, \mathtt{<\!-1}\})$. Thus we do not exploit the fact that if the pair is described by (0, 0) then the difference in magnitude will indeed be described by 0, whereas if the pair is described by (-, -) or (+, +) then the difference in magnitude will indeed be described by <-1.

Direct tensor product

It is possible to do better by letting the two components interact with one another. Again we shall only consider the simple case of powersets, so let $(\mathcal{P}(V), \alpha_i, \gamma_i, \mathcal{P}(D_i))$ be Galois connections. Then the direct tensor product is the Galois connection

$$(\mathcal{P}(V), \alpha, \gamma, \mathcal{P}(D_1 \times D_2))$$

where α and γ are defined by:

$$\alpha(V') = \bigcup \{ \alpha_1(\{v\}) \times \alpha_2(\{v\}) \mid v \in V' \}$$

$$\gamma(DD) = \{ v \mid \alpha_1(\{v\}) \times \alpha_2(\{v\}) \subseteq DD \}$$

where $V' \subseteq V$ and $DD \subseteq D_1 \times D_2$.

We will now get a Galois connection

$$(\mathcal{P}(\mathbb{Z} \times \mathbb{Z}), \alpha_{SSR'}, \gamma_{SSR'}, \mathcal{P}(\mathbf{Sign} \times \mathbf{Sign} \times \mathbf{Range}))$$

where

$$\alpha_{SSR'}(ZZ) = \{ (\mathit{sign}(z_1), \mathit{sign}(z_2), \mathit{range}(|z_1| - |z_2|)) \mid (z_1, z_2) \in ZZ \}$$

$$\gamma_{SSR'}(SSR) = \{ (z_1, z_2) \mid (\mathit{sign}(z_1), \mathit{sign}(z_2), \mathit{range}(|z_1| - |z_2|)) \in SSR \}$$

for $ZZ \subseteq \mathbb{Z} \times \mathbb{Z}$ and $SSR \subseteq \mathbf{Sign} \times \mathbf{Sign} \times \mathbf{Range}$.

Reduced product and tensor product

Let $(L, \alpha_1, \gamma_1, M_1)$ and $(L, \alpha_2, \gamma_2, M_2)$ be Galois connections. Then the reduced product is the Galois insertion

$$(L, \alpha, \gamma, \varsigma[M_1 \times M_2])$$

where

$$\alpha(l) = (\alpha_1(l), \alpha_2(l))$$

$$\gamma(m_1, m_2) = \gamma_1(m_1) \sqcap \gamma_2(m_2)$$

$$\varsigma(m_1, m_2) = \sqcap \{ (m_1', m_2') \mid \gamma_1(m_1) \sqcap \gamma_2(m_2) = \gamma_1(m_1') \sqcap \gamma_2(m_2') \}$$

Next let $(\mathcal{P}(V), \alpha_i, \gamma_i, \mathcal{P}(D_i))$ be Galois connections for i = 1, 2. Then the reduced tensor product is the Galois insertion

$$(\mathcal{P}(V), \alpha, \gamma, \varsigma[\mathcal{P}(D_1 \times D_2)])$$

where

$$\alpha(V') = \bigcup \{ \alpha_1(\{v\}) \times \alpha_2(\{v\}) \mid v \in V' \}$$

$$\gamma(DD) = \{ v \mid \alpha_1(\{v\}) \times \alpha_2(\{v\}) \subseteq DD \}$$

$$\varsigma(DD) = \bigcap \{ DD' \mid \gamma(DD) = \gamma(DD') \}$$

We noted that the complete lattice $\mathcal{P}(\mathbf{Sign} \times \mathbf{Sign} \times \mathbf{Range})$ contains more than one element that describes the empty set of $\mathcal{P}(\mathbb{Z} \times \mathbb{Z})$. The function $\varsigma_{SSR'}$ will amount to

$$\varsigma_{SSR'}(SSR) = \bigcap \{ SSR' \mid \gamma_{SSR'}(SSR) = \gamma_{SSR'}(SSR') \}$$

where $SSR, SSR' \subseteq \mathbf{Sign} \times \mathbf{Sign} \times \mathbf{Range}$.

In particular, $\varsigma_{SSR'}$ will map the singleton sets constructed from the 16 elements

(-, 0, <-1), (-, 0, -1), (-, 0, 0),
(0, -, 0), (0, -, +1), (0, -, >+1),
(0, 0, <-1), (0, 0, -1), (0, 0, +1), (0, 0, >+1),
(0, +, 0), (0, +, +1), (0, +, >+1),
(+, 0, <-1), (+, 0, -1), (+, 0, 0)

to the empty set.

The remaining 29 elements of Sign × Sign × Range are

(-, -, <-1), (-, -, -1), (-, -, 0), (-, -, +1), (-, -, >+1),
(-, 0, +1), (-, 0, >+1),
(-, +, <-1), (-, +, -1), (-, +, 0), (-, +, +1), (-, +, >+1),
(0, -, <-1), (0, -, -1), (0, 0, 0), (0, +, <-1), (0, +, -1),
(+, -, <-1), (+, -, -1), (+, -, 0), (+, -, +1), (+, -, >+1),
(+, 0, +1), (+, 0, >+1),
(+, +, <-1), (+, +, -1), (+, +, 0), (+, +, +1), (+, +, >+1)

and they describe disjoint subsets of Z × Z. Let us call the above set of 29 elements AB (for Array Bound); then $\varsigma_{SSR'}[\mathcal{P}(\mathbf{Sign} \times \mathbf{Sign} \times \mathbf{Range})]$ is isomorphic to $\mathcal{P}(\mathbf{AB})$.

To conclude the development of the complete lattice and the associated Galois connection for the Array Bound Analysis we shall simply construct the reduced tensor product of the Galois connections. This will yield a Galois insertion isomorphic to

$$(\mathcal{P}(\mathbb{Z} \times \mathbb{Z}), \alpha_{SSR'}, \gamma_{SSR'}, \mathcal{P}(\mathbf{AB}))$$

Note that from an implementation point of view the last step of the construction has paid off: if we had stopped with the direct tensor product then the properties would need 45 bits for their representation whereas now 29 bits suffice.
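The reduction of Sign × Sign × Range to the 29 elements of AB, and the direct product beside the direct tensor product on (x, 3*x), as an added example (my code, not the slides' or the book's). It assumes a finite window of integers in place of Z; the names are my own.

```python
from itertools import product

# Added example, not from the original slides.  A finite window stands in for Z
# (assumption: [-3, 3] realises every triple that any pair of integers realises).
WINDOW = tuple(range(-3, 4))
SIGN = ('-', '0', '+')
RANGE = ('<-1', '-1', '0', '+1', '>+1')

def sign(z):
    return '-' if z < 0 else ('0' if z == 0 else '+')

def range_(z):
    """The extraction function range : Z -> Range."""
    if z < -1: return '<-1'
    if z == -1: return '-1'
    if z == 0: return '0'
    if z == 1: return '+1'
    return '>+1'

def ssr(z1, z2):
    """Extraction function of the direct tensor product: signs plus range of |z1|-|z2|."""
    return (sign(z1), sign(z2), range_(abs(z1) - abs(z2)))

def alpha_ssr(ZZ):
    """Direct product: the sign pairs and the ranges are abstracted separately."""
    return (frozenset((sign(z1), sign(z2)) for z1, z2 in ZZ),
            frozenset(range_(abs(z1) - abs(z2)) for z1, z2 in ZZ))

def gamma_ssr(SS, R, universe=WINDOW):
    return frozenset((z1, z2) for z1, z2 in product(universe, universe)
                     if (sign(z1), sign(z2)) in SS and range_(abs(z1) - abs(z2)) in R)

def alpha_ssr_prime(ZZ):
    """Direct tensor product: one triple per pair, so the components stay linked."""
    return frozenset(ssr(z1, z2) for z1, z2 in ZZ)

def gamma_ssr_prime(SSR, universe=WINDOW):
    return frozenset((z1, z2) for z1, z2 in product(universe, universe) if ssr(z1, z2) in SSR)

def reduce_ssr_prime(SSR, universe=WINDOW):
    """The reduction operator on P(Sign x Sign x Range): since triples describe
    disjoint sets, the intersection of all SSR' with the same gamma keeps exactly
    the triples that some pair realises."""
    return frozenset(t for t in SSR if gamma_ssr_prime({t}, universe))

def array_bound(universe=WINDOW):
    """AB: the elements of the reduced tensor product's lattice."""
    return reduce_ssr_prime(product(SIGN, SIGN, RANGE), universe)

def compare_on_triple(universe=WINDOW):
    """Pairs admitted by the direct-product and tensor-product descriptions of {(z, 3*z)}."""
    ZZ = frozenset((z, 3 * z) for z in universe)
    return (gamma_ssr(*alpha_ssr(ZZ), universe=universe),
            gamma_ssr_prime(alpha_ssr_prime(ZZ), universe))
```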

Summary. The Array Bound Analysis has been designed from three simple
Galois connections specified by extraction functions:
(i) an analysis approximating integers by their sign,
(ii) an analysis approximating pairs of integers by their difference in
magnitude, and
(iii) an analysis approximating integers by their closeness to 0, 1 and -1.
We have illustrated different ways of combining these analyses:
(iv) the relational product of analysis (i) with itself,
(v) the functional composition of analysis (ii) and (iii), and
(vi) the reduced tensor product of analysis (iv) and (v).
Induced Operations

Suppose that we have Galois connections $(L_i, \alpha_i, \gamma_i, M_i)$ such that each $M_i$ is a more approximate version of $L_i$ (for i = 1, 2). One way to make use of this is to replace an existing analysis $f_p : L_1 \to L_2$ with a new and more approximate analysis $g_p : M_1 \to M_2$. We already saw that

$$\alpha_2 \circ f_p \circ \gamma_1 \text{ is a candidate for } g_p$$

(just as $\gamma_2 \circ g_p \circ \alpha_1$ would be a candidate for $f_p$). The analysis $\alpha_2 \circ f_p \circ \gamma_1$ is said to be induced by $f_p$ and the two Galois connections.

(Diagram: $f_p : L_1 \to L_2$ on top and the induced $\alpha_2 \circ f_p \circ \gamma_1 : M_1 \to M_2$ below, obtained by going up with $\gamma_1$, across with $f_p$ and down with $\alpha_2$.)
We studied the simple program plus and specified the very precise analysis

$$f_{\mathit{plus}}(ZZ) = \{ z_1 + z_2 \mid (z_1, z_2) \in ZZ \}$$

using the complete lattices $(\mathcal{P}(\mathbb{Z}), \subseteq)$ and $(\mathcal{P}(\mathbb{Z} \times \mathbb{Z}), \subseteq)$.

We introduced the Galois connection

$$(\mathcal{P}(\mathbb{Z}), \alpha_{\mathit{sign}}, \gamma_{\mathit{sign}}, \mathcal{P}(\mathbf{Sign}))$$

for approximating sets of integers by sets of signs.

We used the relational method to get the Galois connection

$$(\mathcal{P}(\mathbb{Z} \times \mathbb{Z}), \alpha_{SS'}, \gamma_{SS'}, \mathcal{P}(\mathbf{Sign} \times \mathbf{Sign}))$$

operating on pairs of integers.

We now want to induce a more approximate analysis for the plus program

$$g_{\mathit{plus}} : \mathcal{P}(\mathbf{Sign} \times \mathbf{Sign}) \to \mathcal{P}(\mathbf{Sign})$$

from the existing analysis $f_{\mathit{plus}}$. To do so we take

$$g_{\mathit{plus}} = \alpha_{\mathit{sign}} \circ f_{\mathit{plus}} \circ \gamma_{SS'}$$

and simply calculate (for $SS \subseteq \mathbf{Sign} \times \mathbf{Sign}$)

$$\begin{aligned}
g_{\mathit{plus}}(SS) &= \alpha_{\mathit{sign}}(f_{\mathit{plus}}(\gamma_{SS'}(SS))) \\
&= \alpha_{\mathit{sign}}(f_{\mathit{plus}}(\{ (z_1, z_2) \in \mathbb{Z} \times \mathbb{Z} \mid (\mathit{sign}(z_1), \mathit{sign}(z_2)) \in SS \})) \\
&= \alpha_{\mathit{sign}}(\{ z_1 + z_2 \mid z_1, z_2 \in \mathbb{Z},\ (\mathit{sign}(z_1), \mathit{sign}(z_2)) \in SS \}) \\
&= \{ \mathit{sign}(z_1 + z_2) \mid z_1, z_2 \in \mathbb{Z},\ (\mathit{sign}(z_1), \mathit{sign}(z_2)) \in SS \} \\
&= \bigcup \{ s_1 \oplus s_2 \mid (s_1, s_2) \in SS \}
\end{aligned}$$

where $\oplus : \mathbf{Sign} \times \mathbf{Sign} \to \mathcal{P}(\mathbf{Sign})$ is the "addition" operator on signs (so e.g. $+ \oplus + = \{+\}$ and $+ \oplus - = \{-, 0, +\}$).
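The induced analysis g_plus computed literally as α_sign ∘ f_plus ∘ γ_SS', checked against the closed form with ⊕, as an added example (my code, not the slides' or the book's). A finite window stands in for Z and the names are my own.

```python
from itertools import product

# Added example, not from the original slides: inducing g_plus from f_plus and
# comparing it with the closed form ⋃{s1 ⊕ s2 | (s1, s2) in SS}.  A finite window
# stands in for Z (assumption: [-3, 3] exhibits every possible result sign).
WINDOW = tuple(range(-3, 4))
SIGN = ('-', '0', '+')

def sign(z):
    return '-' if z < 0 else ('0' if z == 0 else '+')

def f_plus(ZZ):
    """The precise analysis of plus: f_plus(ZZ) = {z1 + z2 | (z1, z2) in ZZ}."""
    return frozenset(z1 + z2 for z1, z2 in ZZ)

def alpha_sign(Z):
    return frozenset(sign(z) for z in Z)

def gamma_ss_prime(SS, universe=WINDOW):
    return frozenset((z1, z2) for z1, z2 in product(universe, universe)
                     if (sign(z1), sign(z2)) in SS)

def g_plus_induced(SS, universe=WINDOW):
    """g_plus computed literally as alpha_sign ∘ f_plus ∘ gamma_SS'."""
    return alpha_sign(f_plus(gamma_ss_prime(SS, universe)))

def sign_plus(s1, s2):
    """The 'addition' operator ⊕ : Sign x Sign -> P(Sign), e.g. + ⊕ - = {-, 0, +}."""
    if s1 == '0':
        return frozenset({s2})
    if s2 == '0' or s1 == s2:
        return frozenset({s1})
    return frozenset(SIGN)          # opposite signs: the sum can have any sign

def g_plus_closed_form(SS):
    """The last line of the calculation: ⋃{s1 ⊕ s2 | (s1, s2) in SS}."""
    result = frozenset()
    for s1, s2 in SS:
        result |= sign_plus(s1, s2)
    return result

def closed_form_matches_induced(universe=WINDOW):
    """Confirm the ⊕ table agrees with the induced analysis on all nine singletons."""
    return all(g_plus_induced({(s1, s2)}, universe) == sign_plus(s1, s2)
               for s1, s2 in product(SIGN, SIGN))
```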

Let us next consider the situation where the analysis $f_p : L_1 \to L_2$ requires the computation of the least fixed point of a monotone function $F : (L_1 \to L_2) \to (L_1 \to L_2)$ so that $f_p = \mathit{lfp}(F)$. The Galois connections $(L_i, \alpha_i, \gamma_i, M_i)$ give rise to a Galois connection $(L_1 \to L_2, \alpha, \gamma, M_1 \to M_2)$ between the monotone function spaces. We can now apply our technique of inducing and let $G : (M_1 \to M_2) \to (M_1 \to M_2)$ be an upper approximation to $\alpha \circ F \circ \gamma$. It will be natural to take $g_p : M_1 \to M_2$ to be $g_p = \mathit{lfp}(G)$.

Suppose that we have a Galois connection (L, α, γ, M) between the complete lattices L and M, and also a monotone function f : L → L. Often the motivation for approximating f arises because a fixed point of f is desired, and the ascending chain $(f^n(\bot))_n$ does not eventually stabilise (or may do so in too many iterations). Instead of using $\alpha \circ f \circ \gamma : M \to M$ to remedy this situation it is often possible to consider a widening operator $\nabla_M : M \times M \to M$ and use it to define $\nabla_L : L \times L \to L$ by the formula:

$$l_1 \nabla_L l_2 = \gamma(\alpha(l_1) \nabla_M \alpha(l_2))$$

Let (L, α, γ, M) be a Galois connection and let $\nabla_M : M \times M \to M$ be an upper bound operator. Then the formula

$$l_1 \nabla_L l_2 = \gamma(\alpha(l_1) \nabla_M \alpha(l_2))$$

defines an upper bound operator $\nabla_L : L \times L \to L$. It defines a widening operator if one of the following two conditions is fulfilled:
(i) M satisfies the Ascending Chain Condition, or
(ii) (L, α, γ, M) is a Galois insertion and $\nabla_M : M \times M \to M$ is a widening operator.

If (L, α, γ, M) is a Galois insertion such that $\gamma(\bot_M) = \bot_L$, and if $\nabla_M : M \times M \to M$ is a widening operator, then the widening operator $\nabla_L : L \times L \to L$ defined by $l_1 \nabla_L l_2 = \gamma(\alpha(l_1) \nabla_M \alpha(l_2))$ satisfies

$$\mathit{lfp}_{\nabla_L}(f) = \gamma(\mathit{lfp}_{\nabla_M}(\alpha \circ f \circ \gamma))$$

for all monotone functions f : L → L.

Acknowledgements

The main source of these slides was Chapter 4 of Principles of Program Analysis, a book I wrote with Flemming Nielson and Hanne Riis Nielson. The corrected, 2nd printing was published by Springer in 2005.

Thank you
