
The Fixpoint Checking Problem: An Abstraction Refinement Perspective


Pierre Ganty

Thesis submitted for the degree of Doctor of Sciences of the Université Libre de Bruxelles (Faculté des Sciences, Département d'Informatique)

Thesis submitted for the degree of Doctor of Research in Information and Communication Sciences and Technologies of the Università degli Studi di Genova (Electronic and Computer Engineering track, 18th cycle)

September 2007


To my parents


Dissertation submitted in fulfillment of the requirements for the degree of Doctor of Philosophy. The examiners of the committee are:

• Prof. Jean-François Raskin (Université Libre de Bruxelles, Belgique), advisor

• Prof. Giorgio Delzanno (Università degli Studi di Genova, Italia), co-advisor

• Prof. Alessandro Armando (Università degli Studi di Genova, Italia), co-advisor

• Prof. Patrick Cousot (École Normale Supérieure de Paris, France)

• Prof. Francesco Ranzato (Università di Padova, Italia)

• Prof. Thierry Massart (Université Libre de Bruxelles, Belgique)

• Dr. Laurent Van Begin (Université Libre de Bruxelles, Belgique)


Résumé (French abstract)

Model-checking is an automated technique which aims at verifying properties of computer systems. The inputs given to the model-checker are the model of the system (which captures all its possible behaviours) and the property to verify.

Both are given in an adequate mathematical formalism, such as a transition system for the model and a temporal logic formula for the property.

For various reasons (model-checking is undecidable for this class of models, or model-checking requires too many resources for this model) model-checking may be inapplicable. For safety properties (which roughly say that nothing incorrect happens), one solution to this problem resorts to a simplified model for which the model-checker can terminate without too many resources. This simplified model, called the abstract model, over-approximates the behaviours of the concrete model.

The abstract model may however be too imprecise. Indeed, if the property holds on the abstract model then it also holds on the concrete model. On the other hand, when the abstract model violates the property: either the violation can be reproduced on the concrete model, and then we have found an error; or the violation cannot be reproduced, and in that case the model-checker is said to be inconclusive. This comes from the over-approximation of the concrete model made by the abstract model. A precise model thus leads to a conclusive model-checking, but its cost grows with its precision.

Recently, various abstraction refinement algorithms have been proposed. These algorithms automatically compute abstract models which are progressively refined until their model-checking is conclusive. In the thesis, we define a new abstraction refinement algorithm for safety properties. We compare our algorithm with earlier abstraction refinement algorithms.

With the help of formal proofs, we show the advantages of our approach. Moreover, we define extensions of the algorithm which integrate other techniques used in model-checking, such as acceleration techniques.

Following a rigorous methodology, we then instantiate our algorithm for a variety of models ranging from finite transition systems to infinite transition systems. For each of the models we establish the termination of the instantiated algorithm and give encouraging preliminary experimental results.

Keywords: Model-Checking, Abstraction Refinement, Abstract Interpretation.


Riassunto (Italian abstract)

Model-checking is an automatic technique aimed at verifying properties of computer systems. The inputs given to the model-checker are the model of the system (which captures all its possible behaviours) and the property to verify. Both are given in a suitable mathematical formalism such as, for instance, a transition system for the model and a formula of a temporal logic for the property.

For various reasons (model-checking is undecidable for that class, or model-checking requires too many resources for that particular model) model-checking may turn out to be inapplicable. When the property to verify is a safety property (that is, a property stating that nothing incorrect happens), a possible solution is to use a simplified model for which the model-checker can terminate without using too many resources. The simplified model, called the abstract model, approximates the behaviours of the concrete model. However, the abstract model may turn out to be too imprecise. Indeed, if the property is true for the abstract model then it is also true for the concrete model. When, however, the abstract model falsifies the property: either the violation can be reproduced on the concrete model, and then we have found an error; or the violation is not reproducible, and in that case the model-checker is said to be inconclusive. This is due to the approximation of the concrete model made by the abstract model. Hence a precise model leads to a model-checking able to conclude, but its associated computational cost grows with the precision.

Recently, several abstraction refinement algorithms have been proposed. These algorithms automatically compute abstract models which are progressively refined until the model-checker is able to conclude. In the thesis, we define a new abstraction refinement algorithm for safety properties. We compare the algorithm with earlier abstraction refinement algorithms and formally show the advantages of our approach. Moreover, we introduce extensions of the algorithm which integrate other techniques used in model-checking, such as acceleration techniques.

Following a rigorous methodology, we instantiate our algorithm for a family of models ranging from finite transition systems to infinite transition systems. For each of the models we prove the termination of the instantiated algorithm and present experimental results which turn out to be very promising.

Keywords: Model-Checking, Abstraction Refinement, Abstract Interpretation.


Abstract

Model-checking is an automated technique which aims at verifying properties of computer systems. A model-checker is fed with a model of the system (which captures all its possible behaviors) and a property to verify on this model. Both are given in a convenient mathematical formalism like, for instance, a transition system for the model and a temporal logic formula for the property.

For several reasons (model-checking is undecidable for this class of models, or model-checking needs too many resources for this model) model-checking may not be applicable. For safety properties (which basically say that nothing bad happens), a solution to this problem uses a simpler model for which model-checkers might terminate without too many resources. This simpler model, called the abstract model, over-approximates the behaviors of the concrete model. However, the abstract model might be too imprecise. In fact, if the property is true on the abstract model, the same holds on the concrete one. On the contrary, when the abstract model violates the property, either the violation is reproducible on the concrete model, and so we have found an error; or it is not reproducible, and so the model-checker is said to be inconclusive. Inconclusiveness stems from the over-approximation of the concrete model by the abstract model. So a precise model lets the model-checker conclude, but precision generally comes with an increased computational cost.

Recently, a lot of work has been done to define abstraction refinement algorithms. Those algorithms automatically compute abstract models which are refined as long as the model-checker is inconclusive. In the thesis, we give a new abstraction refinement algorithm which applies to safety properties. We compare our algorithm with previous attempts to build abstract models automatically and show, using formal proofs, that our approach has several advantages. We also give several extensions of our algorithm which allow the integration of existing techniques used in model-checking, such as acceleration techniques.

Following a rigorous methodology, we then instantiate our algorithm for a variety of models ranging from finite state transition systems to infinite state transition systems. For each of those models we prove that the instantiated algorithm terminates and provide encouraging preliminary experimental results.

Keywords: Model-Checking, Abstraction Refinement, Abstract Interpretation.


Contents

Acknowledgments

1 Introduction

2 Preliminaries
  2.1 Well-Quasi Ordered Sets
  2.2 Posets and Lattices
  2.3 Fixpoints
  2.4 Transition systems
  2.5 Elementary Notions of Abstract Interpretation

3 Abstraction Refinement for Fixpoint Checking
  3.1 Introduction
  3.2 Preliminaries
  3.3 Abstract Fixpoint Checking Algorithm
    3.3.1 Correctness of the Algorithm
    3.3.2 Termination of the Algorithm
    3.3.3 Termination of the Algorithm with Accelerations
  3.4 Relationships with Other Approaches
    3.4.1 Counterexample Guided Abstraction Refinement
    3.4.2 Predicate Abstraction versus Moore Closed Domains
  3.5 Examples
  3.6 Relaxing Some Hypotheses
  3.7 How to instantiate
    3.7.1 Reduction to the Fixpoint Checking Problem
    3.7.2 The Family of Abstract Domains
    3.7.4 Backward Reasoning
    3.7.5 Abstract Domain Refinement
    3.7.6 Termination

4 The Coverability Problem of WSTS
  4.1 Introduction
  4.2 The Coverability Problem: State-of-the-art
    4.2.1 The Backward Approach
    4.2.2 The Forward Approach
  4.3 Instantiation
    4.3.1 Reduction to the Fixpoint Checking Problem
    4.3.2 An Adequate Family of Abstract Domains
    4.3.3 Forward Reasoning
    4.3.4 Backward Reasoning
    4.3.5 Abstract Domain Refinement
    4.3.6 Termination
  4.4 Illustration

5 Locality-Based Abstractions for Finite Systems
  5.1 Introduction
  5.2 System and Problem Definition
  5.3 Locality-based Abstractions
  5.4 An Introduction to MDDs
  5.5 Complexity of the Abstract Interpretation
  5.6 Efficient Abstract Fixpoint Checking
    5.6.1 Extending the Semantics to Partial States
    5.6.2 Finer Characterization of the Iterated Functions
    5.6.3 Efficient Iterated Functions: k-Bounded Systems
  5.7 Experiments
    5.7.1 Dining Philosophers Example
    5.7.2 Production Cell Example

6 Place Merging Abstractions for Petri Nets
  6.1 Introduction
  6.2 Petri Nets and the Coverability Problem
  6.3 Instantiation
    6.3.1 Reduction to the Fixpoint Checking Problem
    6.3.2 An Adequate Family of Abstract Domains
    6.3.3 Forward Reasoning
    6.3.4 Backward Reasoning
    6.3.5 Abstract Domain Refinement
    6.3.6 The Place Merging Algorithm
    6.3.7 Termination and Effectivity
  6.4 Experimental results

7 Conclusion
  7.1 Summary
  7.2 Future Works

Acknowledgments

My foremost thank goes to Jean-François Raskin, my advisor. This thesis is also his achievement. Over the years, he not only helped me to improve my scientific skills but he also taught me how to use them. Indeed, without saving on his energy, he defined for me what a scientific contribution is, what rigor means, what a brilliant scientist is.

Being the PhD student of Jean-François is not always easy, but the experience and the knowledge I acquired from it are invaluable. That is why I am so grateful to him.

During these years, I met people who played a significant role in this thesis. In order of appearance, I first thank Giorgio Delzanno who welcomed me in Genoa, back in 2002, for writing my master thesis. Over the years, it has always been a pleasure to work with Giorgio. In addition to having numerous great ideas, he was always there to encourage me when my motivation was decreasing. I also thank Alessandro Armando who gently welcomed me in his team and supported me for one year. Finally, I would like to express here my gratitude to Javier Esparza who significantly contributed to this thesis. First, he helped me to elaborate the preliminary results which eventually led to this body of work. Second, he taught me to think as a scientist and to appreciate writing scientific papers. My stay in Stuttgart was an invaluable experience.

Also, I seize the opportunity to thank all my co-authors and especially Laurent Van Begin (who, in addition, is a very good friend of mine) and Patrick Cousot who gently accepted to collaborate and pointed out research directions when necessary.

I am also indebted to Raymond Devillers who carefully proofread the thesis, spotted many inconsistencies and provided many helpful suggestions. I am also grateful to my jury who spent much time reading and understanding my results.

Many thanks to each member of the computer science department and especially to my colleagues of the GroupVerif for this pleasant atmosphere.

I could not close these acknowledgments without expressing my love to the people who are the closest to me. My parents, to whom this thesis is dedicated, and my brother and sister. Because they created a stimulating environment around me, I want to say that this achievement is also theirs. My last words go to my Mara. Your love and support have meant so much to me.

Brussels, August 2007


Chapter 1

Introduction

In cars, planes, trains, rockets, medical equipment, . . . technological advances rely more and more on computers, and there is no sign indicating a trend reversal. More and more also, they are used in critical situations where any failure leads to severe damage, ranging from revenue loss (e.g. the flaw in the floating-point math subsection of the first Pentium microprocessor resulted in a $500 million loss charge against Intel) to casualties (e.g. due to a software flaw, a radiation therapy machine, the Therac-25, killed at least five patients who died of massive overdoses of radiation).

Verification. To avoid such damage one has to verify that the system satisfies some properties. Since the early days of computer science, verifying systems against properties has been a major concern for the computer scientists who design them, an activity which is referred to as verification. From a behavioral standpoint, it is equivalent to checking that the behaviors of the system, which define its semantics, are included in the correct behaviors specified by the property. If the inclusion does not hold we also say that the system contains incorrect behaviors. Several approaches to verification have emerged over the years.

Testing. The most obvious way to ensure the system does not contain incorrect behaviors is to examine the system behaviors one after the other by testing the system.

This simple approach suffers from a major drawback: it is sufficient to find an incorrect behavior, but it falls short of proving their absence. In fact, imagine you want to show that the ABS system of your car never crashes, since a crash leads to an inoperative braking system. You drive your car for years in different conditions and it never crashes. Can you assert that the ABS system never crashes? You can do so provided you covered every possible behavior of the ABS system. However, obtaining complete coverage is, in general, costly, since testing considers one behavior at a time and the set to cover can be very large (if not infinite).


Model-based verification. Analogously to what is done in mechanical engineering, aerospace engineering, civil engineering, and so forth, a good engineering practice is to verify properties against a model of the system. In computer science, a model of a system is a specification, in some mathematical formalism, of a set of behaviors. We refer to this set of behaviors as the semantics of the model. Below follows a (non-exhaustive) list of models currently used in computer science, and in particular models used for verification purposes. Our classification is given according to the class of systems to model. It is important to note that the classes listed below are not necessarily disjoint. For instance, some communication protocols turn out to be parameterized systems as well.

Hardware. For hardware systems, models generally consist in a combination of boolean functions according to some topology. The intuition is that each boolean function models a logical unit and the topology models the way logical units are connected to each other.

Software. Typically, models are given by a piece of code expressed in a formal language to which a formal semantics is associated.

Embedded Systems. The two main characteristics of those systems are that (1) they are reactive systems and (2) often they are real-time systems. A reactive system interacts with an external environment. It receives inputs from the environment via sensors, and it reacts through actuators to control the environment. A system is real-time if its correctness relies on the timing of actions and events. Typical models for such systems are given by timed automata [AD94] (for the controller of the environment) and hybrid automata [Hen96] (for the environment).

Parameterized Systems. Those systems are made up of an arbitrary number of subsystems which interact with each other according to some synchronisation rules. Petri nets [Pet62] and their extensions [Cia94] are often used to model those systems.

Communication Protocols. They are naturally modelled by a finite set of automata equipped with a set of communication primitives (e.g. communication via queues). We refer the reader to models like fifo channel systems [AJ96, AAB99] or broadcast protocols [EFM99].

. . .

A general class of model. A formalism which can be used to model any computer system is that of transition systems. Formally, a transition system is given by a triple (C, T, I) where C is the (usually infinite) set of configurations of the system, T ⊆ C × C represents the transitions between configurations, and I ⊆ C is the set of initial configurations. In some cases the transition relation is labelled, that is T ⊆ C × Σ × C where Σ is usually a finite alphabet. The transition system encodes behaviors, each of which is represented by a sequence of states such that each pair of successive states belongs to T and the first state belongs to I. A transition system models a system in the following sense: each behavior of the system is matched (or has a counterpart) in the transition system. We also call the relationship between the model and the system it represents the adequacy of the model. It is worth mentioning here the problem of model construction. Many questions arise when modelling a system: Which model to use? How to guarantee its adequacy? . . . However, these questions are out of the scope of the thesis. Accordingly, given a system, we assume an adequate model for it. Below, we give a list of model-based techniques for verification.

Model-based Testing. Recently [HNRW06], the testing approach has been adapted to models. The idea is thus to explore behaviors of the model rather than the system.

In some situations, testing of the system is just not feasible. Consider, for instance, that you want to test the crash recovery procedure of an operating system. Performing a single test in real conditions may take several minutes (for instance, repairing the file system is a time-consuming task). It follows that after months of testing you end up with a narrow coverage of your recovery system. In such a situation, a model-based testing approach (where disks now have a mathematical definition) provides a solution with better coverage.

Theorem Proving. With the help of a theorem prover you can reason about the model of the system and thus try to prove a theorem corresponding to the property you want to establish. For instance, to prove properties of a software system the theorem prover reasons on the code and its associated formal semantics, a Turing complete model. This approach is, however, only partially automated and still requires manual intervention. In fact, the theorem prover may ask the user to prove some lemmas. Due to the manual intervention, it is not often applicable in practice. In fact, even for small systems, writing a proof is a very tedious, error-prone task for a human being. Finally, let us mention that for fundamental reasons (Rice's theorem [Ric53], Gödel's Incompleteness Theorem) there is no hope of making this approach fully automatic. We refer the reader to [AO91, Fra92, MP92, MP95] for a deeper discussion of theorem proving as well as bibliographies.

Automated Verification. Automated verification was originally introduced in the eighties by Queille and Sifakis [QS82], and independently by Clarke and Emerson [CE81]. They propose to use, for the model of the system, a class of finite state transition systems called Kripke structures. In a Kripke structure, each configuration is labelled with a set of boolean propositions which describes a (set of) system state(s).

On the other hand, the property to verify is specified by a formula in some temporal logic, such as the computational tree logic CTL defined in [CE81]. This formula is intended to represent the behaviors of the system which are correct. It follows that if the behaviors represented by the Kripke structure are included in the behaviors represented by the formula, so are the system behaviors, by the adequacy of the model.

This approach is commonly referred to as model-checking and is extensively covered in [CGP99]. These seminal works have since generated a huge amount of research and have been extended in many directions: other models have been considered (see the models given above) as well as other properties (such as the ones expressed in the linear temporal logic of [Pnu77] or the temporal logic CTL of [CES86]).

However, model-checking cannot solve all verification problems. In fact, for fundamental reasons (undecidability of the halting problem for Turing complete models of computation), or for practical reasons (limitations of the computing power of computers), model-checking may not be applicable. Let us mention here a major obstacle to a general application of model-checking: the state explosion problem. In fact, given a model, the size of the underlying transition system can sometimes be huge and intractable for the model-checker. This explosion is best visualized in the case of concurrent systems but appears in other cases as well. Suppose the model is given by a set of distinct automata, each of which corresponds to a sub-component of the system. The transition system is obtained by the synchronisation of the sub-components and may result in a system which is exponentially larger than each sub-component.

Abstract Interpretation. A possible solution to overcome the aforementioned difficulties is given by the theory of abstract interpretation. In the late seventies, the Cousots defined in [CC77] the basis of the theory of abstract interpretation, a popular theory to approximate the evaluation of functions but also of their fixpoints. This theory finds many applications in verification since the semantics of models boils down to evaluating a fixpoint.

In what follows, we adopt a restricted view of abstract interpretation in the following sense. We use abstract interpretation to approximate the state based semantics of transition systems. An example of the state based semantics of a transition system (C, T, I) is given by the set of states reachable from I. State based semantics of transition systems can be computed by evaluating fixpoints on the complete lattice of sets of states. We commonly refer to those fixpoints as the concrete semantics. In addition, we restrict the discussion to the verification of invariants, which ask, given a transition system and a set S of states, if the set of reachable states is included in the invariant given by S. The invariant S corresponds to an equivalent safety property which says:

no state of ¬S is reachable.

Abstract Semantics. As shown above, the semantics of the model may not be computable or may need too many resources to be computed. It is then interesting to compute an approximation of the semantics. This can be obtained using an abstract interpretation which computes an over-approximation of the concrete semantics, called the abstract semantics. To compute the abstract semantics, we need an abstraction function $\mu \in 2^C \mapsto 2^C$ which basically identifies sets of states. More precisely, $\mu$ over-approximates its argument ($X \subseteq \mu(X)$), $\mu$ is monotone ($X \subseteq Y$ implies $\mu(X) \subseteq \mu(Y)$), and $\mu$ is idempotent ($\mu(\mu(X)) = \mu(X)$). Now, let us consider the set of reachable states, which is given by the least fixpoint $\mathit{lfp}(f)$ where $f$ is given by $\lambda X.\, I \cup \mathit{post}[T](X)$. One way to over-approximate $\mathit{lfp}(f)$ is to evaluate $\mathit{lfp}(\mu \circ f)$ instead, where $\circ$ denotes functional composition. By applying $\mu$ to the result returned by $f$ we thus speed up the convergence, at the price, however, of obtaining an approximation of $\mathit{lfp}(f)$.

Precision. We relate the precision of an approximation to the abstraction function through some relevant examples. If the abstraction $\mu$ coincides with the identity we obtain that $\mathit{lfp}(f) = \mathit{lfp}(\mu \circ f)$ and so the abstract semantics equals the concrete semantics. Then, if the concrete semantics is not computable or needs too many resources to be computed, so does the abstract semantics.

Now assume $\mu$ is the constant function mapping each set of states to $C$. In this case, $\mathit{lfp}(\mu \circ f) = C$ does not need many resources to be computed, but $C$ might be too coarse an over-approximation of $\mathit{lfp}(f)$, as explained below.

Formally, given $(C, T, I)$ and $S \subseteq C$, the invariant checking problem asks if

$$\mathit{lfp}\,\lambda X.\, I \cup \mathit{post}[T](X) \subseteq S\,. \quad (1.1)$$

If the abstraction $\mu$ is such that $\mathit{lfp}\,\lambda X.\, \mu(I \cup \mathit{post}[T](X)) \subseteq S$ then we can conclude that (1.1) holds; otherwise the analysis is said to be inconclusive, because the non-inclusion may result from the over-approximation introduced by $\mu$ and not because $\mathit{lfp}\,\lambda X.\, I \cup \mathit{post}[T](X) \not\subseteq S$.
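To make the abstract semantics concrete, here is an added Python example (not from the thesis) that computes $\mathit{lfp}(f)$ and $\mathit{lfp}(\mu \circ f)$ by Kleene iteration on a small constructed transition system and runs the invariant check (1.1) under four abstraction functions: the identity, the constant function to C, an interval closure and a partition-induced closure. The sample system, the invariant and all names are the example's own assumptions.

```python
from itertools import combinations, product
from typing import Callable, Set, Tuple

State = int
Trans = Set[Tuple[State, State]]
Closure = Callable[[Set[State]], Set[State]]

# Constructed finite transition system (C, T, I): eight states, a chain
# 0 -> 1 -> 2 -> 3 and a jump 0 -> 7.  The invariant S excludes state 5,
# which is unreachable, so the system is in fact safe.
STATES: Set[State] = set(range(8))
TRANS: Trans = {(0, 1), (1, 2), (2, 3), (0, 7)}
INIT: Set[State] = {0}
INV: Set[State] = STATES - {5}


def post(T: Trans, X: Set[State]) -> Set[State]:
    """post[T](X): successors of the states in X."""
    return {y for (x, y) in T if x in X}


def lfp(f: Callable[[Set[State]], Set[State]]) -> Set[State]:
    """Least fixpoint of a monotone f on the finite lattice 2^C,
    computed by Kleene iteration from the empty set."""
    X: Set[State] = set()
    while True:
        Y = f(X)
        if Y == X:
            return X
        X = Y


def reach(I: Set[State], T: Trans) -> Set[State]:
    """Concrete semantics: lfp(lambda X. I | post[T](X))."""
    return lfp(lambda X: I | post(T, X))


def abstract_reach(I: Set[State], T: Trans, mu: Closure) -> Set[State]:
    """Abstract semantics: lfp(mu o f), i.e. mu is applied after every step."""
    return lfp(lambda X: mu(I | post(T, X)))


def check_invariant(I, T, S, mu: Closure) -> str:
    """'safe' if the abstract fixpoint lies within S (so (1.1) holds);
    'inconclusive' otherwise, since the leak may be due to mu alone."""
    return "safe" if abstract_reach(I, T, mu) <= S else "inconclusive"


# Three abstraction functions; each is an upper closure operator on 2^C.
def identity(X: Set[State]) -> Set[State]:
    return set(X)


def interval_closure(X: Set[State]) -> Set[State]:
    """Closes X to the interval [min X, max X]."""
    return set(range(min(X), max(X) + 1)) if X else set()


def partition_closure(blocks) -> Closure:
    """Closure induced by a partition: the union of the blocks meeting X."""
    return lambda X: set().union(*(b for b in blocks if b & X))


BLOCKS = [frozenset({0, 1, 2, 3}), frozenset({4, 5, 6}), frozenset({7})]


def is_closure(mu: Closure, C: Set[State]) -> bool:
    """Checks extensivity, idempotence and monotonicity of mu on all of 2^C
    (exhaustive, so only meant for a small C)."""
    subsets = [frozenset(s) for r in range(len(C) + 1)
               for s in combinations(sorted(C), r)]
    image = {X: frozenset(mu(set(X))) for X in subsets}
    extensive = all(X <= image[X] for X in subsets)
    idempotent = all(frozenset(mu(set(image[X]))) == image[X] for X in subsets)
    monotone = all(image[X] <= image[Y]
                   for X, Y in product(subsets, repeat=2) if X <= Y)
    return extensive and idempotent and monotone


if __name__ == "__main__":
    print("concrete reach:", sorted(reach(INIT, TRANS)))
    for name, mu in [("identity", identity),
                     ("constant C", lambda X: set(STATES)),
                     ("interval", interval_closure),
                     ("partition", partition_closure(BLOCKS))]:
        print(f"{name:>10}: {check_invariant(INIT, TRANS, INV, mu)}")
```

The interval closure is a genuine Moore closure yet still yields a false alarm here, while the partition closure is conclusive: precision is a property of the pair (system, abstraction), not of the abstraction alone.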

The Abstraction Refinement Paradigm. The above discussion identified one key to the design of effective and successful abstract interpretation algorithms: the precision of the abstraction. The design of a good abstraction, where good means that the computation of the abstract semantics does not need many resources and yields a conclusive answer, is a difficult and time-consuming task. Recently, research efforts [HJMS03, CCG+03, BR02] have been devoted to finding automatic techniques that are able to discover and refine an abstraction function for a given transition system and a given property to verify. This approach is also known as the abstraction refinement paradigm. All those works take their inspiration from the seminal work of [CGJ+03], which is henceforth called Counterexample Guided Abstraction Refinement (or CEGAR for short).

CEGAR. This technique uses a restricted form of abstraction functions. The state space $C$ is divided into equivalence classes and the abstraction function $\mu$ maps each set $Z \subseteq C$ to a set of equivalence classes, each of which intersects $Z$. This abstraction leads to the definition of an abstract transition system $(C_\mu, T_\mu, I_\mu)$ where $C_\mu$ is the set of equivalence classes, $T_\mu \subseteq C_\mu \times C_\mu$ is such that $(c_1, c_2) \in T_\mu$ if $c_1$ and $c_2$ contain respectively states $x_1$ and $x_2$ such that $(x_1, x_2) \in T$, and $I_\mu = \mu(I)$. The set $R_\mu$ of reachable states of the abstract transition system is then computed. If $R_\mu \subseteq S$ then the analysis concludes that (1.1) holds; otherwise an incorrect behavior that violates the invariant (namely an abstract behavior that leaves $S$) is extracted. If the incorrect behavior of $(C_\mu, T_\mu, I_\mu)$ has a counterpart in $(C, T, I)$ then we return this incorrect behavior to the user; otherwise the incorrect behavior is said to be a false alarm and the abstraction is refined because the analysis is inconclusive. The idea behind the refinement is to prevent the false alarm from showing up again. To this end, we split into two parts $d_1, d_2$ an equivalence class $c_i$ along the false alarm $c_1, \ldots, c_{i-1}, c_i, c_{i+1}, \ldots, c_n$ such that neither $c_1, \ldots, c_{i-1}, d_1, c_{i+1}, \ldots, c_n$ nor $c_1, \ldots, c_{i-1}, d_2, c_{i+1}, \ldots, c_n$ is an incorrect behavior. Hence the false alarm disappears. The above process is iterated as long as the analysis is inconclusive.
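The CEGAR loop just described, as an added Python example that is not part of the thesis: it builds $(C_\mu, T_\mu, I_\mu)$ from a partition, searches for an abstract behavior leaving $S$, replays that behavior on the concrete system, and splits the class where the false alarm breaks (splitting into the states actually reached along the prefix and the rest is this example's choice of refinement). The transition system, the initial partition and all names are constructed for this illustration.

```python
from collections import deque
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

State = int
Block = FrozenSet[State]
Trans = Set[Tuple[State, State]]

# Constructed system: two chains 0 -> 1 -> 2 -> 3 and 4 -> 5 -> 6, with only
# state 0 initial.  S is every state but 6, so the system is safe; the initial
# partition pairs up states of the two chains, which makes the abstract
# system reach 6 spuriously.
TRANS: Trans = {(0, 1), (1, 2), (2, 3), (4, 5), (5, 6)}
INIT: Set[State] = {0}
INV: Set[State] = set(range(8)) - {6}
BLOCKS: List[Block] = [frozenset(b) for b in ({0, 4}, {1, 5}, {2, 6}, {3, 7})]


def post(T: Trans, X: Set[State]) -> Set[State]:
    return {y for (x, y) in T if x in X}


def abstract_system(T: Trans, I: Set[State], blocks: List[Block]):
    """(T_mu, I_mu) of the abstract transition system induced by the
    partition: (c1, c2) in T_mu iff some x1 in c1, x2 in c2 have (x1, x2) in T."""
    Tmu = {(c1, c2) for c1 in blocks for c2 in blocks
           if any((x1, x2) in T for x1 in c1 for x2 in c2)}
    Imu = [c for c in blocks if c & I]
    return Tmu, Imu


def abstract_counterexample(Tmu, Imu, S: Set[State]) -> Optional[List[Block]]:
    """Shortest abstract path c1, ..., cn from I_mu to a class cn that leaves
    S (cn not a subset of S), or None when R_mu is included in S."""
    parent: Dict[Block, Optional[Block]] = {c: None for c in Imu}
    queue = deque(Imu)
    while queue:
        c = queue.popleft()
        if not c <= S:
            path = []
            while c is not None:
                path.append(c)
                c = parent[c]
            return path[::-1]
        for (c1, c2) in sorted(Tmu, key=lambda e: (sorted(e[0]), sorted(e[1]))):
            if c1 == c and c2 not in parent:
                parent[c2] = c
                queue.append(c2)
    return None


def concretize(T, I, S, path):
    """Replays the abstract path on the concrete system: X1 = I & c1,
    X(i+1) = post(Xi) & c(i+1), as long as it stays non-empty.  Returns
    (real, prefix): real is True when the whole path is followed and its
    last set contains a state outside S."""
    X = I & path[0]
    prefix = [X]
    for c in path[1:]:
        X = post(T, X) & c
        if not X:
            break
        prefix.append(X)
    real = len(prefix) == len(path) and bool(prefix[-1] - S)
    return real, prefix


def refine(blocks, c: Block, d1: Set[State]) -> List[Block]:
    """Splits class c into d1 (states actually reached along the false alarm)
    and d2 = c - d1 (the states that made the abstract step possible)."""
    d1, d2 = frozenset(d1), c - frozenset(d1)
    assert d1 and d2, "a false alarm always yields a proper split"
    return [b for b in blocks if b != c] + [d1, d2]


def cegar(T, I, S, blocks, budget: int = 100):
    """Returns ('safe', final partition) or ('unsafe', concrete witness sets)."""
    for _ in range(budget):
        Tmu, Imu = abstract_system(T, I, blocks)
        path = abstract_counterexample(Tmu, Imu, S)
        if path is None:
            return "safe", blocks
        real, prefix = concretize(T, I, S, path)
        if real:
            return "unsafe", prefix
        k = len(prefix) - 1          # last class reached before the path breaks
        blocks = refine(blocks, path[k], prefix[k])
    raise RuntimeError("refinement budget exhausted")


if __name__ == "__main__":
    verdict, result = cegar(TRANS, INIT, INV, BLOCKS)
    print(verdict, [sorted(b) for b in result])
```

On the constructed system three refinements are needed before the abstract system stops reaching state 6; making state 4 initial as well turns the first abstract counterexample into a real one.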

Our contribution. In this thesis, we present a new abstract invariant checking algorithm with automatic refinement by backward completion in Moore closed abstract domains. Backward completion (see [RT02, GQ01]) is a technique which refines the abstractions used in abstract interpretation. Moore closed abstract domains induce more general abstractions than the partition based abstract domains used in CEGAR.

So, contrary to several works in the literature [HJMS03,CCG+03,BR02], our algorithm does not require the abstract domains to be partitions of the state space.

We study the properties of our algorithm and prove it to be more precise than CEGAR. We also show that our automatic renement technique is compatible with acceleration techniques (see, for instance, [Boi03]). Furthermore, the use of partition based abstract domains does not improve the precision of our algorithm.

In addition to these theoretical results we also provide technical results. In fact our algorithm is instantiated, following a systematic methodology, in three different settings: one for concurrent finite state systems and two for infinite state systems.

Along the technical results, we provide empirical results that uphold our approach.

Plan of the thesis. Chapter 2 recalls some preliminary notions that are necessary for the rest of the discussion. We review basic material on orderings and introduce the notion of closed sets. Then attention is given to partially ordered sets, lattices and related notions. We next focus on fixpoints by recalling some well-known theorems of fixpoint theory. We conclude the chapter by discussing transition systems and their semantics defined through fixpoints. Finally we review the basic concepts of abstract interpretation.

Chapter 3 is a theoretical chapter that introduces a new abstraction refinement algorithm for the particular fixpoint checking problem. Besides establishing correctness properties of the algorithm we also give several sufficient conditions for termination.

We then discuss our algorithm in relationship with other approaches like CEGAR or predicate abstraction. After studying the consequences of relaxing some basic assumptions, we give a general and systematic methodology to turn our theoretical algorithm into an effective one. We call this process the instantiation of our algorithm.

Then Chapt. 4, 5 and 6 are devoted to three instantiations of our algorithm. Respectively, we solve the coverability problem of well-structured transition systems, the reachability problem of transition systems which are finite and concurrent, and the coverability problem of Petri nets, by instantiating our algorithm according to the methodology given in Chapt. 3. Finally we close the thesis by drawing a conclusion in Chapt. 7.

In this thesis, each chapter from 3 to 6 is based on a publication which has been revisited and extended according to new insights by the author. Each of these publications has appeared in the proceedings of an international scientific conference or symposium.

Chapter 3 is based on the following paper published in 2007.

Cousot, P., Ganty, P., Raskin, J.F.: Fixpoint-guided Abstraction Refinements. In: SAS'07: Proc. 14th Int. Static Analysis Symp. Volume 4634 of LNCS, Springer (2007), 333–348.

Chapter 4 is based on the following paper published in 2006.

Ganty, P., Raskin, J.F., Van Begin, L.: A Complete Abstract Interpretation Framework for Coverability Properties of WSTS. In: VMCAI '06: Proc. 7th Int. Conf. on Verification, Model Checking and Abstract Interpretation. Volume 3855 of LNCS, Springer (2006), 49–64.

Chapter 5 is based on the following paper published in 2005.

Esparza, J., Ganty, P., Schwoon, S.: Locality-based Abstractions. In: SAS '05: Proc. 12th Int. Static Analysis Symp. Volume 3672 of LNCS, Springer (2005), 118–134.

Finally, Chapt. 6 is based on the following paper published in 2007.

Ganty, P., Raskin, J.F., Van Begin, L.: From Many Places to Few: Automatic Abstraction Refinement for Petri nets. In: ICATPN '07: Proc. of 28th Int. Conf. on Application and Theory of Petri Nets and Other Models of Concurrency. Volume 4546 of LNCS, Springer (2007), 124–143.


Chapter 2

Preliminaries

Sets, relations and functions. We denote by $\mathbb{Z}$ the set of integers and by $\mathbb{N}$ the subset of positive integers. We use Church's [Chu85] lambda notation for functions (so that $f$ is $\lambda x.\, f(x)$) and use the composition operator $\circ$: if $g \in X \mapsto Y$ and $f \in Y \mapsto Z$ then $(f \circ g) \in X \mapsto Z$ is such that $(f \circ g) = \lambda x.\, f(g(x))$. The transitive and reflexive closure $f^*$ of a function $f$ whose domain and co-domain coincide is the relation given by $\{(x, x') \mid \exists i \in \mathbb{N} : f^i(x) = x'\}$, where $f^0 = \lambda x.\, x$ and $f^{i+1} = f^i \circ f$.

The composition operator on relations $R_1 \subseteq X \times Y$, $R_2 \subseteq Y \times Z$, which gives $(R_1 \circ R_2) \subseteq X \times Z$, is defined as follows: $(R_1 \circ R_2) = \{(x, z) \mid \exists y \in Y : (x, y) \in R_1 \wedge (y, z) \in R_2\}$. The transitive and reflexive closure $R^*$ of a relation $R \subseteq X \times X$ is defined by $\bigcup_{i \in \mathbb{N}} R^i$, where $R^0 = \{(x, x) \mid x \in X\}$ and $R^{i+1} = R^i \circ R$.

Given a set $S$, $\wp(S)$ denotes the set of all the subsets of $S$. Sometimes we write $s$ instead of the singleton $\{s\}$ when the context makes it clear.

2.1 Well-Quasi Ordered Sets

A preorder $\succcurlyeq$ is a binary relation over a set $X$ which is reflexive (i.e. for each $x$, the relation $x \succcurlyeq x$ holds) and transitive (i.e. for each $x_1, x_2, x_3$ such that $x_1 \succcurlyeq x_2$ and $x_2 \succcurlyeq x_3$, the relation $x_1 \succcurlyeq x_3$ holds). Two elements $x_1, x_2$ are said to be incomparable if $x_1 \not\succcurlyeq x_2$ and $x_2 \not\succcurlyeq x_1$; otherwise $x_1, x_2$ are said to be comparable. Also we say that $x_2$ is strictly greater than $x_1$ if $x_2 \succcurlyeq x_1$ and $x_1 \not\succcurlyeq x_2$; we write this fact $x_2 \succ x_1$. Finally, we say that $\succcurlyeq$ is decidable if there exists an algorithm which, on inputs $x_1$ and $x_2$, computes whether $x_1 \succcurlyeq x_2$ holds or not.

The preorder $\succcurlyeq$ is a partial order if $\succcurlyeq$ is anti-symmetric, that is, for each $x_1, x_2 \in X$ such that $x_1 \succcurlyeq x_2$ and $x_2 \succcurlyeq x_1$, we have $x_1 = x_2$.

The preorder $\succcurlyeq$ is a well-quasi order (wqo for short) if every countably infinite sequence of elements $x_0, x_1, \ldots$ from $X$ contains elements $x_j \succcurlyeq x_i$ for some $0 \leq i < j$. We call the pair $(X, \succcurlyeq)$ a well-quasi ordered set (wqo-set for short).


Figure 2.1: $\succcurlyeq$-dc-sets and $\succcurlyeq$-uc-sets in $\mathbb{N}^2$ (diagram with axes $x$ and $y$, ticks 1, 2, 3, and the regions A, B, C and D).

Closed sets. Let $(X, \succcurlyeq)$ be a wqo-set; we call $\downarrow x = \{x' \in X \mid x \succcurlyeq x'\}$ and $\uparrow x = \{x' \in X \mid x' \succcurlyeq x\}$ the $\succcurlyeq$-downward closure and $\succcurlyeq$-upward closure of $x \in X$, respectively. This definition is naturally extended to subsets of $X$. We define a set $S \subseteq X$ to be a $\succcurlyeq$-downward closed set ($\succcurlyeq$-dc-set for short), respectively a $\succcurlyeq$-upward closed set ($\succcurlyeq$-uc-set for short), iff $\downarrow S = S$, respectively $\uparrow S = S$. For each wqo-set $(X, \succcurlyeq)$, we define $\mathit{DCS}(X)$ ($\mathit{UCS}(X)$) to be the set of all $\succcurlyeq$-dc-sets ($\succcurlyeq$-uc-sets) in $X$.

Example 2.1 A diagrammatic representation of $\succcurlyeq$-dc-sets and $\succcurlyeq$-uc-sets in the set $\mathbb{N}^2$ is given in Fig. 2.1. The wqo over $\mathbb{N}^2$ is defined as follows: $(a_1, a_2) \succcurlyeq (b_1, b_2)$ if and only if $a_1 \geq b_1$ and $a_2 \geq b_2$. The $\succcurlyeq$-dc-sets $A$ and $B$ are infinite sets: $A = \{(x, y) \in \mathbb{N}^2 \mid y \leq 1\}$, $B = \{(x, y) \in \mathbb{N}^2 \mid x \leq 1\}$. On the contrary, the $\succcurlyeq$-dc-set $C = \{(x, y) \in \mathbb{N}^2 \mid x \leq 2 \wedge y \leq 2\}$ is finite. The $\succcurlyeq$-uc-set $D$ is given by $\{(x, y) \in \mathbb{N}^2 \mid x \geq 3 \wedge y \geq 2\}$. It is clear that the $\succcurlyeq$-dc-sets and $\succcurlyeq$-uc-sets are dual in the following sense.

Lemma 2.1 Let $(X, \succcurlyeq)$ be a wqo-set; the set complement of a $\succcurlyeq$-dc-set is a $\succcurlyeq$-uc-set and vice versa.

Proof. Let $U$ be a $\succcurlyeq$-uc-set and let $x \in X \setminus U$. For all $x'$ such that $x \succcurlyeq x'$ we have that $x' \in X \setminus U$, for otherwise $x \in U$, which yields a contradiction. So we obtain that $X \setminus U$ is a $\succcurlyeq$-dc-set. The other direction is symmetric.

Lemma 2.2 Let $(X, \succcurlyeq)$ be a wqo-set and $S_1, S_2 \subseteq X$; we have
$$\uparrow S_1 \cup \uparrow S_2 = \uparrow (S_1 \cup S_2) \qquad \downarrow S_1 \cup \downarrow S_2 = \downarrow (S_1 \cup S_2) .$$

Proof.
$$\begin{array}{rll}
\uparrow S_1 \cup \uparrow S_2 &= \{s'_1 \in X \mid \exists s_1 \in S_1 : s'_1 \succcurlyeq s_1\} \cup \{s'_2 \in X \mid \exists s_2 \in S_2 : s'_2 \succcurlyeq s_2\} & \text{def. of } \uparrow \\
&= \{s' \in X \mid \exists s \in S_1 \cup S_2 : s' \succcurlyeq s\} & \text{set theory} \\
&= \uparrow (S_1 \cup S_2) & \text{def. of } \uparrow
\end{array}$$

The proof for $\downarrow$ is similar.

For the sake of clarity, we do not mention explicitly the above lemmas whenever we use their results. We now recall a well-known lemma on $\succcurlyeq$-uc-sets and $\succcurlyeq$-dc-sets.

Lemma 2.3 (From [ACJT96]) Let $(X, \succcurlyeq)$ be a wqo-set and let $U_0, U_1, \ldots$ be an infinite sequence of $\succcurlyeq$-uc-sets such that $U_i \subseteq U_{i+1}$ for all $i \geq 0$. There exists $j \geq 0$ such that $U_j = U_{j'}$ for all $j' \geq j$. Dually, given an infinite sequence of $\succcurlyeq$-dc-sets $D_0, D_1, \ldots$ such that $D_i \supseteq D_{i+1}$ for all $i \geq 0$, there exists $j \geq 0$ such that $D_j = D_{j'}$ for all $j' \geq j$.

Now, we give some results about the effective representation and manipulation (viz. a test or the application of a function) of $\succcurlyeq$-uc-sets.

A set $M \subseteq X$ is said to be canonical if each pair of distinct elements is incomparable: $\forall x, y \in M : x \neq y \rightarrow x \not\succcurlyeq y \wedge y \not\succcurlyeq x$. We say that $M$ is a minor set of $S \subseteq X$ if $M \subseteq S$, for all $x \in S$ there exists $y \in M$ such that $x \succcurlyeq y$, and $M$ is canonical.

Lemma 2.4 (From [ACJT96]) Let $(X, \succcurlyeq)$ be a wqo-set. For each set $S \subseteq X$, $S$ has at least one minor set $M$ and all minor sets are finite. If in addition $\succcurlyeq$ is a partial order, then $M$ is unique.

For instance consider the set $D$ of Fig. 2.1; it has $\{(2, 3)\}$ as a minor set. Moreover this minor set is unique since $\succcurlyeq$ is a partial order. We use $\min$ to denote a function which, given a set $S \subseteq X$, returns a minor set of $S$.

Effective representation for $\succcurlyeq$-uc-sets. An effective representation for a $\succcurlyeq$-uc-set $U$ is any finite set $S$ such that $\uparrow S = U$. By the previous lemma such a finite set always exists, e.g. a minor set.

Lemma 2.5 (Effective manipulations of $\succcurlyeq$-uc-sets.) Given a decidable well-quasi order $\succcurlyeq$ and two finite subsets $S_1, S_2$ of $X$. Let $\uparrow S_1 = U_1$ and $\uparrow S_2 = U_2$; we have

• $S_1 \cup S_2$ is finite and $\uparrow (S_1 \cup S_2) = U_1 \cup U_2$;

• $U_1 \subseteq U_2$ iff $\forall s_1 \in S_1\; \exists s_2 \in S_2 : s_1 \succcurlyeq s_2$;

• $c \in U_1$ iff $\exists s_1 \in S_1 : c \succcurlyeq s_1$.

Proof. The union of two finite sets is again finite and the distributivity of $\uparrow$ establishes the first item. For the second one, we have
$$\begin{array}{lll}
& U_1 \subseteq U_2 & \\
\Leftrightarrow & \uparrow S_1 \subseteq \uparrow S_2 & \text{def. of } U_1, U_2 \\
\Leftrightarrow & \{s_1 \mid \exists s'_1 \in S_1 : s_1 \succcurlyeq s'_1\} \subseteq \{s_2 \mid \exists s'_2 \in S_2 : s_2 \succcurlyeq s'_2\} & \text{def. of } \uparrow \\
\Leftrightarrow & \forall s'_1 \in S_1\; \exists s'_2 \in S_2 : s'_1 \succcurlyeq s'_2 & \text{set theory}
\end{array}$$

This last characterization is effective by finiteness of $S_1, S_2$, and since $\succcurlyeq$ is decidable. The proof of the third statement follows by definition of $\uparrow$.

In conclusion, given a decidable well-quasi order $\succcurlyeq$, we have an effective characterization for the inclusion and union of two $\succcurlyeq$-uc-sets, as well as a membership test, for any effective representation.
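As an added worked example (not code from the thesis), the three effective operations of Lemma 2.5 implemented in Python over finite generator sets, for the componentwise order on $\mathbb{N}^k$ used in Example 2.1. The function names and the generator tuples used in the brute-force cross-checks are this example's own constructed data.

```python
"""Effective representation of upward-closed sets by finite generator sets.

Added example, not from the thesis. The wqo is the componentwise order on
tuples of naturals (N^k, as in Example 2.1); an upward-closed set U is only
ever handled through a finite set S with up(S) = U (Lemma 2.5).
"""
from itertools import product


def geq(a, b):
    """The wqo: a is above b iff a >= b in every component."""
    return len(a) == len(b) and all(x >= y for x, y in zip(a, b))


def minor_set(gens):
    """Canonical minor set of a finite generator set: keep the generators that
    are dominated by no other one. Unique here because the componentwise order
    is a partial order (Lemma 2.4)."""
    gens = set(gens)
    return frozenset(g for g in gens if not any(h != g and geq(g, h) for h in gens))


def member(c, gens):
    """c in up(gens) iff some generator lies below c (Lemma 2.5, third item)."""
    return any(geq(c, s) for s in gens)


def included(gens1, gens2):
    """up(gens1) is a subset of up(gens2) iff every generator of gens1 is above
    some generator of gens2 (Lemma 2.5, second item): finitely many tests."""
    return all(member(s1, gens2) for s1 in gens1)


def equal(gens1, gens2):
    """Equality of the represented sets, independent of the chosen generators."""
    return included(gens1, gens2) and included(gens2, gens1)


def union(gens1, gens2):
    """up(gens1) | up(gens2) = up(gens1 | gens2) (Lemma 2.2), minimised."""
    return minor_set(set(gens1) | set(gens2))


def elements_in_box(gens, bound):
    """Brute-force cross-check: enumerate up(gens) inside the box [0, bound]^k."""
    k = len(next(iter(gens)))
    return frozenset(c for c in product(range(bound + 1), repeat=k) if member(c, gens))


def complement_is_downward_closed(gens, bound):
    """Lemma 2.1 checked on the box: every point below a point outside
    up(gens) is itself outside up(gens)."""
    k = len(next(iter(gens)))
    box = set(product(range(bound + 1), repeat=k))
    outside = box - elements_in_box(gens, bound)
    return all(d in outside for c in outside for d in box if geq(c, d))
```

The inclusion test never enumerates the (infinite) sets themselves; `elements_in_box` exists only to confirm the generator-level answers on a finite window.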

2.2 Posets and Lattices

Partially ordered set. Let $(X, \sqsubseteq)$ be such that $\sqsubseteq$ is a partial order on $X$. We call the pair $(X, \sqsubseteq)$ a partially ordered set (or poset for short).

Let $Y \subseteq X$; $\hat{x} \in X$ is an upper bound of $Y$ iff $\forall y \in Y : y \sqsubseteq \hat{x}$. Dually, $\check{x} \in X$ is a lower bound of $Y$ iff $\forall y \in Y : \check{x} \sqsubseteq y$. A least upper bound (lub for short) $x$ of $Y$ is an upper bound of $Y$ that satisfies $x \sqsubseteq x'$ whenever $x'$ is another upper bound of $Y$; similarly, a greatest lower bound (glb for short) $x$ of $Y$ is a lower bound of $Y$ that satisfies $x' \sqsubseteq x$ whenever $x'$ is another lower bound of $Y$. Note that subsets $Y$ of a poset $(X, \sqsubseteq)$ need not have least upper bounds nor greatest lower bounds, but when they exist they are unique (since $\sqsubseteq$ is anti-symmetric) and they are denoted $\bigsqcup Y$ and $\bigsqcap Y$, respectively. Sometimes $\bigsqcup$ is called the join operator and $\bigsqcap$ the meet operator, and we shall write $x_1 \sqcup x_2$ for $\bigsqcup \{x_1, x_2\}$ and similarly $x_1 \sqcap x_2$ for $\bigsqcap \{x_1, x_2\}$.

Complete Lattice. A complete lattice $\langle L, \sqsubseteq \rangle = \langle L, \sqsubseteq, \bigsqcup, \bigsqcap, \top, \bot \rangle$ is a poset $(L, \sqsubseteq)$ such that all subsets of $L$ have least upper bounds as well as greatest lower bounds. Furthermore, $\bot = \bigsqcup \emptyset = \bigsqcap L$ is the $\sqsubseteq$-minimal element and $\top = \bigsqcap \emptyset = \bigsqcup L$ is the $\sqsubseteq$-maximal element.

Example 2.2 The powerset lattice $\mathit{PL}(A)$ associated to a set $A$ is the complete lattice $(\wp(A), \subseteq, \bigcup, \bigcap, A, \emptyset)$ having the powerset of $A$ as carrier, union and intersection as least upper bound and greatest lower bound, respectively, and $\emptyset$ and $A$ as the $\subseteq$-minimal and $\subseteq$-maximal elements, respectively.

Effective Complete Lattice. A complete lattice $\langle L, \sqsubseteq, \bigsqcup, \bigsqcap, \top, \bot \rangle$ is said to be effective if

• for each element $l$ of $L$, there exists a (not necessarily unique) finite representation denoted $l^e$,

• there exists an algorithm which, on inputs $l_1^e$ and $l_2^e$, returns true iff $l_1 \sqsubseteq l_2$ holds,

• there exists an algorithm which, on inputs $\{l_1^e, \ldots, l_n^e\}$, returns $r^e$ such that $r = \bigsqcap \{l_1, \ldots, l_n\}$,

• there exists an algorithm which, on inputs $\{l_1^e, \ldots, l_n^e\}$, returns $r^e$ such that $r = \bigsqcup \{l_1, \ldots, l_n\}$.

Complete Sublattice. A sublattice $M$ of a complete lattice $\langle L, \sqsubseteq, \bigsqcup, \bigsqcap, \top, \bot \rangle$ is called a complete sublattice of $L$ if for every subset $A$ of $M$, the elements $\bigsqcap A$ and $\bigsqcup A$, as defined in $L$, are in $M$, that is $\forall A \subseteq M : \{\bigsqcap A, \bigsqcup A\} \subseteq M$.

ACC&DCC. A poset $(X, \sqsubseteq)$ is said to satisfy the ascending chain condition (ACC for short) if every ascending chain $x_1 \sqsubseteq x_2 \sqsubseteq \cdots$ of elements of $X$ is eventually stationary, that is, there is some $n \in \mathbb{N}$ such that $x_m = x_n$ for all $m > n$ (i.e., there is no infinite strictly ascending chain). Similarly, $X$ is said to satisfy the descending chain condition (DCC for short) if every descending chain $x_1 \sqsupseteq x_2 \sqsupseteq \cdots$ of elements of $X$ is eventually stationary (that is, there is no infinite strictly descending chain).

Lemma 2.6 Consider the powerset lattice $\mathit{PL}(A)$ associated to a set $A$ such that $(A, \succcurlyeq)$ is a wqo-set. The lattice $\langle \mathit{DCS}(A), \subseteq, \bigcup, \bigcap, A, \emptyset \rangle$, where the carrier is given by the $\succcurlyeq$-dc-sets of $A$, is a complete sublattice of $\mathit{PL}(A)$. The same result holds for the lattice $\langle \mathit{UCS}(A), \subseteq, \bigcup, \bigcap, A, \emptyset \rangle$ where the carrier is the set of $\succcurlyeq$-uc-sets.

Proof. The result holds because $\succcurlyeq$-dc-sets are closed under union and intersection, and so are the $\succcurlyeq$-uc-sets.

Definition 2.1 (downward & upward powerset lattices) Let $(A, \succcurlyeq)$ be a wqo-set. The complete lattices $\langle \mathit{DCS}(A), \subseteq, \bigcup, \bigcap, A, \emptyset \rangle$ and $\langle \mathit{UCS}(A), \subseteq, \bigcup, \bigcap, A, \emptyset \rangle$ are called the downward powerset lattice and the upward powerset lattice of $A$ and they are denoted $\mathit{DPL}(A)$ and $\mathit{UPL}(A)$, respectively.

Lemma 2.7 Let $(A, \succcurlyeq)$ be a wqo-set. The lattices $\mathit{DPL}(A)$ and $\mathit{UPL}(A)$ satisfy the descending chain condition and the ascending chain condition, respectively.

Proof. The result is shown using Lem. 2.3.

Complete Boolean Algebra. A complete boolean algebra is a 7-tuple $\langle L, \sqsubseteq, \bigsqcap, \bigsqcup, \top, \bot, \neg \rangle$ such that (i) $\langle L, \sqsubseteq, \bigsqcap, \bigsqcup, \top, \bot \rangle$ is a complete lattice which satisfies (ii) the distributivity law: $\forall a, b, c \in L : a \sqcap (b \sqcup c) = (a \sqcap b) \sqcup (a \sqcap c)$, and (iii) for each $a \in L$ there is some $\neg a \in L$ such that $a \sqcup \neg a = \top$ and $a \sqcap \neg a = \bot$. Given $a \in L$ we call $\neg a$ the complement of $a$.

Example 2.3 $\langle \wp(S), \subseteq, \bigcup, \bigcap, S, \emptyset, \neg \rangle$ of a set $S$, where $\neg$ denotes the set complement, i.e. $\lambda X.\, S \setminus X$, is a complete boolean algebra.


Moore family. Given a complete lattice $\langle L, \sqsubseteq, \bigsqcup, \bigsqcap, \top, \bot \rangle$, the Moore closure of $Y \subseteq L$ is given by $\{\bigsqcap Y' \mid Y' \subseteq Y\}$. We denote the Moore closure of $Y$ by $\mathcal{M}(Y)$. If $Y$ is such that $\mathcal{M}(Y) = Y$, then $Y$ is said to be a Moore family. Note that a Moore family $Y$ always contains a least element, $\bigsqcap Y$, and a greatest element, $\bigsqcap \emptyset$, which equals the $\sqsubseteq$-maximal element $\top$ of $L$; in particular a Moore family is never empty.

For instance, given the powerset lattice $\langle \wp(\{a, b, c\}), \subseteq, \bigcap, \bigcup, \emptyset, \{a, b, c\} \rangle$, we see that $\{\{a, b\}, \{a, c\}, \{a\}, \{a, b, c\}\}$ is a Moore family.

Now, we introduce the notions of Boolean closure and Boolean closed set. The Boolean closure is stronger than the Moore closure in the following sense: each set which is Boolean closed is also a Moore-family.

Boolean closure. Given a complete boolean algebra $\langle L, \sqsubseteq, \bigsqcup, \bigsqcap, \top, \bot, \neg \rangle$ and a finite subset $Y$ of $L$, $Y$ is said to be Boolean closed iff $\forall y_1, y_2 \in Y$: (i) $y_1 \sqcap y_2 \in Y$, (ii) $y_1 \sqcup y_2 \in Y$, and (iii) $\neg y_1 \in Y$. We define the function $\lambda X.\, \mathcal{B}(X)$ which returns the Boolean closure of its argument, i.e. the smallest set $B$ such that $X \subseteq B$ and $B$ is Boolean closed. In [DP89], a disjunctive normal form for the boolean terms (a boolean term over $X$ is any finite expression built using values of $X$ and the connectives $\sqcup$, $\sqcap$ and $\neg$) is introduced. This yields the conclusion that $B$ always exists, is unique and finite.

Properties of functions on complete lattices. Consider two complete lattices $\langle L_1, \sqsubseteq_1, \bigsqcup_1, \bigsqcap_1, \top_1, \bot_1 \rangle$ and $\langle L_2, \sqsubseteq_2, \bigsqcup_2, \bigsqcap_2, \top_2, \bot_2 \rangle$. Given a function $f \in L_1 \mapsto L_2$, we say that $f$ is monotone if $\forall l, l' \in L_1 : l \sqsubseteq_1 l' \Rightarrow f(l) \sqsubseteq_2 f(l')$.

Also $f$ is completely additive (resp. completely coadditive) when for all $C_1 \subseteq L_1$, $f$ satisfies $f(\bigsqcup_1 C_1) = \bigsqcup_2 f(C_1)$ (resp. $f(\bigsqcap_1 C_1) = \bigsqcap_2 f(C_1)$). For the sake of brevity, in what follows, we simply say additivity (resp. coadditivity) instead of complete additivity (resp. complete coadditivity).

The pair $\langle L_1 \mapsto L_2, \dot{\subseteq} \rangle$ is a poset for the pointwise ordering $f \mathrel{\dot{\subseteq}} g$ given by $\forall x \in L_1 : f(x) \sqsubseteq_2 g(x)$. If $f \mathrel{\dot{\subseteq}} g$ holds, we call $g$ an upper-approximation of $f$.

2.3 Fixpoints

Let $f$ be a function over a poset $(L, \sqsubseteq)$. A fixpoint of $f$ is an element $l \in L$ such that $f(l) = l$. We denote by $\mathrm{lfp}^{\sqsubseteq}(f)$ and $\mathrm{gfp}^{\sqsubseteq}(f)$, respectively, the least and the greatest fixpoint, when they exist, of $f$. If the poset is clear from the context, we simply write $\mathrm{lfp}(f)$, $\mathrm{gfp}(f)$. The well-known Knaster-Tarski theorem states that each monotone function $f \in L \mapsto L$ over a complete lattice $\langle L, \sqsubseteq, \bigsqcup, \bigsqcap, \top, \bot \rangle$ admits a least fixpoint and the following characterization holds:
$$\mathrm{lfp}(f) = \bigsqcap \{x \in L \mid f(x) \sqsubseteq x\} . \qquad (2.1)$$

Dually, $f$ also admits a greatest fixpoint and the following characterization holds:
$$\mathrm{gfp}(f) = \bigsqcup \{x \in L \mid x \sqsubseteq f(x)\} . \qquad (2.2)$$

The set $\{x \in L \mid f(x) \sqsubseteq x\}$ used in (2.1) defines the set of post fixpoints of the function $f$ and is denoted briefly $\mathit{postfp}(f)$; dually, the set $\{x \in L \mid x \sqsubseteq f(x)\}$ used in (2.2) defines the set of pre fixpoints of the function $f$ and is denoted briefly $\mathit{prefp}(f)$.

In what follows we constructively characterize least and greatest fixpoints by means of a sequence of values which converges to the fixpoint. Any such sequence is a chain. We call those chains iteration sequences. In general the whole class of ordinal numbers is needed to define the iteration sequence converging to the fixpoint (see [CC79a] and the references given there). However, driven by effectiveness concerns, we restrict our study of the constructive characterizations of fixpoints to the iteration sequences which stabilize after a finite number of steps. Roughly speaking, we restrict ourselves to those fixpoints such that the iteration sequence converges to it after a finite number of steps.

About the stabilization of an iteration sequence $\{I_i\}_{i \in \mathbb{N}}$: the sequence is said to have stabilized after a finite number of steps if and only if there exists $j$ such that for each $j' \geq j$ the equality $I_{j'} = I_j$ holds, in which case the limit of the sequence is given by $I_j$.

Definition 2.2 (Iteration sequences, iterates and iterated functions) Let $f$ be a monotone function over a complete lattice $\langle L, \sqsubseteq \rangle$; the upper iteration sequence of $f$ is the sequence $\{I_i\}_{i \in \mathbb{N}}$ where $I_0 = \bot$ and $I_{i+1} = f(I_i)$. Dually, the lower iteration sequence of $f$ is the sequence $\{I_i\}_{i \in \mathbb{N}}$ where $I_0 = \top$ and $I_{i+1} = f(I_i)$. When speaking about iteration sequences, we sometimes call $f$ the iterated function and each element of the iteration sequence an iterate.

The following proposition shows that the upper (resp. lower) iteration sequence of $f$ on a lattice satisfying the ACC (resp. DCC) converges to $\mathrm{lfp}(f)$ (resp. $\mathrm{gfp}(f)$) after a finite number of steps.

Proposition 2.1 Let $f$ be a monotone function over a complete lattice $\langle L, \sqsubseteq \rangle$. If $\langle L, \sqsubseteq \rangle$ satisfies the ACC then the upper iteration sequence of $f$ is an increasing chain (i.e. $I_i \sqsubseteq I_{i+1}$) which stabilizes to $\mathrm{lfp}(f)$ after a finite number of steps. Dually, if $\langle L, \sqsubseteq \rangle$ satisfies the DCC then the lower iteration sequence of $f$ is a decreasing chain (i.e. $I_{i+1} \sqsubseteq I_i$) which stabilizes to $\mathrm{gfp}(f)$ after a finite number of steps.

When $\langle L, \sqsubseteq \rangle$ does not satisfy the ACC, transfinitely many steps may be necessary for the upper iteration sequence to stabilize to $\mathrm{lfp}(f)$. It may also be the case that the iteration sequence stabilizes after a number of steps which is finite but so large that it is unacceptable in practice. However, using the notion of extrapolation [CC77], we are able to speed up the stabilization of the iteration sequence and obtain a close over-approximation of the least fixpoint after a (reasonably) finite number of steps.


Definition 2.3 (Widening operator) Given a complete lattice $\langle L, \sqsubseteq \rangle$, we define a widening operator $\nabla \in \mathbb{N} \mapsto (L \times L \mapsto L)$ as follows:

1. $\forall j > 0\; \forall x, y \in L : x \sqcup y \sqsubseteq x \nabla(j) y$;

2. for each ascending chain $y_0 \sqsubseteq y_1 \sqsubseteq y_2 \sqsubseteq \cdots \sqsubseteq y_n \sqsubseteq \cdots$ of elements of $L$, the ascending chain $x_0 = y_0,\; x_1 = x_0 \nabla(1) y_1,\; \ldots,\; x_n = x_{n-1} \nabla(n) y_n,\; \ldots$ stabilizes after a finite number of steps.

A widening operator will be used to extrapolate each iterate until a post fixpoint is found, in which case an over-approximation of the least fixpoint has been found.

Proposition 2.2 (From [CC92b]) Let $f \in L \mapsto L$ be a monotone function of the complete lattice $\langle L, \sqsubseteq, \bigsqcap, \bigsqcup, \top, \bot \rangle$, and let $\nabla$ be a widening operator. The sequence
$$x_0 = \bot, \qquad x_{n+1} = \begin{cases} x_n & \text{if } f(x_n) \sqsubseteq x_n \\ x_n \nabla(n+1) f(x_n) & \text{otherwise} \end{cases}$$
stabilizes after a finite number of steps. Moreover, the limit $u$ of this sequence is such that $\mathrm{lfp}(f) \sqsubseteq u$ and $f(u) \sqsubseteq u$.

This over-approximation can then be improved using a narrowing operator.

Definition 2.4 (Narrowing operator) Given a complete lattice $\langle L, \sqsubseteq \rangle$, we define a narrowing operator $\triangle \in \mathbb{N} \mapsto (L \times L \mapsto L)$ as follows:

1. $\forall j > 0\; \forall x, y \in L$ such that $y \sqsubseteq x$: $y \sqsubseteq x \triangle(j) y \sqsubseteq x$;

2. for each descending chain $y_0 \sqsupseteq y_1 \sqsupseteq y_2 \sqsupseteq \cdots \sqsupseteq y_n \sqsupseteq \cdots$ of elements of $L$, the descending chain $x_0 = y_0,\; x_1 = x_0 \triangle(1) y_1,\; \ldots,\; x_n = x_{n-1} \triangle(n) y_n,\; \ldots$ stabilizes after a finite number of steps.

Proposition 2.3 (From [CC92b]) Let $f \in L \mapsto L$ be a monotone function of the complete lattice $\langle L, \sqsubseteq \rangle$, and let $\triangle$ be a narrowing operator. The sequence
$$x_0 = u, \qquad x_{n+1} = x_n \triangle(n+1) f(x_n)$$
stabilizes after a finite number of steps. In addition each iterate is such that $\mathrm{lfp}(f) \sqsubseteq f(x_n) \sqsubseteq x_n$.

It is worth noting that, besides improving the over-approximation of least fixpoints, the narrowing operator can also be used to speed up the stabilization of a lower iteration sequence in a lattice $\langle L, \sqsubseteq \rangle$ which does not satisfy the DCC.
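An added Python illustration of Propositions 2.1 to 2.3 (not code from the thesis) on the interval lattice. The loop transformer `f`, the names `INF`, `widen` and `narrow`, and the iteration drivers are this example's own; the widening and narrowing are the standard interval ones and do not depend on the step index $j$ of Definitions 2.3 and 2.4 (a constant-in-$j$ operator is a valid instance of both definitions).

```python
"""Widening and narrowing on the interval lattice.

Added example, not from the thesis. The lattice is the set of integer
intervals (None is bottom, bounds may be infinite) ordered by inclusion. The
iterated function f is a constructed transformer for the loop
    i = 0; while i < 100: i = i + 1
namely f(X) = [0,0] join ((X meet [0,99]) + 1), whose least fixpoint is
[0,100]. The plain upper iteration sequence (Proposition 2.1) needs 101
steps; widening (Proposition 2.2) reaches a post-fixpoint in 2, and
narrowing (Proposition 2.3) then recovers the exact bound.
"""
INF = float("inf")


def leq(a, b):
    """Order: bottom is below everything, otherwise interval inclusion."""
    if a is None:
        return True
    if b is None:
        return False
    return b[0] <= a[0] and a[1] <= b[1]


def join(a, b):
    if a is None:
        return b
    if b is None:
        return a
    return (min(a[0], b[0]), max(a[1], b[1]))


def meet(a, b):
    if a is None or b is None:
        return None
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def f(x):
    """Monotone loop transformer: the entry value joined with the body applied
    to the part of x that satisfies the guard i < 100."""
    body = meet(x, (0, 99))
    if body is not None:
        body = (body[0] + 1, body[1] + 1)
    return join((0, 0), body)


def widen(a, b):
    """Standard interval widening: a bound that grew jumps to infinity, so any
    chain of widened values stabilises (Definition 2.3)."""
    if a is None:
        return b
    if b is None:
        return a
    return (a[0] if a[0] <= b[0] else -INF, a[1] if b[1] <= a[1] else INF)


def narrow(a, b):
    """Standard interval narrowing: only infinite bounds of a are replaced by
    those of b, hence b <= (a narrow b) <= a (Definition 2.4)."""
    if a is None or b is None:
        return None
    return (b[0] if a[0] == -INF else a[0], b[1] if a[1] == INF else a[1])


def upper_iteration(g, max_steps=10_000):
    """Proposition 2.1: I0 = bottom, I(i+1) = g(I(i)); returns the limit and
    the index at which the sequence stabilised."""
    x, j = None, 0
    while j < max_steps:
        nxt = g(x)
        if nxt == x:
            return x, j
        x, j = nxt, j + 1
    raise RuntimeError("no stabilisation within max_steps")


def iterate_with_widening(g, max_steps=10_000):
    """Proposition 2.2: x0 = bottom; x(n+1) = x(n) if g(x(n)) <= x(n), else
    x(n) widen g(x(n)). Returns the post-fixpoint u and the step count."""
    x, n = None, 0
    while n < max_steps:
        gx = g(x)
        if leq(gx, x):
            return x, n
        x, n = widen(x, gx), n + 1
    raise RuntimeError("no stabilisation within max_steps")


def iterate_with_narrowing(g, u, max_steps=10_000):
    """Proposition 2.3: x0 = u, x(n+1) = x(n) narrow g(x(n)); stops once the
    descending chain is stationary."""
    x, n = u, 0
    while n < max_steps:
        nxt = narrow(x, g(x))
        n += 1
        if nxt == x:
            return x, n
        x = nxt
    raise RuntimeError("no stabilisation within max_steps")
```

Running `iterate_with_widening(f)` yields the post-fixpoint $[0, +\infty)$ after two steps, where the plain iteration needs 101; `iterate_with_narrowing` started from that value returns $[0, 100]$, and every narrowing iterate satisfies $\mathrm{lfp}(f) \sqsubseteq f(x_n) \sqsubseteq x_n$ as Proposition 2.3 states.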

We conclude this brief discussion about fixpoints by showing a basic result regarding upper-approximations of iterated functions and then by recalling Park's fixpoint theorem. Both results are used in the exposé.

Lemma 2.8 Let $f_1, f_2$ be two monotone functions on a complete lattice $\langle L, \sqsubseteq \rangle$ such that $f_1 \mathrel{\dot{\subseteq}} f_2$ and let $Z \in L$; we have:
$$Z \in \mathit{postfp}(f_2) \rightarrow Z \in \mathit{postfp}(f_1) \qquad \mathrm{lfp}\, \lambda X.\, f_1(X) \sqsubseteq \mathrm{lfp}\, \lambda X.\, f_2(X)$$
$$Z \in \mathit{prefp}(f_1) \rightarrow Z \in \mathit{prefp}(f_2) \qquad \mathrm{gfp}\, \lambda X.\, f_1(X) \sqsubseteq \mathrm{gfp}\, \lambda X.\, f_2(X) .$$

Proof. We conclude from $Z \in \mathit{postfp}(f_2)$ that $f_2(Z) \sqsubseteq Z$ by definition of $\mathit{postfp}$, hence that $f_1(Z) \sqsubseteq Z$ by $\lambda X.\, f_1(X) \mathrel{\dot{\subseteq}} \lambda X.\, f_2(X)$.

We conclude from $Z \in \mathit{prefp}(f_1)$ that $Z \sqsubseteq f_1(Z)$ by definition of $\mathit{prefp}$, hence that $Z \sqsubseteq f_2(Z)$ by $\lambda X.\, f_1(X) \mathrel{\dot{\subseteq}} \lambda X.\, f_2(X)$.

Then, Eq. (2.1), (2.2) and the above results conclude the proof.

Theorem 2.1 (From [Par69]) Let $\langle L, \sqsubseteq, \bigsqcap, \bigsqcup, \top, \bot, \neg \rangle$ be a complete boolean algebra and let $f \in L \mapsto L$ be a monotone function; then $g = \lambda X.\, \neg(f(\neg X))$ is a monotone function on $L$ and $\mathrm{gfp}(f) = \neg\,\mathrm{lfp}(g)$.

2.4 Transition systems

A transition system (or TS for short) is a triple $(C, T, I)$ where $C$ is the set of states, $T \subseteq C \times C$ is the transition relation and $I \subseteq C$ is the subset of initial states. Often, we write $s \to s'$ if $(s, s') \in T$, $s \to^* s'$ if $(s, s') \in T^*$ and $s \to^k s'$ if $(s, s') \in T^k$ for $k \in \mathbb{N}$.

Predicate Transformers. A predicate is a Boolean formula defining a set of states: the ones satisfying the formula. To manipulate sets of states, we use predicate transformers.

The forward image operator is a function that, given a relation $T' \subseteq C \times C$ and a set of states $C' \subseteq C$, returns the set $\mathit{post}[T'](C') = \{c' \in C \mid \exists c \in C' : (c, c') \in T'\}$. When the forward image operator is used with the transition relation $T$, it is called the post operator and it returns, given a set of states $C'$, all their one step successors in the transition system; we simply write it $\mathit{post}(C')$.


The backward image operator is a function that, given a relation $T' \subseteq C \times C$ and a set of states $C' \subseteq C$, returns the set $\mathit{pre}[T'](C') = \{c \in C \mid \exists c' \in C' : (c, c') \in T'\}$. When the backward image operator is used with the transition relation $T$, it is called the pre operator and it returns, given a set of states $C'$, all their one step predecessors in the transition system; we simply write it $\mathit{pre}(C')$.

The unavoidable operator is a function that, given a relation $T' \subseteq C \times C$ and a set of states $C' \subseteq C$, returns the set $\widetilde{\mathit{pre}}[T'](C') = \neg\mathit{pre}[T'](\neg C') = \neg\mathit{post}[T'^{-1}](\neg C') = \{c \in C \mid \forall c' : (c, c') \in T' \Rightarrow c' \in C'\}$. When the unavoidable operator is used with the transition relation $T$, it is called the pre tilde operator and it returns, given a set of states $C'$, all the states which have all their one step successors in the set $C'$; we simply write it $\widetilde{\mathit{pre}}(C')$.

Monotonicity. We can distinguish two types of monotonicity for the predicate transformers. First, let $T_1 \subseteq C \times C$ be a relation over $C$; for all $S, S'$ such that $S \subseteq S' \subseteq C$ we have:
$$\mathit{post}[T_1](S) \subseteq \mathit{post}[T_1](S') , \qquad \widetilde{\mathit{pre}}[T_1](S) \subseteq \widetilde{\mathit{pre}}[T_1](S') .$$

Also, given $T_2 \subseteq C \times C$ such that $T_1 \subseteq T_2$, we have:
$$\lambda X.\, \mathit{post}[T_1](X) \mathrel{\dot{\subseteq}} \lambda X.\, \mathit{post}[T_2](X) , \qquad \lambda X.\, \widetilde{\mathit{pre}}[T_2](X) \mathrel{\dot{\subseteq}} \lambda X.\, \widetilde{\mathit{pre}}[T_1](X) .$$

In the sequel, when we refer to the monotonicity of $\mathit{post}$ or $\widetilde{\mathit{pre}}$, which definition to use should be clear from the context.

Fixpoints of Transition Systems. Given a transition system $(C, T, I)$, the set of reachable states is given by the least fixpoint $\mathrm{lfp}\, \lambda X.\, I \cup \mathit{post}[T](X)$. As shown in [CC99], this fixpoint coincides with $\mathit{post}[T^*](I)$, also written $\mathit{post}^*(I)$ when the transition relation is clear from the context. A state $s$ is said to be reachable if $s \in \mathit{post}^*(I)$.

Dually, given a set $S$ of states, the set of states that are stuck in $S$ (or also that cannot escape from $S$) is given by the greatest fixpoint $\mathrm{gfp}\, \lambda X.\, S \cap \widetilde{\mathit{pre}}[T](X)$. As shown in [CC99], this fixpoint coincides with $\widetilde{\mathit{pre}}[T^*](S)$, also written $\widetilde{\mathit{pre}}^*(S)$ when the transition relation is clear from the context.
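The predicate transformers and the two fixpoints of this section, as an added Python example (not code from the thesis) on a small constructed transition system. The state space `C`, transition relation `T`, initial set `I` and error state `BAD` are made up for the illustration, and Park's duality (Theorem 2.1) is used as an independent cross-check of the greatest fixpoint.

```python
"""Predicate transformers and fixpoints of a finite transition system.

Added example, not from the thesis. States, transitions and the error state
are constructed for the illustration; post, pre and pre_tilde follow the
definitions of Section 2.4, and the fixpoints are computed by the upper and
lower iteration sequences, which stabilise because the powerset of a finite
set satisfies both chain conditions (Proposition 2.1).
"""
C = frozenset(range(6))                                   # constructed state space
T = frozenset({(0, 1), (1, 2), (2, 1), (2, 3), (3, 3),    # constructed transition relation
               (4, 5), (5, 5)})
I = frozenset({0})                                        # initial states
BAD = frozenset({5})                                      # constructed error state


def post(X, rel=T):
    """Forward image: one-step successors of X."""
    return frozenset(c2 for (c1, c2) in rel if c1 in X)


def pre(X, rel=T):
    """Backward image: one-step predecessors of X."""
    return frozenset(c1 for (c1, c2) in rel if c2 in X)


def pre_tilde(X, rel=T, states=C):
    """Unavoidable operator pre~(X) = not pre(not X): the states all of whose
    successors lie in X (a state without successors is included)."""
    return states - pre(states - X, rel)


def lfp(g, bottom=frozenset()):
    """Upper iteration sequence from bottom (Proposition 2.1, ACC case)."""
    x = bottom
    while True:
        nxt = g(x)
        if nxt == x:
            return x
        x = nxt


def gfp(g, top=C):
    """Lower iteration sequence from top (Proposition 2.1, DCC case)."""
    x = top
    while True:
        nxt = g(x)
        if nxt == x:
            return x
        x = nxt


def reachable():
    """post*(I) computed as lfp X. I | post(X)."""
    return lfp(lambda X: I | post(X))


def stuck_in(S):
    """pre~*(S) computed as gfp X. S & pre~(X): states that can never leave S."""
    return gfp(lambda X: S & pre_tilde(X))


def stuck_in_via_park(S):
    """Theorem 2.1 in the boolean algebra of state sets:
    gfp(f) = not lfp(X. not f(not X)); used as a cross-check of stuck_in."""
    f = lambda X: S & pre_tilde(X)
    return C - lfp(lambda X: C - f(C - X))


def is_safe(bad=BAD):
    """Safety: no bad state is reachable. Checked in the forward direction
    (reachable states avoid bad) and in the backward direction (the initial
    states are stuck in the complement of bad); the two must agree."""
    forward = not (reachable() & bad)
    backward = I <= stuck_in(C - bad)
    assert forward == backward
    return forward
```

On the constructed system the reachable set is $\{0, 1, 2, 3\}$, so the error state is unreachable; asking instead whether state 3 is avoidable gives the opposite verdict in both directions, which is the kind of agreement between $\mathit{post}^*$ and $\widetilde{\mathit{pre}}^*$ the next chapters rely on.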

We now define a subclass of TS which will be studied in Chapt. 4 and, to some extent, in Chapt. 5 and Chapt. 6.

Well-Structured Transition System (WSTS for short) (From [FS01]). A WSTS $((C, \succcurlyeq), \delta, c_0)$ is a TS where $(C, \succcurlyeq)$ is a wqo-set of states, $\delta \subseteq C \times C$ is a transition relation, and $c_0$ is a singleton initial state. Moreover, the strong compatibility condition holds, that is $\forall x_1, x_2, x_3\; \exists x_4 : (x_3 \succcurlyeq x_1 \wedge x_1 \to x_2) \Rightarrow (x_3 \to x_4 \wedge x_4 \succcurlyeq x_2)$.

Examples of WSTS are Petri nets [Rei86], monotone extensions of Petri nets (Petri nets with transfer arcs [Cia94], Petri nets with reset arcs [DFS98], and Petri nets with non-blocking arcs [RVanB04]), broadcast protocols [EN98] and lossy channel systems [AJ96]. The next lemma gives some properties on the predicate transformers of WSTS.

Lemma 2.9 Let $((C, \succcurlyeq), \delta, c_0)$ be a WSTS; we have:
$$\mathit{pre}[\delta](U) \in \mathit{UCS}(C) \text{ for any } U \in \mathit{UCS}(C) , \qquad \widetilde{\mathit{pre}}[\delta](S) \in \mathit{DCS}(C) \text{ for any } S \in \mathit{DCS}(C) .$$

Proof. The first statement is shown in [ACJT96] at Lem. 3.2. For the second statement, we know that $\neg U \in \mathit{DCS}(C)$ if $U \in \mathit{UCS}(C)$. Hence, the definition $\widetilde{\mathit{pre}} = \lambda X.\, \neg\mathit{pre}(\neg X)$ and the first statement prove that for each $V \in \mathit{DCS}(C)$, $\widetilde{\mathit{pre}}[\delta](V) \in \mathit{DCS}(C)$.

2.5 Elementary Notions of Abstract Interpretation

In this thesis, the Galois connection framework [CC92a] is used to define the abstract interpretation of transition systems.

Galois connections. In the Galois connection framework, we have on one side a complete lattice $\langle L, \leq, \bigvee, \bigwedge, \top_L, \bot_L \rangle$, called the concrete domain, and on the other side we have another complete lattice $\langle A, \sqsubseteq, \bigsqcup, \bigsqcap, \top_A, \bot_A \rangle$, called the abstract domain. These two domains are related to each other by a pair of total functions $(\alpha, \gamma)$ such that $\alpha \in L \mapsto A$ is the abstraction function and $\gamma \in A \mapsto L$ is the concretization function. Moreover the 4-tuple $(\alpha, \langle L, \leq \rangle, \langle A, \sqsubseteq \rangle, \gamma)$ forms a Galois connection [Cou78], that is:
$$\forall x \in L\; \forall y \in A : \alpha(x) \sqsubseteq y \Leftrightarrow x \leq \gamma(y) .$$

We briefly denote this fact as $\langle L, \leq \rangle \xrightleftharpoons[\alpha]{\gamma} \langle A, \sqsubseteq \rangle$, or simply $\xrightleftharpoons[\alpha]{\gamma}$ when both the concrete and abstract domains are clear from the context. Finally, we write $\gamma(A)$ for the subset of $L$ given by $\{\gamma(a) \mid a \in A\}$.

The orderings on the concrete and abstract domains describe the relative precision of domain values: $x \leq y$ means that $x$ is more precise than $y$, i.e. $y$ carries less information than $x$. The Galois connection allows us to relate the concrete and abstract notions of precision: an abstract value $a \in A$ approximates a concrete value $c \in L$ when $\alpha(c) \sqsubseteq a$, or equivalently (by definition of the Galois connection), $c \leq \gamma(a)$.

Below we further characterize Galois connections. Then we provide some intuitions.

Lemma 2.10 (From [Cou78]) For each Galois connection $\langle L, \leq \rangle \xrightleftharpoons[\alpha]{\gamma} \langle A, \sqsubseteq \rangle$ the following hold:

• $\alpha$ and $\gamma$ are monotone functions,

• $x \leq \gamma \circ \alpha(x)$ and $\alpha \circ \gamma(y) \sqsubseteq y$,¹

• $\alpha$ is additive and $\gamma$ is coadditive,

• $\alpha = \alpha \circ \gamma \circ \alpha$ and $\gamma = \gamma \circ \alpha \circ \gamma$,

• the concretization and the abstraction functions uniquely define each other:
$$\alpha(c) = \bigsqcap \{a \mid c \leq \gamma(a)\} \qquad \gamma(a) = \bigvee \{c \mid \alpha(c) \sqsubseteq a\} ,$$

• the set $\gamma(A)$ is a Moore family. It follows that $\forall a_1, a_2 \in \gamma(A) : a_1 \wedge a_2 \in \gamma(A)$.

From the above lemma, we see that, by requiring a Galois connection, it turns out that $\alpha(c)$ is the best possible approximation of $c$ in $A$ in the following sense: for each $a \in A$ such that $c \leq \gamma(a)$ we have $\alpha(c) \sqsubseteq a$.

Also, given a concrete value $c \in L$, we say that $c$ is exactly represented in $A$ iff $\gamma \circ \alpha(c) = c$. Equivalently, there exists $a \in A$ such that $c = \gamma(a)$. So, from the above reasoning we deduce that $\gamma \circ \alpha(c) = c$ iff $c \in \gamma(A)$.

Below, we give another definition of a Galois connection based on the above lemma.

Lemma 2.11 The following equivalence holds: $\langle L, \leq \rangle \xrightleftharpoons[\alpha]{\gamma} \langle A, \sqsubseteq \rangle$ iff $\alpha$ and $\gamma$ are monotone functions, $\forall x \in L : x \leq \gamma \circ \alpha(x)$ and $\forall y \in A : \alpha \circ \gamma(y) \sqsubseteq y$.

Proof. First, we show that $\forall x \in L\; \forall y \in A : \alpha(x) \sqsubseteq y \Leftrightarrow x \leq \gamma(y)$ holds using the alternative definition.
$$\begin{array}{lll}
& \alpha(x) \sqsubseteq y & \text{hyp} \\
\Rightarrow & \gamma \circ \alpha(x) \leq \gamma(y) & \gamma \text{ monotonicity} \\
\Rightarrow & x \leq \gamma(y) & x \leq \gamma \circ \alpha(x)
\end{array}
\qquad
\begin{array}{lll}
& x \leq \gamma(y) & \text{hyp} \\
\Rightarrow & \alpha(x) \sqsubseteq \alpha \circ \gamma(y) & \alpha \text{ monotonicity} \\
\Rightarrow & \alpha(x) \sqsubseteq y & \alpha \circ \gamma(y) \sqsubseteq y
\end{array}$$

¹ Hint: you can retrieve these properties by following in $\langle L, \leq \rangle \xrightleftharpoons[\alpha]{\gamma} \langle A, \sqsubseteq \rangle$ first $\alpha$ then $\gamma$, or vice versa, and observing that you came back at a higher or lower position.
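An added Python check (not code from the thesis) of the defining property of a Galois connection and of each item of Lemma 2.10, on a constructed concrete domain $\wp(U)$ and an abstract domain that records which blocks of a constructed partition of $U$ may be occupied. The universe `U`, the partition `BLOCKS` and all function names are this example's own; both domains are small enough to enumerate completely, so every property is verified exhaustively rather than on a sample.

```python
"""A Galois connection checked by brute force.

Added example, not from the thesis. The concrete domain is the powerset of a
small constructed universe U ordered by inclusion; the abstract domain is the
powerset of the blocks of a constructed partition of U, ordered by inclusion
(an abstract value says which blocks may be occupied). The pair (alpha, gamma)
is checked against the definition of a Galois connection and against each item
of Lemma 2.10.
"""
from itertools import combinations

U = frozenset(range(7))                                                 # constructed universe
BLOCKS = (frozenset({0, 1}), frozenset({2, 3, 4}), frozenset({5, 6}))  # constructed partition


def subsets(s):
    """All subsets of a finite set, as frozensets."""
    s = sorted(s)
    return [frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r)]


L = subsets(U)                          # concrete domain: (P(U), subset)
A = subsets(range(len(BLOCKS)))         # abstract domain: (P(block indices), subset)


def alpha(x):
    """Abstraction: the indices of the blocks that x touches."""
    return frozenset(i for i, b in enumerate(BLOCKS) if x & b)


def gamma(y):
    """Concretisation: the union of the chosen blocks."""
    return frozenset().union(*(BLOCKS[i] for i in y))


def is_galois_connection():
    """Defining property: alpha(x) <= y  iff  x <= gamma(y), for all x, y."""
    return all((alpha(x) <= y) == (x <= gamma(y)) for x in L for y in A)


def lemma_2_10_properties():
    """Each item of Lemma 2.10, evaluated exhaustively on the two domains."""
    gamma_A = {gamma(y) for y in A}
    return {
        "alpha monotone": all(alpha(x1) <= alpha(x2) for x1 in L for x2 in L if x1 <= x2),
        "gamma monotone": all(gamma(y1) <= gamma(y2) for y1 in A for y2 in A if y1 <= y2),
        "x <= gamma(alpha(x))": all(x <= gamma(alpha(x)) for x in L),
        "alpha(gamma(y)) <= y": all(alpha(gamma(y)) <= y for y in A),
        "alpha additive": all(alpha(x1 | x2) == alpha(x1) | alpha(x2) for x1 in L for x2 in L),
        "gamma coadditive": all(gamma(y1 & y2) == gamma(y1) & gamma(y2) for y1 in A for y2 in A),
        "alpha = alpha.gamma.alpha": all(alpha(gamma(alpha(x))) == alpha(x) for x in L),
        "gamma = gamma.alpha.gamma": all(gamma(alpha(gamma(y))) == gamma(y) for y in A),
        "gamma(A) Moore family": U in gamma_A
            and all(g1 & g2 in gamma_A for g1 in gamma_A for g2 in gamma_A),
    }


def alpha_from_gamma(c):
    """alpha(c) = meet of {a | c <= gamma(a)} (Lemma 2.10); the meet in the
    powerset of block indices is intersection."""
    candidates = [a for a in A if c <= gamma(a)]       # never empty: the top value qualifies
    return frozenset.intersection(*candidates)


def best_approximation_holds():
    """alpha(c) is the most precise abstract value over-approximating c."""
    return all(alpha_from_gamma(c) == alpha(c) for c in L)


def exactly_represented(c):
    """c is exactly represented iff gamma(alpha(c)) = c, i.e. c in gamma(A)."""
    return gamma(alpha(c)) == c
```

A concrete set that cuts a block in half, such as $\{0\}$, is not exactly represented: its abstraction is the whole block $\{0, 1\}$, which is the loss of precision the Galois connection makes explicit and which the abstraction refinement of Chapter 3 is designed to repair.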
