Closed and Logical Relations for Over- and Under-Approximation of Powersets

We redevelop and extend Dams’s results on overand underapproximation with higher-order Galois connections: (1) We show how Galois connections are generated from U-GLB-L-LUBclosed binary relations, and we apply them to lower and upper powerset constructions, which are weaker forms of powerdomains appropriate for abstraction studies. (2) We use the powerset types within a family of logical relations, show when the logical relations preserve U-GLB-L-LUB-closure, and show that simulation is a logical relation. We use the logical relations to rebuild Dams’s most-precise simulations, revealing the inner structure of overand under-approximation. (3) We extract validation and refutation logics from the logical relations, state their resemblance to Hennessey-Milner logic and description logic, and obtain easy proofs of soundness and best precision. Almost all Galois-connection-based static analyses are over-approximating: For Galois connection, (P(C),⊆)〈αo, γ〉(A,vA), an abstract value a ∈ A proclaims a property of all the outputs of a program. For example, even ∈ Parity (see Figure 2 for the abstract domain Parity) asserts, “∀even” — all the program’s outputs are even numbers, that is, the output is a set from {S ∈ P(Nat) | S ⊆ γ(even)}. An under-approximatingGalois connection, (P(C),⊇)〈αu, γ〉A , whereA = (A,wA), is the dual. Here, even ∈ Parity op asserts that all even numbers are included in the program’s outputs — a strong assertion. Also, we may reuse γ : A → P(C) as the upper adjoint from A to P(C) iff γ preserves joins in (A,vA) — another strong demand. Fortunately, there is an alternative view of under-approximation: a ∈ A asserts an existential property — there exists an output with property a. For example, even ∈ Parity asserts “∃even” — there is an even number in the program’s outputs, which is a set from {S ∈ P(Nat) | S ∩ γ(even) 6= ∅}. Now, we can generalize both overand under-approximation to multiple properties, e.g., ∀{even, odd} ≡ ∀(even ∨odd) — all outputs are evenor odd-valued; and ∃{even, odd} ≡ ∃even ∧ ∃odd — the output set includes an even value and an odd value. These examples “lift” A and A into the powerset lattices, PL(A) and PU (A), respectively, and set the stage for the problem studied in this paper. ? [email protected]. Supported by NSF ITR-0085949 and ITR-0086154. Fig. 1. An example mixed transition system Concrete transition system: Σ = {c0, c1, c2} R = {(c0, c1), (c1, c2)} c0 c1 c2 Approximating the state set, Σ, by A = {⊥, a0, a12,>}; α : P(Σ)→ A is: α{c0} = a0, α{c1} = a12 = α{c2} = α{c1, c2}, α{c1, c2, c3} = >, etc. Over-approximating (“may” : ∃∃) transition system: A = {⊥, a0, a12,>} R = {(a0, a12), (a12, a12), (>, a12)} a0 a12 Under-approximating (“must” : ∀∃) transition system: A = {⊥, a0, a12,>} R = {(a0, a12), (⊥,⊥)} a0 a12 The mixed transition system is (A,R, R). 1 Dams’s mixed-transition systems In his thesis [10] and in subsequent work [11], Dams studied overand underapproximations of state-transition relations, R ⊆ C×C, for a discretely ordered set, C, of states. Given complete lattice (A,vA) and the Galois connection, (P(C),⊆)〈α, γ〉(A,vA), Dams defined an over-approximating transition relation, R ⊆ A×A, and an under-approximating transition relation, R ⊆ A×A, as follows: aRa iff a ∈ {α(Y ) | Y ∈ min{S | R(γ(a), S)}} aRa iff a ∈ {α(Y ) | Y ∈ min{S | R(γ(a), S)}} such that R ρ-simulates R (that is, all R-transitions are mimicked by R, modulo ρ ⊆ C × A, where c ρ a iff c ∈ γ(a)), and R ρ-simulates R. See Figure 1 for an example of R and its mixed transition system, R, R. For the branching-time modalities 2 (∀R) and 3 (∃R), a |= 2φ iff for all a, aRa implies a |= φ a |= 3φ iff there exists a such that aRa and a |= φ Dams proved soundness: a |= φ and c ρ a imply c |= φ. With impressive work, Dams also proved “best precision” [11]: For all ρ(and ρ-) simulations, R and R preserve the most 23-(mu-calculus [20, 21]) properties. 1 R, R, and the definitions themselves are explained later in the paper. 1.1 Can we derive Dams’s results within Galois-connection theory? Given that Dams begins with a Galois connection, it should be possible to reconstruct his results entirely within a theory of higher-order Galois connections and gain new insights in the process. We do so in this paper. First, we treat R ⊆ C × C as R : C → P(C). This makes R : A → PL(A), where PL(·) is a lower (⊆-ordered) powerset constructor. 2 Given the Galois connection, P(C)〈ατ , γτ 〉A, on states, we “lift” it to a Galois connection on powersets, F [P(C)]〈αF [τ ], γF [τ ]〉PL(A), so that 1. R ρ-simulates R iff extF [τ ](R) ◦ γτ vA→F [P(C)] γF [τ ] ◦R ] 2. the soundness of a |= 2φ follows from Item 1 3. R best = αF [τ ] ◦ extF [τ ](R) ◦ γτ We do similar work for R best : A → PU (A) and 3φ, where PU (·) is an upper (⊇-ordered) powerset constructor. The crucial question is: What is F [P(C)]? That is, how should we concretize a set T ∈ PL(A)? First, we write c ρτ a to assert that c ∈ C is approximated by a ∈ A. (For example, for Galois connection, P(C)〈ατ , γτ 〉A, define c ρτ a iff c ∈ γτ (a).) Then, S ∈ P(C) is approximated by T ∈ PL(A) iff S ρPL(τ) T , where S ρPL(τ) T iff for every c ∈ S, there exists a ∈ T such that c ρτ a 4 L P (C) . . a . . . c . . P L τ ρ P (A) L =T S= This might suggest that F [P(C)] is just P(C), and the concretization, γP(ρτ ) : PL(A) → P(C), is γP(ρτ )(T ) = ∪{S | S ρPL(τ) T}, which concretizes T to the largest set that is approximated by T . But, as suggested by this paper’s prelude, an alternative is to define F [P(C)] as PL(P(C)), because if an abstract state a ∈ A concretizes to a set of states, γτ (a) ⊆ C, then set T ∈ PL(A) should concretize to a set of sets of states: . . . . . . . . . P L τ ρ P (A) L S= (P (C)) PL L . . . . . =T That is, S̄ ∈ PL(P(C)) is approximated by T ∈ PL(Aτ ) iff for every set S ∈ S̄, S ρPL(τ) T . This makes γP̄L(τ)(T ) = {S | S ρPL(τ) T}, which concretizes T to the set of all sets approximated by T . For over-approximation, both approaches yield the same definition of R best : A→ PL(A), but a sound under-approximation utilizes the second approach: 2 Think of the elements of PL(A) as sets of properties, like ∀{even, odd}, as described in the prelude to Section 1. 3 Think of the elements of PU (A) as sets of properties, like ∃{even, odd}. 4 This is the lower half of the Egli-Milner ordering, such that when ρτ ⊆ C×C equals vτ , freely generates the lower (“Hoare”) powerdomain. Fig. 2. An under-approximation of sets of natural numbers by sets of parities Let Nat be the discretely ordered set of natural numbers, and let complete lattice any