A calculus of logical relations for over- and underapproximating static analyses

Motivated by Dennis Dams’s studies of overand underapproximation of statetransition systems, we define a logical-relation calculus for Galois-connection building. The calculus lets us define overapproximating Galois connections in terms of lower powersets and underapproximating Galois connections in terms of upper powersets. Using the calculus, we synthesize Dams’s most-precise overand underapproximating transition systems and obtain proofs of their soundness and best precision as corollaries of abstract-interpretation theory. As a bonus, the calculus yields a logic that corresponds to the variant of Hennessy-Milner logic used in Dams’s results. Following from a corollary, we have that Dams’s most-precise approximations soundly validate the most properties that hold true for the corresponding concrete system. These results bind together abstract interpretation to abstract model checking, as intended by Dams. Galois-connection-based abstract interpretation underlies most static analyses of programs [9,30,36]; it supplies machinery for synthesizing sound, abstract computation functions from a program’s concrete computation functions and demonstrating when the abstract functions are as precise as possible [19,40]. Abstract interpretation is well suited to static analyses that must validate universally quantified properties (e.g., for all execution paths, there is absence of arithmetic overflow [3]). Such analyses must be overapproximating. In contrast, nondeterministic and reactive systems possess existential properties (e.g., there exists a path to a reset state [33]), and their validation requires an underapproximating analysis [20,38].interpretation is well suited to static analyses that must validate universally quantified properties (e.g., for all execution paths, there is absence of arithmetic overflow [3]). Such analyses must be overapproximating. In contrast, nondeterministic and reactive systems possess existential properties (e.g., there exists a path to a reset state [33]), and their validation requires an underapproximating analysis [20,38]. In his thesis and related work [13,15], Dams studied simultaneous overand underapproximating analyses of reactive systems, where a Galois connection 1 www.cis.ksu.edu/∼schmidt. Supported by NSF ITR-0085949 and ITR-0086154. Preprint submitted to Elsevier Science 22 November 2005 defines the relation between a concrete system’s states and the abstract states to be used in an abstract system. Dams noted a duality between overand underapproximation and used it to define an algorithm that constructs overapproximating and underapproximating systems based on the Galois connection. Remarkably, he proved that his “mixed” over-underapproximation preserves the most temporal-logic properties true of the original reactive system ([15], Theorem 4.1.2). Dams’s results were impressive, but unfinished, for they did not employ the usual abstract-interpretation theory for synthesizing the abstract system from the concrete one and the Galois connection, nor did they yield their expressivity results from the usual corollaries of abstract-interpretation theory. In this paper, we provide the missing link between Dams’s systems and abstract interpretation. The key is using appropriate powerset domains for abstracting the codomains of the transition functions of a nondeterministic reactive system: We use lower powersets [24,26,39] to model overapproximation and upper powersets [24,26,39,46] to model underapproximation. We develop the theory within a calculus of logical relations on base types, function tyes, and upper and lower powerset types, which lets us build the overand underapproximations in small, well understood steps. As a bonus, the logical-relations calculus yields a natural logic that matches the one Dams used in his work, and we obtain his expressivity results for free. The paper is structured as follows. Section 1 surveys the problem area: It reviews Galois connections and state-transition systems, explains the difficulties in defining underapproximations, and describes an approach based on lower and upper powersets. Transition systems and Dams’s mixed-transition systems are reviewed in Sections 2 and 3, and Section 3.1 surveys our approach to proving Dams’s results with Galois-connection theory. The formal development begins in Section 4, where Galois connections are characterized as U-GLB-L-LUB-closed binary relations between concrete and abstract domains. The lower and upper powerset constructions are carefully developed in Section 5, preparing the way in Section 6 for a calculus of logical relations that utilizes powerset types. Generation and preservation of closure properties within the calculus are proved in Section 7, and Sections 8 and 9 apply the results to synthesizing Dams’s most-precise overand underapproximating analyses. Finally, Section 10 extracts a validation logic from the logical relations and shows that the most-precise approximations preserve the most properties in the logic.