## Comparing completeness properties of static analyses and their logics (2006)

Venue: Proc. 2006 Asian Programming Languages and Systems Symposium (APLAS’06), volume 4279 of Lecture Notes in Computer Science

Citations: 13 (4 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Schmidt06comparingcompleteness,
  author    = {David A. Schmidt},
  title     = {Comparing completeness properties of static analyses and their logics},
  booktitle = {Proc. 2006 Asian Programming Languages and Systems Symposium (APLAS'06), volume 4279 of Lecture Notes in Computer Science},
  year      = {2006},
  pages     = {183--199},
  publisher = {Springer-Verlag}
}
```


### Abstract

Static analyses calculate abstract states, and their logics validate properties of the abstract states. We place into perspective the variety of forwards, backwards, functional, and logical completeness used in abstract-interpretation-based static analysis by giving examples and by proving equivalences, implications, and independences. We expose two fundamental Galois connections that underlie the logics for static analyses and reveal a new completeness variant, O-completeness. We also show that the key concept underlying logical completeness is covering, which we use to relate the various forms of completeness.

When we use a static analysis, like data-flow analysis or model checking, to validate a program for correctness or code improvement, we must carefully define the domain of properties the analysis can calculate so that it includes both the goal properties we seek to validate as well as intermediate properties that lead to the goals. Say we try to validate {?} y := −y; x := y + 1 {isPositive(x)}; our analysis requires properties like isNegative to calculate a sound precondition:

### Citations

**Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints** - Cousot, Cousot - 1977 (2004 citations)

**Model checking and abstraction** - Clarke, Grumberg, et al. - 1994 (674 citations)

Citation context: ...completeness was defined by Cousot [6] and Cousot and Cousot [8]. Mycroft [22] was perhaps the first to use B-completeness to define logical completeness; at the same time, Clarke, Grumberg, and Long [4] defined “exactness,” stated in terms of homomorphisms, h : D → A: h(c) |=_A φ iff c |= φ, which is strong preservation. Abstractions of state-transition systems led both Cleaveland, Iyer, and Yankevi...

**Systematic design of program analysis frameworks** - Cousot, Cousot (667 citations)

Citation context: ...ng, which we use to relate the various forms of completeness. §1 Galois connections and functional completeness. We use Galois connections to abstract concrete data into properties. A Galois connection [8, 15] between two partially ordered sets, (C, ⊆) and (A, ⊑), written C〈α, γ〉A, is a pair of functions, α : C → A and γ : A → C, such that for all c ∈ C and a ∈ A, c ⊆ γ(a) iff α(c) ⊑ a. The adjunction is e...

**Counterexample-guided abstraction refinement** - Clarke, Grumberg, et al. - 2000 (663 citations)

Citation context: ...g., a static analysis of x := 1; if x = 1 then safe() else error() using Sign announces that error() is reachable. This false counterexample is eliminated by counterexample-guided abstraction refinement [2, 3, 27], which adds new values to Sign (in this case, one), moving towards F-completeness [16]. In the previous section, we noted that the set inclusion, α_o[φ] ⊆ [φ]_A, does not guarantee soundness. Noneth...

**Parametric shape analysis via 3-valued logic** - Sagiv, Reps, et al. - 1999 (579 citations)

Citation context: ... B-completeness in an abstract logic is a famous trouble spot, e.g., we are asked to validate any |=_A neg ∨ zero ∨ pos — the above definition fails to do so, and a focus or materialization operation [14, 26] must be employed to decompose any into a set of covering cases, such as {neg, zero, pos} (because γ(any) ⊆ γ(neg) ∪ γ(zero) ∪ γ(pos)), and a proof-by-cases analysis is undertaken. Footnote 10: The second diagram...

**Abstract interpretation of reactive systems** - Dams, Gerth, et al. - 1997 (259 citations)

Citation context: ... of homomorphisms, h : D → A: h(c) |=_A φ iff c |= φ, which is strong preservation. Abstractions of state-transition systems led both Cleaveland, Iyer, and Yankevich [5] and Dams, Gerth, and Grumberg [13] to define an “optimal” abstract transition system as one that proves the most sound logical properties of a concrete system. Their definitions are not Galois-connection based but use the definition o...

**Abstract interpretation** - Cousot - 1996 (212 citations)

Citation context: ...undness, stated in terms of γ, [·] : L → P(D), and [·]_A : L → P↓(A): Footnote 5: f must be chain continuous for the technique to converge correctly [16]. Footnote 6: P↓(A) is in fact the disjunctive completion of A [8, 9], often used to lift a γ that does not preserve ⊔_A into a γ that preserves ∪_{P↓(A)}, in effect adding disjunction to P↓(A)’s internal logic...

**Boolean and cartesian abstractions for model checking C programs** - Ball, Podelski, et al. (176 citations)

Citation context: ...completeness. §5.3 Predicate abstraction. When an abstract domain is generated from a set, A, of assertions for variables within a program (e.g., x > y, ¬(y = 0), ...), it is called a predicate abstraction [1, 2, 18, 27]. The resulting static analysis annotates program points with sets of predicates that hold true at the program points. We begin with the concrete state set, D, predicate set, A, and judgement relation...

**Property preserving abstractions for the verification of concurrent systems** - Loiseaux, Graf, et al. - 1995 (142 citations)

Citation context: ...sult. ✷ Giacobazzi and Quintarelli [16] (and Mastroeni [20]) show how to apply the F-complete shell construction to additive (continuous) f to achieve Item 1 above. Recall that pre f(S) = ∼ p̃re f(∼S) [19]; when pre f is not F-complete, Ranzato and Tapparo apply the F-complete-shell construction to pre f [23]. The resulting abstract domain is still partitioned and its γ preserves ∼, so the equivalence,...

**Abstract Interpretation and Partition Refinement for Model Checking** - Dams - 1996 (104 citations)

Citation context: ...ormalized strong preservation as logical F-completeness and showed that F-completeness is preserved by fixed-point operators [25]. The present paper was inspired by their work. Finally, in his thesis [12], Dams proposed yet one more variant of logical completeness — Dams’s strong preservation is defined as follows: for all c ∈ D and a ∈ A, c ∈ γ(a) iff (for all φ, a |=_A φ iff c |= φ). For sets A and ...

**Making abstract interpretations complete** - Giacobazzi, Ranzato, et al. (96 citations)

Citation context: ...wnclosed sets of sets. ...to proving logical B-completeness of a family of temporal logics and showing that B-completeness is preserved by fixed-point operators [11]. Giacobazzi, Ranzato, and Scozzari [17] defined an iterative method for abstract-domain completion so that transfer functions are B-complete. Giacobazzi and Quintarelli [16] introduced F-completeness, defined its completion method, and used...

**Méthodes Itératives de Construction et d’Approximation de Points Fixes d’Opérateurs Monotones sur un Treillis, Analyse Sémantique des Programmes** - Cousot - 1978 (89 citations)

Citation context: ...but B(α_u)-completeness typically fails for disjunction, for the reasons given above. §6 Related Work. As noted in the Introduction, Galois-connection-based functional completeness was defined by Cousot [6] and Cousot and Cousot [8]. Mycroft [22] was perhaps the first to use B-completeness to define logical completeness; at the same time, Clarke, Grumberg, and Long [4] defined “exactness,” stated in ter...

**Relative completeness of abstraction refinement for software model checking** - Ball, Podelski, et al. - 2002 (61 citations)

Citation context: ...g., a static analysis of x := 1; if x = 1 then safe() else error() using Sign announces that error() is reachable. This false counterexample is eliminated by counterexample-guided abstraction refinement [2, 3, 27], which adds new values to Sign (in this case, one), moving towards F-completeness [16]. In the previous section, we noted that the set inclusion, α_o[φ] ⊆ [φ]_A, does not guarantee soundness. Noneth...

**Incompleteness, counterexamples, and refinements in abstract model-checking** - Giacobazzi, Quintarelli - 2001 (56 citations)

Citation context: ...crete and abstract domains. Giacobazzi, Ranzato, and Scozzari [17] showed how to refine an abstract interpretation to synthesize functionally complete transition functions; Giacobazzi and Quintarelli [16] showed that there are, in fact, two, independent notions of functional completeness — forwards and backwards. Cousot and Cousot [11] applied functional completeness to define the logical completeness...

**Introduction to Lattices and** - Davey, Priestley - 1990 (42 citations)

Citation context: ...ng, which we use to relate the various forms of completeness. §1 Galois connections and functional completeness. We use Galois connections to abstract concrete data into properties. A Galois connection [8, 15] between two partially ordered sets, (C, ⊆) and (A, ⊑), written C〈α, γ〉A, is a pair of functions, α : C → A and γ : A → C, such that for all c ∈ C and a ∈ A, c ⊆ γ(a) iff α(c) ⊑ a. The adjunction is e...

**Optimality in abstractions of model checking** - Cleaveland, Iyer, et al. - 1995 (41 citations)

Citation context: ...fined “exactness,” stated in terms of homomorphisms, h : D → A: h(c) |=_A φ iff c |= φ, which is strong preservation. Abstractions of state-transition systems led both Cleaveland, Iyer, and Yankevich [5] and Dams, Gerth, and Grumberg [13] to define an “optimal” abstract transition system as one that proves the most sound logical properties of a concrete system. Their definitions are not Galois-connec...

**Model checking guided abstraction and analysis** - Saidi - 2000 (41 citations)

Citation context: ...g., a static analysis of x := 1; if x = 1 then safe() else error() using Sign announces that error() is reachable. This false counterexample is eliminated by counterexample-guided abstraction refinement [2, 3, 27], which adds new values to Sign (in this case, one), moving towards F-completeness [16]. In the previous section, we noted that the set inclusion, α_o[φ] ⊆ [φ]_A, does not guarantee soundness. Noneth...

**Galois connections and computer science applications** - Melton, Schmidt, et al. - 1986 (29 citations)

Citation context: ...ract arguments and answers to static-analysis functions (e.g. succ♯(zero) = pos). The Galois connection is overapproximating because S ⊆ γ(α(S)), for all S ∈ P(C). The following little-known result [21] exposes the inner structure of Galois connections: There is a Galois connection between (C, ⊆) and (A, ⊑) iff ... Footnote 1: In this paper, definitions and previously proved results are embedded into the text n...

**The existence of finite abstractions for branching time model checking** - Dams, Namjoshi - 2004 (28 citations)

Citation context: ... B-completeness in an abstract logic is a famous trouble spot, e.g., we are asked to validate any |=_A neg ∨ zero ∨ pos — the above definition fails to do so, and a focus or materialization operation [14, 26] must be employed to decompose any into a set of covering cases, such as {neg, zero, pos} (because γ(any) ⊆ γ(neg) ∪ γ(zero) ∪ γ(pos)), and a proof-by-cases analysis is undertaken. Footnote 10: The second diagram...

**Verifying invariants using theorem proving** - Graf, Saïdi (27 citations)

Citation context: ...completeness. §5.3 Predicate abstraction. When an abstract domain is generated from a set, A, of assertions for variables within a program (e.g., x > y, ¬(y = 0), ...), it is called a predicate abstraction [1, 2, 18, 27]. The resulting static analysis annotates program points with sets of predicates that hold true at the program points. We begin with the concrete state set, D, predicate set, A, and judgement relation...

**Compositional and inductive semantic definitions in fixpoint, equational, constraint, closure-condition, rule-based and game-theoretic form** - Cousot, Cousot - 1995 (25 citations)

Citation context: ... a concrete system. Their definitions are not Galois-connection based but use the definition of strong preservation and yield strong preservation when Galois connections are present. Cousot and Cousot [10] formalized B-functional completeness and showed that it is preserved in inductively defined interpretations; they applied the results ... Footnote 11: An implementation of DNF will likely employ the normalizati...

**Strong preservation as completeness in abstract interpretation** - Ranzato, Tapparo - 2004 (22 citations)

Citation context: ... [11] applied functional completeness to define the logical completeness of a logic that judges abstract values as compared to the logic that judges the concrete values. Recently, Ranzato and Tapparo [23, 24] applied Giacobazzi, et al.’s refinement techniques to build logically complete abstract logics. The present paper’s contribution is to place into perspective the variants of forwards, backwards, func...

**An abstract interpretation-based refinement algorithm for strong preservation** - Ranzato, Tapparo - 2005 (16 citations)

**Completeness and predicate-based abstract interpretation** - Mycroft - 1993 (15 citations)

Citation context: ...for disjunction, for the reasons given above. §6 Related Work. As noted in the Introduction, Galois-connection-based functional completeness was defined by Cousot [6] and Cousot and Cousot [8]. Mycroft [22] was perhaps the first to use B-completeness to define logical completeness; at the same time, Clarke, Grumberg, and Long [4] defined “exactness,” stated in terms of homomorphisms, h : D → A: h(c) |=...

**Underapproximating predicate transformers** - Schmidt - 2006 (9 citations)

Citation context: ..., which is abstracted by a sound f♯ : A → P(A) as follows: [[f]φ]_A = p̃re f♯_best [φ]_A, where p̃re f♯(T) = {a′ | f♯(a′) ⊆ T}. We know that p̃re f♯_best = (p̃re f)♯_best = α_u ∘ p̃re f ∘ γ [29]. The definition is sound but might not be complete. The following holds for all abstract domains (not just partition domains): Theorem 13. For p̃re f : P(D) → P(D), f : D → P(D), and f∗ : P(D) → P(D...

**Strong preservation of temporal fixpoint-based operators by abstract interpretation** - Ranzato, Tapparo - 2006 (4 citations)

Citation context: ..., when α is co-continuous and α(⊤) = ⊤ – lfp G ∘ γ = γ ∘ lfp G♯, when γ is continuous and γ(⊥) = ⊥ – gfp G ∘ γ = γ ∘ lfp G♯, when γ is co-continuous. See Cousot and Cousot [8] and Ranzato and Tapparo [25] for elaboration. §2 Program logics. A logic for C consists of a set of assertions, L, and a judgement relation, |= ⊆ C × L; we write c |= φ when (c, φ) is in the relation. For example, a |= based on Fi...

**Abstract non-interference: an abstract-interpretation-based approach to secure information flow** - Mastroeni - 2006 (1 citation)

Citation context: ...o(f∗(S))), by the definition of p̃re f. We apply α_o and obtain (α_o ∘ f∗ ∘ γ ∘ α_o)(S) ⊆ (α_o ∘ γ ∘ α_o ∘ f∗)(S) = α_o(f∗(S)), which is the result. ✷ Giacobazzi and Quintarelli [16] (and Mastroeni [20]) show how to apply the F-complete shell construction to additive (continuous) f to achieve Item 1 above. Recall that pre f(S) = ∼ p̃re f(∼S) [19]; when pre f is not F-complete, Ranzato and Tapparo app...