A Constructive Framework for Galois Connections
Francesco Ranzato
Dipartimento di Matematica, University of Padova, Italy
Abstract
Abstract interpretation-based static analyses rely on abstract domains of program properties, such as
intervals or congruences for integer variables.
Galois connections (GCs) between posets provide the most widespread and useful formal tool for mathematically
specifying abstract domains.
Recently, Darais and Van Horn [2016] put forward a notion of constructive Galois connection for unordered sets (rather than posets),
which allows to define abstract domains in a so-called mechanized and calculational proof style and therefore enables the
use of proof assistants like Coq and Agda for automatically extracting verified algorithms of static analysis.
We show here that constructive GCs are isomorphic, in a precise and comprehensive meaning including sound abstract functions,
to so-called partitioning GCs — an already known class of GCs which allows to cast standard set partitions as an abstract domain.
Darais and Van Horn [2016] also provide a notion of constructive GC for posets, which we prove to be
isomorphic to plain GCs and therefore lose their constructive attribute.
Drawing on these findings,
we put forward and advocate the use of purely partitioning GCs, a novel
class of constructive abstract domains for a mechanized approach to abstract interpretation. We show that this class of abstract domains
allows us to represent a set partition with more flexibility while retaining a constructive approach to Galois connections.
1 Introduction
Abstract interpretation [3, 4] is probably the most used and successful technique for defining
approximations of program semantics (or, more in general, of computing systems) to be used for designing provably
sound static program analyzers.
Abstract domains play a crucial role in any abstract interpretation, since they encode, both logically for reasoning purposes
and practically for implementations,
which program properties are computed by a static analysis. Since its beginning [3],
one major insight of abstract interpretation is given by the use of Galois connections (GCs) for defining abstract domains. A specification
of an abstract domain D
through a Galois connection prescribes that: (1) both concrete and abstract domains, C and D, are
partially ordered, and typically they give rise to complete lattices; (2) definitions of abstraction α:C→D
and concretization γ:D→C maps to relate concrete and abstract values; (3) α and γ
give rise to an adjunction relation: α(c)≤Dd⇔c≤Cγ(d).
GCs carry both advantages and drawbacks. One major benefit is the so-called calculational style for defining
abstract operations [2, 14]: if f:C→C is any concrete operation involved by some semantic definition (e.g.,
integer addition or multiplication) then a corresponding
correct approximation on A is defined by
α∘f∘γ:A→A, which turns out to be the best possible approximation
of f on the abstract domain A and, as envisioned by Cousot [2],
allows to systematically derive abstract operations in a correct-by-design manner. On the negative side, GCs have two main weaknesses.
First, GCs formalize an ideal situation
where each concrete property in C has a unique best abstract approximation in D.
Some very useful and largely used abstract domains cannot be defined by a GC, being convex polyhedra a
prominent example of abstract domain where no abstraction map can be defined [7].
This problem motivated weaker abstract interpretation frameworks which
only need concretization maps [5]. Secondly, it turns out that abstraction maps of GCs cannot be mechanized [15, 17],
meaning that one cannot use automatic formal proof systems like Coq in order to extract certified algorithms of abstract interpretation,
e.g., based on best correct approximations α∘f∘γ. In other terms, the calculational approach of abstract
interpretation cannot be
automatized. Notably, Verasco [12, 13] (and its precursor described in [1])
is a static analyzer for C which has been formally
designed and verified using the Coq proof assistant, and is based on abstract interpretation using only concretization maps.
This latter motivation was one starting point of Darais and Van Horn [8] for investigating constructive versions
Galois connections, together with the observation that many useful abstract domains, even if defined by an abstraction
map, still would permit a mechanization of their soundness proofs. Also, Darais and Van Horn’s approach [8]
generalizes ‘Galculator’ [20], which is a proof assistant based on a given small algebra of Galois connections.
Constructive Galois connections (CGCs) [8] stem from the observation that for many commonly used abstract domains:
(1) the concrete domain is a powerset (or collecting) domain ℘(A) of an unordered carrier domain A;
(2) the abstraction map α:℘(A)→D is
actually defined as collecting lifting of a basic abstraction function η which is defined just on the carrier domain A and takes
values belonging to an unordered abstract domain B,
that is, η:A→B; (3) the concretization map μ:B→℘(A) provides meaning to basic abstract values ranging in B;
(4) the α/γ adjunction relation can be equivalently reformulated in terms of the following correspondence between η and μ:
[TABLE]
Moreover, CGCs allow to give
a soundness condition for pairs of concrete and abstract functions which are defined on carrier concrete and abstract domains A and B.
As a simple example taken from [8, Section 2], the standard toy parity abstraction for
integer variables can be defined as a CGC as follows. The carrier concrete domain is Z, the unordered parity
domain is
P={even,odd}, abstraction parity:Z→P and concretization μ:P→℘(Z) mappings are straightforwardly defined
and satisfy (CGC-Corr): z∈μ(a)⇔parity(z)=a. Also, a successor concrete operation
succ:Z→Z is approximated by a sound abstract successor succ♯:P→P such that
succ♯(even)=odd and succ♯(odd)=even.
Darais and Van Horn [8] also put forward a more general notion of constructive Galois connection for posets (CGP),
where the carrier concrete domain A and the abstract domain B are posets (rather than unordered sets), and where
the condition (CGC-Corr) is weakened to:
[TABLE]
This allows them to provide a constructive definition for ordered abstract domains like the sign abstraction of integer variables
Sign={∅,<0,=0,>0,≤0,=0,≥0,Z} which encodes approximation relations between its abstract values, e.g., the abstract value
≥0 approximates >0.
Contributions.
Our initial observation was that CGCs always encode a partition of the concrete carrier set A. As a simple example, for the above
parity domain P, the induced partition of Z obviously consists of two blocks: {z∈Z ∣ z even} and
{z∈Z ∣ z odd}. Furthermore, we also noticed that if an abstract domain D of a collecting domain
℘(A) does not induce an
underlying partition of A and D is defined through a standard Galois connection G then G cannot be
constructively and equivalently formulated by a CGC. Indeed, abstract domains which encode a partition of a given carrier set
have been previously studied and formalized as so-called partitioning Galois connections (PGCs). Intuitively,
a Galois connection defining a domain D which abstracts a concrete collecting domain ℘(A) is called
partitioning [6, 18] when D represents a partition P of the set A together with all the possible unions of blocks
in P. Our first contribution shows that CGCs are isomorphic to PGCs. This isomorphism is constructive, meaning that
we define two invertible transforms which map a CGC to an equivalent PGC and vice versa. Moreover, this isomorphism includes
soundness of
abstract operations, meaning that we also define invertible transforms of pairs of concrete/abstract operations which preserve their
soundness. Secondly, we also investigated Darais and Van Horn’s CGPs, in order to characterize them as a suitable class of Galois connections.
We show that CGPs actually amount to plain GCs of a powerdomain, and therefore CGPs are not able to isolate a specific
class of GCs. This is a negative finding: the generalization from CGCs to CGPs loses the constructive attribute of CGCs.
Drawing on these results, our third and most significant contribution is the definition of a novel class of
constructive Galois connections, called purely constructive GCs (PCGCs), which is more flexible than CGCs while retaining
a constructive approach to Galois connections. The basic idea underlying PCGCs is as follows.
CGCs essentially represent a partition of the carrier concrete domain
A through an abstract domain B. We showed that this partition representation in B implicitly
brings all the possible unions of its blocks.
We generalize this approach by allowing to select which unions of blocks to consider in the abstract domain B.
Hence, B may be defined as a partition P of A together with an explicit choice of unions of blocks of P,
where this selection may range from none to all. As an example, a sign abstraction like Sign−≜Sign∖{=0} cannot be formalized as a CGC, although Sign− still represents a partition of Z since Sign− just lacks
the union of blocks corresponding to the abstract value =0, that is, the union of <0 and >0.
In our framework, Sign− can be exactly defined as a PCGC. Moreover, PCGCs come together with a
definition of sound abstract operations, which also accomodates the standard notions of completeness commonly
used in abstract interpretation. This paper therefore advocates the use of PPGCs as a
suitable class of constructive abstract domains for a mechanized approach to abstract interpretation.
2 Background
Notation.
Let f:A→B, g:A→℘(B) and h:℘(A)→B, k:A→C, where A and B are sets and
C is a complete lattice with lub ∨. We then use the following definitions:
[TABLE]
Somewhere we use f(X) as an alternative notation for f⋄(X).
If A is a poset and X⊆A then ↓X≜{y∈A ∣∃x∈X.y≤x}, and, in turn,
℘↓(A)≜{X⊆A ∣ X=↓X} denotes the downward powerdomain of A,
which ordered by subset inclusion, is a complete lattice. We use ↓a as a shorthand for ↓{a}.
Recall that any set A can be viewed as poset w.r.t. the so-called discrete partial order ≤:
for all x,y∈A, x≤y iff x=y.
Let us also recall that P⊆℘(A) is a partition of A when: B∈P⇒B=∅; if B1,B2∈P and B1=B2 then
B1∩B2=∅; ∪B∈PB=A.
Galois connections.
Recall that G=⟨α,C,D,γ⟩ is a Galois connection (GC)
when C and D are posets, α:C→D, γ:D→C and
α(c)≤Dd⇔c≤Cγ(d). By following a standard terminology in abstract interpretation, C and D are
called concrete and abstract domains, while α and γ are called abstraction and concretization maps.
G is a disjunctive GC when γ is additive (intuitively meaning that it abstractly
represents logical disjunctions with no loss of precision).
G is a Galois insertion (GI) when α is surjective (or, equivalently, γ is injective).
Let us recall some standard definitions and terminology of abstract interpretation [3, 4].
Let f:C→C and f♯:D→D be, respectively, concrete and abstract functions.
The pair ⟨f,f♯⟩G is sound (w.r.t. G) when α∘f∘γ⊑f♯,
or, equivalently, α∘f⊑f♯∘α. Also, the pair ⟨f,f♯⟩G is optimal when α∘f∘γ=f♯,
backward complete when α∘f=f♯∘α, forward complete when
f∘γ=γ∘f♯, precise when f=γ∘f♯∘α.
The abstract function
fG≜α∘f∘γ is called the best correct approximation (BCA) of f induced by G.
Let G1=⟨α1,C,D1,γ1⟩ and G2=⟨α2,C,D2,γ2⟩ be two GCs with a common
concrete domain C. G1 is more precise than G2,
denoted by G1⊑G2, when γ2(α2(C))⊆γ1(α1(C)). In turn,
G1 and G2
are isomorphic when G1⊑G2 and G2⊑G1, i.e., when
γ1(α1(C))=γ2(α2(C)) holds. The intuition is that G1 and G2
abstractly encode the same properties of C
up to a renaming of the abstract values in Di.
If f1♯:D1→D1 and f2♯:D2→D2 are two abstract functions for f:C→C then
f1♯ is called isomorphic to f2♯ when γ1∘f1♯∘α1=γ2∘f2♯∘α2.
3 Constructive Galois Connections
Constructive Galois connections (CGCs) have been defined
by Darais and Van Horn [8, Section 3] to provide a Galois connection-like correspondence between
sets rather than posets:
⟨η,A,B,μ⟩CGC is a CGC when A and B are sets, and
η:A→B, μ:B→℘(A) satisfy the following equivalence
[TABLE]
The intuition is that A is a carrier set of the concrete powerset domain,
B is an unordered abstract domain, η is a representation function for concrete singletons {a}
while μ is a concretization function, which give rise to a sort of unordered adjunction relation.
CGCs have the following properties.
Lemma 3.1** (CGC properties).**
Consider a CGC ⟨η,A,B,μ⟩.
η(a1)=η(a2)⇔μ(η(a1))=μ(η(a2))⇔μ(η(a1))∩μ(η(a2))=∅**
μ(b)=∅⇔b∈η(A)**
As a consequence, we have that {μ(η(a))}a∈A are the blocks of
a partition of A, because A=∪a∈Aμ(η(a)) and
if μ(η(a1))=μ(η(a2)) then μ(η(a1))∩μ(η(a2))=∅.
Darais and Van Horn [8, Section 3.1] also define constructive Galois connections for posets (CGPs) as follows.
⟨η,A,B,μ⟩ is a CGP when ⟨A,≤A⟩ and ⟨B,≤B⟩
are posets (so that ℘↓(A)⊆ is a complete lattice),
η:A→B and μ:B→℘↓(A) are monotone and the following equivalence holds:
[TABLE]
Hence, in CGP-Corr ≤B replaces = of CGC-Corr. We focus on the following properties of CGPs.
Lemma 3.2** (CGP properties).**
Consider a CGP ⟨η,A,B,μ⟩.
η(a1)=η(a2)⇔μ(η(a1))=μ(η(a2))**
μ(b)=∅⇔↓b∩η(A)=∅**
If B is a complete lattice then ⟨η∨,℘↓(A),B,μ⟩ is a GC
μ(B)=μ(η∨(℘↓(A)))**
Example 3.3**.**
Consider Z with the discrete partial order, so that ℘↓(Z)=℘(Z),
B≜{+,⊤} with ordering +≤⊤,
η:Z→B be defined by η(x)≜ifx>0then+else⊤ and μ:Z→℘(Z) be defined
by μ(+)=Z>0 and μ(⊤)=Z. It turns out that ⟨η,Z,B,μ⟩ is not a CGC, because 1∈μ(⊤)
while +=η(1)=⊤. Instead, +=η(1)≤⊤ holds, and indeed this is a CGP. Notice that {μ(η(z)) ∣ z∈Z}={Z>0,Z} is not a partition of Z. Besides,
if B′={−,0,+,⊥}, β:Z→B′ encodes the sign of an integer, and δ:B′→℘(Z) is defined by:
δ(−)=Z<0, δ(0)={0}, δ(+)=Z>0, δ(⊥)=∅, then ⟨β,Z,B′,δ⟩ is clearly
a CGC.
∎
In the following we will need to compare CGCs with a common concrete carrier set.
Thus, consider two
CGCs C1=⟨η1,A,B1,μ1⟩ and C2=⟨η2,A,B2,μ2⟩.
Then, C1 is defined to be more precise than C2 (or, C2 is more abstract than C1)
when μ2(B2)⊆μ1(B1), and this is denoted by C1⊑C2.
Also, C1 and C2 are
isomorphic when C1⊑C2 and C2⊑C1, i.e., when
μ1(B1)=μ2(B2), and this is denoted by
C1≅C2. The intuition is that two CGCs
are isomorphic when they represent the same abstraction μi(Bi) of ℘(A)
up to a renaming of the abstract values.
This notion of isomorphism is justified by the following result, where f1,2 and f2,1 play the role
of renaming functions for abstract values.
Lemma 3.4** (CGC Isomorphism).**
Consider C1=⟨η1,A,B1,μ1⟩ and C2=⟨η2,A,B2,μ2⟩ CGCs. Then,
C1≅C2 iff there exist f1,2:η1(A)→η2(A) and
f2,1:η2(A)→η1(A)
such that f1,2∘f2,1=id=f2,1∘f1,2, μ1∘η1=μ2∘f1,2∘η1
and μ2∘η2=μ1∘f2,1∘η2.
We also define a notion of nonempty isomorphism ≅∅
which does not take into account possible empty sets in μ(Bi):
⟨η1,A,B1,μ1⟩≅∅⟨η2,A,B2,μ2⟩ when
μ1(B1)∪{∅}=μ2(B2)∪{∅}. This is justified by the observation
that for any CGC ⟨η,A,B,μ⟩, we have that
⟨η,A,B,μ⟩≅∅⟨η,A,η(A),μ⟩, because, by Lemma 3.2 (2),
all the abstract values in B∖η(A) represent the empty set.
These can therefore be viewed as “useless” abstract values and lead to a notion of constructive Galois
insertion (CGI) which is the analogue of GI: ⟨η,A,B,μ⟩ is a CGI when it is a CGC and η is surjective.
4 Partitioning Galois Connections
Partitioning Galois connections/insertions (PGCs/PGIs)
have been introduced in [6, Section 5]: given a partition P of a set A,
any subset X∈℘(A) is over-approximated by the unique minimal cover of X through blocks in P. PGCs have
been studied and used in [18, 19] for generalizing strong preservation of temporal logics in model checking.
Let G=⟨α,℘(A)⊆,D≤,γ⟩ be a Galois connection,
where A is any carrier set and D is a poset, and let prt(G)≜{γ(α({a}))}a∈A.
G is called a
partitioning Galois connection when: (1) prt(G)
is a partition of A; (2) γ is additive, i.e., γ preserves arbitrary lub’s.
The main feature of a PGC is that any abstract value d represents a union of blocks of the partition prt(G),
namely γ(d)=∪a∈γ(d)γ(α({a})), and, vice versa, for any set of blocks
{γ(α({a})) ∣ a∈S} of the partition prt(G),
for some S∈℘(A), there exists d∈A such that γ(d)=∪{γ(α({a})) ∣ a∈S}, where d=α(S).
In other terms, the abstract domain D is a representation of
all the possible unions of blocks in prt(G). Although this is the standard definition of PGC, instead of representing
all the possible unions of blocks of a partition, one could equivalently represent no union of blocks at all:
this means that the condition (2) of PGCs of having an additive concretization map γ could be replaced by (2′):
if x,y∈D and x,y are uncomparable then γ(x∨Dy)=A. Hence, if
α({a1}) and α({a2}) represent in D two different blocks then their lub represent no information at all
(i.e., γ(α({a1,a2}))=A).
It turns out that the notion of CGC is completely equivalent to that of PGC, in the following precise meaning
based on a pair of invertible transforms of CGCs and PGCs.
Theorem 4.1** (CGC-PGC Equivalence).**
If
C=⟨η,A,B,μ⟩ is a CGC then TPGC(C) ≜⟨η⋄,℘(A)⊆,℘(B)⊆,μ∗⟩ is a PGC.
If G=⟨α,℘(A)⊆,D≤,γ⟩ is a PGC then
TCGC(G) ≜⟨α{⋅},A,{α({a}) ∣ a∈A},γ⟩
is a CGC.
The transforms TPGC and TCGC
are one the inverse of the other, up to nonempty
isomorphism.
Example 4.2**.**
Consider the standard abstract domain for sign analysis as encoded by the GI
S=⟨α,℘(Z),Sign,γ⟩, where Sign is the following lattice:
\mathbb{Z}$$\geq 0$$\neq 0$$\leq 0$$>0$$<0$$=0$$\varnothing
while abstraction and concretization maps are defined as usual. Let us observe that S is indeed
a PGC (more precisely, a PGI), where prt(S)={Z<0,Z=0,Z>0}.
Then, TCGC(S) provides a CGC which is nonempty isomorphic to the
CGC C=⟨β,Z,B′,δ⟩ of Example 3.3: these two CGCs only differ
for the element ⊥∈B′ whose meaning is ∅=δ(⊥).
Conversely, TPGC(C)
is a PGC which is isomorphic to the PGI S: ℘(B′) is the abstract domain of TPGC(C), so that,
since B′ includes the “useless” value ⊥, we obtain a PGC rather than a PGI, because its concretization map δ∗
is not injective, e.g., δ∗({⊥,+})=δ∗({⊥}).
∎
Furthermore, it turns out that the CGC/PGC transforms of Theorem 4.1 preserve the
relative precision relations as follows.
Corollary 4.3**.**
If C1 and C2 are CGCs then
C1⊑C2 iff TPGC(C1) ⊑ TPGC(C2).
As a consequence, one can define a lattice of CGCs, ordered w.r.t. their relative precision
up to isomorphism, which is order-theoretically isomorphic to the
so-called lattice of partitioning abstract domains [19, Theorem 3.2].
Let us also recall that [8] also put forward a definition of
Kleisli Galois connection (KGC) between posets, which relies on a “monadic” notion
of abstraction/concretization maps. Actually, this class of constructive abstractions is shown
in [8, Section 6]
to be equivalent to CGCs, where this isomorphism includes the notion of soundness (and optimality) for
abstract functions. Hence, we do not need to replicate our isomorphism between KGCs and PGCs, which automatically
follows.
CGCs as Least Disjunctive Bases.
Given a CGC
C=⟨η,A,B,μ⟩,
Theorem 4.1 shows that
TPGC(C)=⟨η⋄,℘(A)⊆,℘(B)⊆,μ∗⟩ is a PGC.
We observe that {{x} ∣ x∈B} is the set of join-irreducible elements of the complete lattice ℘(B)⊆ — recall
that an element x of a complete lattice is join-irreducible when, for any S, x=∨S⇒x∈S.
In abstract interpretation terms [9], this observation
means that {{x} ∣ x∈B} can be essentially viewed
as the so-called least disjunctive basis of the partitioning abstract domain ℘(B)⊆.
Least disjunctive basis have been introduced in [9] as an inverse operation
to the disjunctive completion of abstract domains, that is, the least disjunctive refinement of an abstract domain D.
Given an abstract domain D, its least disjunctive basis
is defined to be the most abstract domain having the same disjunctive completion as D. Hence, the least disjunctive basis
of D reveals and therefore removes all the disjunctive information inside D.
A concrete domain which is a powerset (ordered by subset inclusion) satisfies the hypotheses
of [9, Theorem 4.13], so that the least disjuctive basis of an abstract domain D exists and is
characterized as the closure under arbitrary meets of the join-irreducible elements of D. This result can be applied
to the abstract domain ℘(B)⊆ of the PGC TPGC(C), whose least disjunctive basis
is given by the meet-closure of {{x} ∣ x∈B}, where this meet-closure simply adds ∅ and B.
In this sense, this section systematically reconstructed the notion of CGC as least disjunctive basis of a partitioning abstract domain.
Constructive Closure Operators.
In abstract interpretation, abstract domains up to renaming of
abstract values are encoded by closure operators, which are isomorphic to GCs [4].
Hence, the isomorphism between CGCs and PGCs in Theorem 4.1 leads to the
following notion. Given any set A,
a map φ:A→℘(A) is a constructive closure operator (CCO) when the following condition holds:
x∈φ(y)⇔φ(x)=φ(y).
CCOs turn out to be the closure operator counterpart of CGCs, as shown by the following result.
Corollary 4.4** (CGC-CCO Equivalence).**
If C=⟨η,A,B,μ⟩ is a CGC then TCCO (C)≜μ∘η:A→℘(A) is a CCO.
If φ:A→℘(A) is a CCO then TCGC (φ)≜⟨φ,A,{φ(a) ∣ a∈A},id⟩ is a CGC.
The transforms TCCO and TCGC are one the inverse of the other, up to nonempty
isomorphism.
4.1 Characterization of CGPs
Let us now focus on CGPs. Can this class of constructive abstractions be characterized in terms of Galois connections?
Let the carrier concrete set A be a poset,
the abstract domain B be a complete lattice,
η:A→B and μ:B→℘↓(A) be monotone.
By relying on CGPs/GCs transforms, we show that the class of CGPs turns out to be isomorphic to the class of GCs
of the concrete powerdomain ℘↓(A).
Theorem 4.5** (CGP-GC Equivalence).**
If
C=⟨η,A,B,μ⟩ is a CGP then
TGC(C)≜⟨η∨,℘↓(A)⊆,B,μ⟩ is a GC.
If G=⟨α,℘↓(A)⊆,D≤,γ⟩ is a GC then
TCGP(G)≜⟨λa.α(↓{a}),A,D,γ⟩
is a CGP.
The transforms TGC and TCGP
are one the inverse of the other, up to isomorphism between GCs.
Otherwise stated, this result shows that CGPs, specifically defined for adapting
CGCs to carrier sets which are posets, indeed boil down to plain GCs of the powerdomain ℘↓(A), and
therefore lose their constructive attribute.
Example 4.6**.**
Consider the following lattice D of integer intervals ordered by subset inclusion:
\mathbb{Z}$$[-9,+\infty)$$[-7,7]$$[1,5]$$[-5,-1]$$\varnothing
By considering Z as discretely ordered, this lattice D gives rise to a GI G=⟨α,℘(Z),D,γ⟩
where γ is the identity and, for example, we have that α({2})=[1,5], α({0})=α({6})=[−7,7], α({10})=[−9,+∞),
α({−10})=Z. Then, by Theorem 4.5 (2),
TCGP(G)=⟨λz.α({z}),Z,D,γ⟩ is a CGP. Ler us remark that the GI G
is neither partitioning
nor disjunctive, so that the intuition is that the CGP TCGP(G) should not be considered as being “constructive”.
As a limit infinite example, consider the complete lattice E≜{[0,n] ∣ n∈N}∪{N}, ordered
by subset inclusion, which is an infinite increasing chain of intervals of natural numbers. This complete lattice gives rise to a
GI E=⟨α,℘(N),E,γ⟩ where N is discretely ordered and
γ is the identity. Here, Theorem 4.5 (2) yields a legal CGP
TCGP(E)=⟨η,N,E,id⟩ where η(n)=[0,n] and whose constructive trait can hardly be
identifiable.
∎
5 Soundness of Abstract Operations
Our next objective is to transform a sound pair of functions from CGCs to PGCs and vice versa, in order to show
that the equivalence between CGCs and PGCs also include soudness (and further optimality conditions)
of abstract functions. For notational simplicity, we consider unary functions, but the whole approach can be
straighforwardly generalized to generic n-ary functions (that we will use in some examples).
Let C=⟨η,A,B,μ⟩ be a CGC, f:A→A be a concrete function and f♯:B→B be
a corresponding abstract function. Let us recall that Darais and Van Horn [8]
provide four equivalent soudness conditions for ⟨f,f♯⟩ to be sound w.r.t. C:
[TABLE]
On the one hand, on the transformed
PGC TPGC(C)=⟨η⋄,℘(A)⊆,℘(B)⊆,μ∗⟩,
we simply the powerset lifting of concrete and abstract functions, namely, we define
TPGC(⟨f,f♯⟩)≜⟨f⋄,f♯⋄⟩, where
f⋄:℘(A)→℘(A) and f♯⋄:℘(B)→℘(B).
On the other hand, let G=⟨α,℘(A)⊆,D≤,γ⟩ be a PGC. On PGCs, we consider
concrete functions on ℘(A) which are defined as
collecting version of a mapping g:A→A on the carrier set A, that is, g⋄:℘(A)→℘(A) will be our
concrete function.
A corresponding monotone
abstract function g♯:D→D is called
block-preserving when g♯ maps (abstract representations of) blocks
to (abstract representations of) blocks, namely, when the following condition holds:
∀a∈A.∃a′∈A.g♯(α({a}))=α({a′}).
Lemma 5.1**.**
If G is a PGI, ⟨g⋄,g♯⟩ is sound and g♯ is block-preserving then, for any a∈A,
g♯(α({a}))=α({g(a)}) and
g⋄(γ(α({a})))⊆γ(α({g(a)})).
Thus, given a
sound pair ⟨g⋄,g♯⟩ w.r.t. G where g♯ is block preserving,
on the transformed CGC TCGC(G)=⟨α{⋅},A,{α({a}) ∣ a∈A},γ⟩
we
consider the carrier concrete function g:A→A and the following restriction of the abstract function g♯ to
abstract representations of blocks:
g♯r:{α({a}) ∣ a∈A}→{α({a}) ∣ a∈A} which, by Lemma 5.1, can be defined
as g♯r(α({a}))≜α({g(a)}). We denote this transform by
TCGC(⟨g⋄,g♯⟩)≜⟨g,g♯r⟩.
Given two CGCs Ci=⟨ηi,A,Bi,μi⟩, i=1,2, a concrete function f:A→A and two corresponding
abstract functions fi♯:Bi→Bi, we use the notation
⟨f,f1♯⟩≅⟨f,f2♯⟩ to mean that fi is sound for f w.r.t. Ci and
μ1∘f1♯∘η1=μ2∘f2♯∘η2, that is,
the concrete projections of f1♯ and f2♯ coincide so that these functions can be viewed as
isomorphic. With this notion, our correspondance between CGCs and PGCs can be extended to include soundness
as follows.
Theorem 5.2**.**
Let C=⟨η,A,B,μ⟩ be a CGC, f:A→A and f♯:B→B. Then,
⟨f,f♯⟩ is sound iff TPGC(⟨f,f♯⟩) is sound
w.r.t. TPGC(C).
Let G=⟨α,℘(A)⊆,D≤,γ⟩ be a PGC,
g⋄:℘(A)→℘(A), for some g:A→A, and
g♯:D→D be monotone and block-preserving. Then,
⟨g⋄,g♯⟩ is sound iff TCGC(⟨g⋄,g♯⟩) is sound
w.r.t. TCGC(G).
If ⟨f,f♯⟩ is sound then TCGC(TPGC(⟨f,f♯⟩))
≅⟨f,f♯⟩.
If ⟨g⋄,g♯⟩ is sound and g♯ is block-preserving and additive then
TPGC(TCGC(⟨g⋄,g♯⟩)) ≅⟨g⋄,g♯⟩.
Example 5.3**.**
Consider the PGI S=⟨α,℘(Z),Sign,γ⟩ for the standard sign domain introduced in
Example 4.2. Consider the square operation sq:Z→Z such that sq(z)=z2 and its collecting
lifting sq⋄:℘(Z)→℘(Z). Correspondingly, consider sqS:Sign→Sign defined
as BCA of sq⋄, namely:
[TABLE]
Then, let us observe that sqS is (monotone and) block-preserving: indeed, the set of (abstract) blocks is
B={<0,=0,>0} and sqS maps blocks to blocks.
Hence, here we have that
TCGC(S)=⟨η,Z,B,μ⟩ and TCGC(⟨sq⋄,sqS⟩)=⟨sq,sqSr⟩ where
sqSr:Z→Z is such that
sqSr(α({z}))=α({sq(z)}).
∎
Completeness.
As observed in [8], the above four equivalent soundness conditions for CGCs
lead to four non-equivalent conditions of completeness for abstract functions, where ⇔ replaces ⇒:
[TABLE]
It is worth remarking that these completeness conditions for a pair
⟨f,f♯⟩ can be equivalently stated using well known optimality/completeness conditions
for Galois connections for the transformed pair TPGC(⟨f,f♯⟩).
Lemma 5.4**.**
⟨f,f♯⟩* satisfies (CGC-Cmp/ημ) iff
TPGC(⟨f,f♯⟩) is best correct approximation w.r.t. TPGC(C).*
⟨f,f♯⟩* satisfies (CGC-Cmp/μμ) iff
TPGC(⟨f,f♯⟩) is forward complete w.r.t. TPGC(C).*
⟨f,f♯⟩* satisfies (CGC-Cmp/ηη) iff
TPGC(⟨f,f♯⟩) is backward complete w.r.t. TPGC(C).*
⟨f,f♯⟩* satisfies (CGC-Cmp/μη) iff
TPGC(⟨f,f♯⟩) is precise w.r.t. TPGC(C).*
6 Purely Partitioning Galois Connections
Drawing on the above results,
we define a novel
class of constructive abstract domains, which we call purely constructive Galois connections (PCGCs).
The idea is that PCGCs generalize CGCs as follows.
CGCs essentially represent a partition of the carrier concrete domain
A as an abstract domain B. We showed that this partition representation also brings all the possible unions of its blocks.
The goal is to generalize this approach by allowing to decide which unions of blocks to consider in the abstract domain B.
Hence, B may be defined as a partition P of A together with an explicit selection of unions of blocks of P,
where this selection may range from none to all.
A purely constructive Galois connection (PCGC) ⟨η,A,B,μ⟩PCGC
consists of an unordered concrete carrier
set A and of an ordered abstract domain which is required to be a poset ⟨B,≤⟩,
together with the
mappings
η:A→B and μ:B→℘(A) which satify the following two conditions:
[TABLE]
Thus, condition (2) coincides with (CGP-Corr), while condition (1) amounts to (CGC-Corr) restricted to abstract values
ranging in η(A). PCGCs have the following properties.
Lemma 6.1** (PCGC properties).**
Consider a PCGC ⟨η,A,B≤,μ⟩.
η(a1)=η(a2)⇔μ(η(a1))=μ(η(a2))⇔μ(η(a1))∩μ(η(a2))=∅**
μ(b)=∅⇒b∈η(A), while the viceversa does not hold
If B is a complete lattice then ⟨η∨,℘(A)⊆,B≤,μ⟩ is a GC
In particular, let us remark that: by Lemma 6.1 (1), {μ(η(a))}a∈A still is a partition of A;
by Lemma 6.1 (2), differently from CGCs, if b∈η(A) it may happen that μ(b)=∅;
by Lemma 6.1 (3), analogously to CGPs, η∨ and μ give rise to a GC.
Example 6.2**.**
Consider the following finite lattice B of integer intervals ordered by subset inclusion:
\mathbb{Z}$$[-9,+\infty)$$(-\infty,9]$$[-9,9]$$[10,+\infty)$$[1,9]$$[0,0]$$[-9,-1]$$(-\infty,-10]$$\varnothing
Let η:Z→B be defined as follows:
[TABLE]
while μ:B→℘(Z) is simply defined as the identity map.
Then, it is simple to check that P=⟨η,Z,B,μ⟩ is a PCGC.
However, it turns out that
P is not a CGC: in fact, 0∈μ([−9,9]) while η(0)=[0,0]=[−9,9]. Also, if Z is
considered as a poset w.r.t. the discrete order then ℘↓(Z)=℘(Z) and
η and μ are monotone, so that, by PCGC (2), P is a CGP.
Consider now B′≜(B∖{[−9,9],(−∞,9],[−9,+∞)})∪{[−10,10]}, which
still is a finite lattice
where
[−10,10] is the lub in B′ of {[−9,−1],[0,0],[1,9]},
although [−10,10] is not the union of these blocks.
In this case, ⟨η,Z,B′,μ⟩
is not a PCGC, because 10∈μ([−10,10]) but η(10)=[10,+∞)⊆[−10,10], so that
PCGC (2) does not hold. Finally, consider the CGC C=⟨η,Z,B,μ⟩ defined in Example 3.3.
Then, C is not a PCGC because 1∈μ(η(0))=Z but +=η(1)=η(0)=⊤.
∎
Similarly to Theorems 4.1 and 4.5, let us now characteriza PCGCs as a class of Galois connections.
Recall that a GC G=⟨α,℘(A)⊆,D≤,γ⟩ is a PGC when prt(G) is a partition of A
and γ is additive. By dropping this latter requirement of additivity for γ, we
define G to be a
purely partitioning Galois connection (PPGC) just when prt(G) is a partition of A.
The terminology “purely partitioning” hints at the property (which is not hard to check)
that the disjunctive completion of D indeed yields a partitioning
Galois connection. It turns out that this class of GCs characterize PCGCs as follows.
Theorem 6.3** (PCGC-PPGC Equivalence).**
If B≤ is a complete lattice and
C=⟨η,A,B≤,μ⟩ is a PCGC then TPPGC(C) ≜⟨η∨,℘(A)⊆,B≤,μ⟩ is a PPGC.
If G=⟨α,℘(A)⊆,D≤,γ⟩ is a PPGC then
TPCGC(G) ≜⟨α{⋅},A,D≤,γ⟩
is a PCGC.
The transforms TPPGC and TPCGC
are one the inverse of the other, up to
isomorphism.
Example 6.4**.**
Consider the PCGC P defined in Example 6.2, so that TPPGC(P)=⟨η∨,℘(Z)⊆,B≤,id⟩
is a PPGC where the corresponding partition of Z is P={(−∞,10],[−9,−1], [0,0],[1,9],[10,+∞)} and
the abstraction map η∨ approximates a set of integers X∈℘(Z) by the least union of blocks of P which belongs to
B: for example, η∨({1,10})=[−9,+∞) and η∨({0,1})=[−9,9]. ∎
CGCs as PCGCs as CGPs.
It turns out that any CGC is indeed a PCGC, which, in turn, is a CGP.
Let ⟨η,A,B,μ⟩ be a CGC.
Firstly, it is enough to consider B as a poset for the discrete partial order ≤, since
this makes ⟨η,A,B≤,μ⟩ a PCGC. In fact: (1) a∈μ(η(a′)) iff, by (CGC-Corr),
η(a)=η(a′); (2) if b∈η(A) then b=η(a′), for some a′, so that, by (CGC-Corr),
a∈μ(b)⇔η(a)=b, while if b∈η(A), then, by Lemma 3.1 (2), μ(b)=∅.
Furthermore, any PCGC ⟨η,A,B≤,μ⟩ can be viewed as a CGP simply by making the concrete carrier set
A a poset for the discrete order, so that ℘↓(A)=℘(A), and η becomes trivially monotone as well as
μ:B→℘(A): in fact, if b1≤b2 and a∈μ(b1) then η(a)≤b1≤b2, so that a∈μ(b2).
6.1 Soundness of Abstract Operations
Let C=⟨η,A,B≤,μ⟩ be a PCGC and f:A→A be a concrete function.
By relying on Theorem 6.3 (1), we are able to define the BCA of the lifted function
f⋄:℘(A)→℘(A)
w.r.t. the PPGC ⟨η∨,℘(A)⊆,B≤,μ⟩=TPPGC(C). This is denoted by
fC:B→B and is therefore defined by fC≜η∨∘f⋄∘μ, so that:
[TABLE]
Hence, given an abstract function f♯:B→B, this BCA leads us to define
⟨f,f♯⟩ to be sound for C when f♯ is less precise than the BCA, that is, when for any b∈B,
fC(b)≤f♯(b).
This turns out to be equivalent to the following condition: ⟨f,f♯⟩ is sound w.r.t. C iff
[TABLE]
It is then easy to transform a sound pair of concrete/abstract functions
⟨f,f♯⟩ for a PCGC C into the pair TPPGC(⟨f,f♯⟩)≜⟨f⋄,f♯⟩
for the corresponding PPGC TPPGC(C)=⟨η∨,℘(A)⊆,B≤,μ⟩.
Conversely, if D=⟨α,℘(A)⊆,D≤,γ⟩ is a PPGC and
⟨g⋄,g♯⟩ is a sound pair for D, where
g⋄:℘(A)→℘(A) for some g:A→A, then
⟨g⋄,g♯⟩ is transformed into TPCGC(⟨g⋄,g♯⟩)≜⟨g,g♯⟩
relatively to the PCGC TPCGC(D). A result analogous to Theorem 5.2 can then be proved.
Theorem 6.5**.**
Let C=⟨η,A,B≤,μ⟩ be a PCGC, with B complete lattice,
f:A→A and f♯:B→B.
Then,
⟨f,f♯⟩ is sound iff TPPGC(⟨f,f♯⟩) is sound
w.r.t. TPPGC(C).
Let D=⟨α,℘(A)⊆,D≤,γ⟩ be a PPGC,
g⋄:℘(A)→℘(A), for some g:A→A, and
g♯:D→D. Then,
⟨g⋄,g♯⟩ is sound iff TPCGC(⟨g⋄,g♯⟩) is sound
w.r.t. TPCGC(D).
The transforms TPPGC and TPCGC are one the inverse of the other.
Since f♯ is defined to be sound when η∨∘f⋄∘μ≤f♯, it is then natural to define
f♯ optimal when η∨∘f⋄∘μ=f♯, backward complete when
η∨∘f⋄=f♯∘η∨ and forward complete when
f⋄∘μ=μ∘f♯.
In particular, these definitions allow us
to apply the abstraction refinement operators introduced in [11] for minimally refining the abstract domain
B in order to obtain a backward/forward complete abstract function and the technique introduced in [10] for
simplifying abstract domains while retaining the optimality of abstract operations.
6.2 An Example of PCGC
Consider the following infinite complete lattice B≤.
\mathbb{Z}$$\geq 0$$\neq 0$$\leq 0$$>0$$<0$$2$$1[math]-1$$-2$$\cdots$$\cdots$$\cdots$$\cdots$$\cdots$$\cdots$$\varnothing
B is intended to be an abstract domain which includes both constant and sign information of an integer variable.
Indeed B can be defined as reduced product of the standard constant propagation domain [16] and of the sign abstraction
in Example 4.2.
For example, for a while program such as:
[TABLE]
a standard analysis with this abstract domain B allows us to derive the loop invariant {x>0,y=2}.
It turns out that the abstraction B can be constructively defined. This definition of B relies on η:Z→B and μ:B→℘(Z) which are essentially defined
as identity functions. It should be clear that B is a purely partitioning domain, while it is not a fully
partitioning domain, and therefore B cannot be equivalently defined within the constructive Galois connection approach.
In fact, C=⟨η,Z,B,μ⟩ is not a CGC, because
1∈μ(>0) while 1=η(1)=>0.
Instead, C turns out to be a PCGC.
Next, consider the concrete binary integer multiplication ⊗:Z×Z→Z. By following
Theorem 6.5 (1), we define a corresponding abstract
multiplication ⊗♯:B×B→B as follows:
[TABLE]
Namely, ⊗♯ is the best correct approximation of the powerset lifting
⊗⋄:℘(Z)×℘(Z)→℘(Z) w.r.t. the PPGC
⟨η∨,℘(Z)⊆,B≤,μ⟩=TPPGC(C). For instance,
⊗♯(2,<0)=<0 and ⊗♯(−2,≤0)=≥0. Then,
since ⟨⊗⋄,⊗♯⟩ is sound, by construction, for TPPGC(C), we have that
⟨⊗,⊗♯⟩
is sound for C. Furthermore, as expected, it turns out that ⊗♯ is backward complete for C, meaning
that for any X,Y∈℘(Z), ∨B{x⊗y ∣ x∈X,y∈Y}=⊗♯(∨BX,∨BY).
For instance, we have that:
[TABLE]
7 Conclusion
This paper showed that constructive Galois connections, proposed by Darais and Van Horn [8]
as a way to define domains to be used in a mechanized and calculational style of abstract interpretation,
are isomorphic to an already known class of Galois connections
which formalize partitions of an unordered set as an abstract domain. Building on that,
we defined a novel
class of constructive abstract domains for a mechanized approach to abstract interpretation, called purely constructive
Galois connections. We showed that this class of abstract domains
permits to represent a set partition with more flexibility while preserving a constructive approach to Galois connections.
Appendix A Proofs
See 3.1
Proof.
Firstly, let us observe that for any a∈A, a∈μ(η(a)).
(1) If μ(η(a1))=μ(η(a2)) then a1∈μ(η(a1))=μ(η(a2)) so that, by (CGC-Corr),
η(a1)=η(a2). Next, we show that
μ(η(a1))=μ(η(a2))⇔∃a∈A.a∈μ(η(a1))∩μ(η(a2)):
on the one hand, since a1∈μ(η(a1)) then a1∈μ(η(a2)); on the other hand, if
a∈μ(η(a1))∩μ(η(a2)), then, by (CGC-Corr), η(a1)=η(a)=η(a2), so that μ(η(a1))=μ(η(a2)).
(2) Let us check that μ(b)=∅⇔b∈η(A):
there exists a∈μ(b) iff, by (CGC-Corr), there exists a∈A such that
η(a)=η(b) iff b∈η(A).
∎
See 3.2
Proof.
(1) If μ(η(a1))=μ(η(a2)) then a1∈μ(η(a2)) and a2∈μ(η(a1)),
so that, by (CGP-Corr),
η(a1)≤Bη(a2)≤η(a1).
(2) If a∈μ(b) then, by (CGP-Corr), η(a)≤Bb, so that η(a)∈↓b∩η(A).
Conversely, if b′∈↓b∩η(A) then b′=η(a′)≤Bb, for some a′∈A, so
that, by (CGP-Corr), a′∈μ(b).
(3) Let us check that for all X∈℘↓(A) and b∈B,
η∨(X)≤Bb⇔X⊆μ(b): η∨(X)≤Bb iff ∨a∈Xη(a)≤Bb iff
∀a∈X.η(a)≤Bb iff ∀a∈X.a∈μ(b) iff X⊆μ(b).
(4) Since, by (3), ⟨η∨,℘↓(A),B,μ⟩ is a GC, we have that
μ=μ∘η∨∘μ, so that μ(B)=μ(η∨(℘↓(A))) follows.
∎
See 3.4
Proof.
(⇒) For any a∈A, we have that μ1(η1(a))∈μ2(B2), so that μ1(η1(a))=μ2(b2) for some b2∈B2. Then, since a∈μ2(b2), by Lemma 3.1 (2),
b2∈η2(A), so that there exists some xa2∈A such that b2=η2(xa2)
and, in turn, μ1(η1(a))=μ2(η2(xa2)).
We define
f1,2(η1(a))≜η2(xa2).
Dually, for any a∈A there exists xa1∈A such that μ2(η2(a))=μ1(η1(xa1)),
so that we define
f2,1(η2(a))≜η1(xa1).
Thus, we have that for any a∈A,
μ1(η1(a))=μ2(η2(xa2))=μ1(η1(xxa21)), so that,
by Lemma 3.1 (1), η1(a)=η1(xxa21). Dually,
η2(a)=η1(xxa12).
Hence, it turns out that
f1,2(f2,1(η2(a)))=f1,2(η1(xa1))=η2(xxa12)=η2(a) and
f2,1(f1,2(η1(a)))=f2,1(η2(xa2))=η1(xxa21)=η1(a).
Moreover,
μ1(η1(a))=μ2(η2(xa2))=μ2(f1,2(η1(a))) and
μ2(η2(a))=μ1(η1(xa2))=μ1(f2,1(η2(a))).
(⇐) If x∈μ1(B1) then x∈μ1(b1), for some b1∈B1, so that,
by Lemma 3.1 (2), b1=η1(a) and x∈μ1(η1(a)) for some a∈A. Thus,
x∈μ1(η1(a))=μ2(f1,2(η1(a))), namely, x∈μ2(B2). Dually, μ2(B2)⊆μ1(B1).
∎
See 4.1
Proof.
(1) In order to have a GC, it must be that for any X∈℘(A), Y∈℘(B),
η⋄(X)⊆Y⇔X⊆μ∗(Y).
From left to right: if a∈X then η(a)∈Y, so that, since a∈μ(η(a)), we have that a∈μ∗(Y). From right to left:
if b∈η⋄(X) then b=η(a) for some a∈X, so that, since a∈μ∗(Y),
we have that a∈μ(b′) for some b′∈Y, therefore b=η(a)=b′, so that b∈Y.
Let us notice that μ∗ is clearly disjunctive: μ∗(∪iYi)=∪iμ∗(Yi).
Finally, {μ∗(η⋄({a})) ∣ a∈A}={μ∗({η(a)}) ∣ a∈A}={μ(η(a)) ∣ a∈A}, so that, by Lemma 3.1 (3-4),
and since ∪a∈Aμ(η(a))=A it turns out that
{μ(η(a)) ∣ a∈A} is a partition of A.
(2) First, notice that a′∈γ(α(∅))⇔α({a′})=α(∅) holds.
Then,
it is enough to check that a′∈γ(α({a})⇔α({a′})=α({a}), for any a,a′∈A.
On the one hand, if a′∈γ(α({a})) then, by PCG, γ(α({a′}))=γ(α({a})),
so that α({a′})=α(γ(α({a′})))=α(γ(α({a})))=α({a}).
On the other hand, if α({a′})=α({a}) then, by CG,
a′∈γ(α({a′}))=γ(α({a})).
(3) If C=⟨η,A,B,μ⟩ is a CGC then we have that C≅∅TCGC(TPGC(C))
because μ∗({η⋄({a}) ∣ a∈A})={μ∗({η(a)}) ∣ a∈A}={μ(η(a)) ∣ a∈A},
so that, by Lemma 3.1 (2),
μ∗({η⋄({a}) ∣ a∈A})∪{∅}=μ(B)∪{∅}.
On the other hand,
if C=⟨α,℘(A)⊆,D≤,γ⟩ is a PGC then C≅TPGC(TCGC(C)) because
[TABLE]
∎
See 4.3
Proof.
By definition, we have that C1⊑C2 iff μ2(B2)⊆μ1(B1),
while TPGC(C1)⊑TPGC(C2) iff μ2∗(η2⋄(℘(A)))⊆μ1∗(η1⋄(℘(A))).
As in the proof of Theorem 4.1 (3), we have that μi∗(ηi⋄(℘(A)))=μi(ηi(A)).
By Lemma 3.1 (2), we have that μi(Bi)=μi(ηi(A))∪{∅}.
Thus, μ2(B2)⊆μ1(B1) iff
μ2(η2(A))∪{∅}⊆μ1(η1(A))∪{∅} iff
μ2(η2(A))⊆μ1(η1(A)).
∎
See 4.5
Proof.
(1) This is Lemma 3.2 (3).
(2) It turns out that TCGP(G) is a CGP: (a) λa.α(↓{a}):A→D
is monotone: clear,
because a≤a′ implies ↓{a}⊆↓{a′}, so that, by monotonicity of α,
α(↓{a})≤Dα(↓{a′}); (b) γ:D→℘↓(A) is monotone because G is a GC; (c) a∈γ(d)⇔α(↓{a})≤Dd: in fact, a∈γ(d)⇔↓a⊆γ(d)⇔α(↓{a})≤Dd.
(3) On the one hand,
if C=⟨η,A,B,μ⟩ is a CGP then we have that C=TCGP(TGC(C))
because TCGP(TGC(C))=⟨λa.η∨(↓a),A,B,μ⟩ and
for any a∈A, η∨(↓a)=∨x≤aη(x)=η(a), because η is monotonic.
On the other hand,
if G=⟨α,℘↓(A)⊆,D≤,γ⟩ is a GC then
[TABLE]
so that G≅TGC(TCGP(G)) holds.
∎
See 4.4
Proof.
(1) By (CGC-Corr), x∈μ(η(y)) iff η(x)=η(y) iff, by Lemma 3.1 (1), μ(η(x))=μ(η(y)).
(2) By definition, x∈φ(a) iff φ(x)=φ(a), and this precisely
means that TCGC(φ) is a CGC.
(3) If φ:A→℘(A) is a CCO then TCCO(TCGC(φ))=φ. If C=⟨η,A,B,μ⟩ is a CGC then
C≅∅⟨μ∘η,A,{μ(η(a)) ∣ a∈A},id⟩=TCGC(TCCO(C)) clearly holds, by Lemma 3.1 (2).
∎
See 5.1
Proof.
By soundness in GCs, g⋄(γ(α({a})))⊆γ(g♯(α(γ(α({a}))))) =γ(g♯(α({a}))).
Also, since a∈γ(α({a})), we have that g(a)∈g⋄(γ(α({a}))).
Since g♯ is block preserving,
g(a)∈g⋄(γ(α({a})))⊆γ(g♯(α({a})))=γ(α({a′})), for some
a′∈A. Hence, since g(a)∈γ(α({a′})) and γ(α({a′})) is a block, we have that
γ(α({g(a)}))=γ(α({a′})), and, in turn, γ(α({g(a)}))=γ(g♯(α({a}))),
so that α(γ(α({g(a)})))=α(γ(g♯(α({a})))).
By GI, α∘γ=id, consequently g♯(α({a}))=α({g(a)}). Also,
g⋄(γ(α({a})))⊆γ(g♯(α({a})))=γ(α({g(a)})).
∎
See 5.2
Proof.
(1) We have that
⟨f,f♯⟩ is sound iff ∀a∈A.f(a)∈μ(f♯(η(a))).
Also, we have that TPGC(⟨f,f♯⟩) is sound w.r.t. TPGC(C) iff
∀X∈℘(A).f⋄(X)⊆μ∗(f♯⋄(η⋄(X)))
iff {f(x) ∣ x∈X}⊆∪y∈Xμ(f♯(η(y))) iff
∀X∈℘(A).∀x∈X.∃y∈X.f(x)∈μ(f♯(η(y))).
Then, ∀a∈A.f(a)∈μ(f♯(η(a))) iff
∀X∈℘(A).∀x∈X.∃y∈X.f(x)∈μ(f♯(η(y))) clearly holds.
(2) ⟨g⋄,g♯⟩ is sound iff ∀X∈℘(A).g⋄(X)⊆γ(g♯(α(X)))
iff ∀X∈℘(A).{g(x) ∣ x∈X}⊆γ(g♯(α(X))).
Moreover, TCGC(⟨g⋄,g♯⟩)=⟨g,g♯r⟩ is sound
for ⟨α{⋅},A,{α({a}) ∣ a∈A},γ⟩
iff
∀a∈A.g(a)∈γ(g♯r(α{⋅}(a)))=γ(g♯r(α({a})))=γ(g♯(α({a}))), where the latter equality follows by Lemma 5.1.
Then, if ⟨g⋄,g♯⟩D is sound then
TCGC(⟨g⋄,g♯⟩) is clearly sound. On the other hand, if TCGC(⟨g⋄,g♯⟩)
is sound and X∈℘(A) then {g(x) ∣ x∈X}⊆∪x∈Xγ(g♯(α({x})))⊆γ(g♯(α(X))), where the latter containment follows
by monotonicity of γ, g♯ and α.
(3) Let ⟨f,f♯⟩ be a sound pair for a CGC C=⟨η,A,B,μ⟩. By (1) we know that
⟨f⋄,f♯⋄⟩=TPGC(⟨f,f♯⟩) is sound for
TPGC(C)=⟨η⋄,℘(A)⊆,℘(B)⊆,μ∗⟩.
Moreover, f♯⋄:℘(B)→℘(B) is monotone and block-preserving, meaning that
f♯⋄(η⋄({a}))=η⋄({a′}) for some a′∈A,
because, by soundness, f(a)∈μ(f♯(η(a))), so that η(f(a))=f♯(η(a)),
thus implying that f♯⋄(η⋄({a}))={f♯(η(a))}={η(f(a))}=η⋄({f(a)}).
Let us consider ⟨f,(f♯⋄)r⟩=TCGC(TPGC(⟨f,f♯⟩)),
where TCGC(TPGC(C))=⟨(η⋄){⋅},A,{η⋄({a}) ∣ a∈A},μ∗⟩.
We have that
(f♯⋄)r:{η⋄({a}) ∣ a∈A}→{η⋄({a}) ∣ a∈A} is such that
(f♯⋄)r(η⋄({a}))=η⋄(f(a))=f♯⋄(η⋄({a})), so we have that
μ∗((f♯⋄)r((η⋄){⋅}(a)))=μ∗((f♯⋄)r(η⋄({a})))=μ∗(f♯⋄(η⋄({a})))=μ(f♯(η(a))).
Hence, this shows that TCGC(TPGC(⟨f,f♯⟩))≅⟨f,f♯⟩.
On the other hand, let ⟨g⋄,g♯⟩ be a sound pair for a PGC D=⟨α,℘(A)⊆,D≤,γ⟩,
where g:A→A and g♯ is monotone and block-preserving.
By (2),
⟨g,g♯r⟩=TCGC(⟨g⋄,g♯⟩) is sound for the CGC
TCGC(D)=⟨α{⋅},A,{α({a}) ∣ a∈A},γ⟩.
We therefore consider ⟨g⋄,(g♯r)⋄⟩=TPGC(TCGC(⟨g,g♯⟩)) which,
by (1), is sound for TPGC(TCGC(D))=⟨(α{⋅})⋄,℘(A)⊆,℘({α({a}) ∣ a∈A}),γ∗⟩.
We have to check that γ∘g♯∘α=γ∗∘(g♯r)⋄∘(α{⋅})⋄. For any X∈℘(A), we have that
(g♯r)⋄((α{⋅})⋄(X))=(g♯r)⋄({α({a}) ∣ a∈X})={g♯(α({a})) ∣ a∈X}, so that
γ∗((g♯r)⋄((α{⋅})⋄(X)))=∪a∈Xγ(g♯(α({a}))).
Since g♯ and γ are additive, while α is always additive,
we have that ∪a∈Xγ(g♯(α({a})))=γ(g♯(α(X))).
∎
See 5.4
Proof.
Let us furst recall that TPGC(C)=⟨η⋄,℘(A)⊆,℘(B)⊆,μ∗⟩.
(1) ⟨f⋄,f♯⋄⟩ is BCA w.r.t. TPGC(C) iff f♯⋄=η⋄∘f⋄∘μ∗ iff ∀Y∈℘(B).{f♯(y) ∣ y∈Y}=η⋄(f⋄(∪y∈Yμ(y)))={η(f(x)) ∣ x∈μ(y),y∈Y} iff ⟨f,f♯⟩ satisfies (CGC-Cmp/ημ).
(2) ⟨f⋄,f♯⋄⟩ is forward complete w.r.t. TPGC(C)
iff f⋄∘μ∗=μ∗∘f♯⋄ iff ∀Y∈℘(B).{f(x) ∣ x∈μ(y),y∈Y}=∪{μ(f♯(y)) ∣ y∈Y} iff ⟨f,f♯⟩ satisfies (CGC-Cmp/μμ).
(3) ⟨f⋄,f♯⋄⟩ is backward complete w.r.t. TPGC(C)
iff η⋄∘f⋄=f♯⋄∘η⋄ iff ∀X∈℘(A).{η(f(x)) ∣ x∈X}={f♯(η(x)) ∣ x∈X} iff ⟨f,f♯⟩ satisfies (CGC-Cmp/ηη).
(4) ⟨f⋄,f♯⋄⟩ is precise w.r.t. TPGC(C)
iff f⋄=μ∗∘f♯⋄∘η⋄ iff ∀X∈℘(A).{f(x) ∣ x∈X}=∪{μ(f♯(η(x))) ∣ x∈X} iff ⟨f,f♯⟩ satisfies (CGC-Cmp/μη).
∎
See 6.1
Proof.
(1) a∈μ(∧ibi) iff, by PCGC (2), η(a)≤∧ibi iff
∀i.η(a)≤bi iff, by PCGC (2), ∀i.a∈μ(bi) iff a∈∩iμ(bi).
(2) The proof of η(a1)=η(a2)⇔μ(η(a1))=μ(η(a2)), by PCGC (1), is the same of Lemma 3.2 (1).
Also, μ(η(a1))=μ(η(a2))⇒a1,a2∈μ(η(a1))∩μ(η(a2)). Conversely,
if a∈μ(η(a1))∩μ(η(a2)) then, by PCGC (1), η(a1)=η(a)=η(a2).
(3) If b∈η(A) then b=η(a), for some a, so that a∈μ(η(a)). A counterexample to the vice versa
is in Example 6.2.
(4) ∨a∈Xη(a)≤b⇔∀a∈X.η(a)≤b⇔∀a∈X.a∈μ(b)⇔X⊆μ(b).
∎
See 6.3
Proof.
(1) By Lemma 6.1 (3), TPPGC(C)=⟨η∨,℘(A)⊆,B≤,μ⟩ is a GC. If
a∈μ(η∨({a1})∩μ(η∨({a2})) then, by PCGC (1), η(a1)=η(a)=η(a2),
so that μ(η∨({a1}))=μ(η∨({a2})), implying that TPPGC(C) is indeed a PPGC.
(2) Let us show PCGC (1):
[TABLE]
On the other hand, α{⋅}(a)=α{⋅}(a′) means α({a})=α({a′}), so that, by GC,
a∈γ(α({a}))=γ(α({a′}))=γ(α{⋅}(a′)).
PCGC (2) also follows because a∈γ(d) iff {a}⊆γ(d) iff, by GC,
α({a})≤d iff α{⋅}(a)≤d.
(3) Let C=⟨η,A,B≤,μ⟩ be a PCGC. We have that
TPCGC(TPPGC(C))=⟨(η∨){⋅},A,B≤,μ⟩, so that
TPCGC(TPPGC(C))=C holds because (η∨){⋅}=η.
On the other hand, let D=⟨α,℘(A)⊆,D≤,γ⟩ be a PPGC. Here,
TPPGC(TPCGC(D))=⟨(α{⋅})∨,℘(A)⊆,D≤,γ⟩.
We have that
[TABLE]
so that TPPGC(TPCGC(D))≅D.
∎
See 6.5
Proof.
(1) We have that ⟨f,f♯⟩ is sound w.r.t. C iff η∨∘f⋄∘μ⊑f♯ iff ⟨f⋄,f♯⟩ is sound w.r.t. TPPGC(C)=⟨η∨,℘(A)⊆,B≤,μ⟩.
(2) ⟨g⋄,g♯⟩ is sound w.r.t. D iff α∘g⋄∘γ⊑g♯,
while
⟨g,g♯⟩=TPCGC(⟨g⋄,g♯⟩) is sound
w.r.t. TPCGC(D)=⟨α{⋅},A,D≤,γ⟩ iff
gTPCGC(D)⋄⊑g♯ iff
(α{⋅})∨∘g⋄∘γ⊑g♯.
Then, it is enough to observe that (α{⋅})∨=α: in fact,
for any X∈℘(A),
(α{⋅})∨(X)=∨x∈Xα{⋅}(x)=∨x∈Xα({x})=α(∪x∈X{x})=α(X).
(3) Clear.
∎