A minimalistic look at widening operators

We consider the problem of formalizing in higher-order logic the familiar notion of widening from abstract interpretation. It turns out that many axioms of widening (e.g. widening sequences are ascending) are not useful for proving correctness. After keeping only useful axioms, we give an equivalent characterization of widening as a lazily constructed wellfounded tree. In type systems supporting dependent products and sums, this tree can be made to reflect the condition of correct termination of the widening sequence. 1 The usual framework We shall first recall the usual definitions of abstract interpretation and widening operators. 1.1 Abstraction and concretization maps Abstract interpretation is a framework for formalizing approximation relationships arising in program semantics and static analysis [8, 9]. Soundness of the abstraction is expressed by the fact that the approximation takes place in a controlled direction. In order to prove that a given set of undesirable states is unreachable, we can compute a superset of the set of reachable states (an over-approximation thereof), in the hope that this set does not intersect the set of undesirable states. If order to prove that we eventually reach a given set of states, we can compute a subset of the set of states that eventually reach them (an under-approximation thereof), in the hope that this set includes the initial states. Most introductory materials on abstract interpretation describe abstraction as a Galois connection between a concrete space S (typically, the powerset P(Σ) of the set of states Σ of the program, or the powerset of the set of finite execution traces Σ of the program) and an abstract space S. For instance, if the program state consists in a program counter location, taken within a finite set P of program locations, and three integer variables, Σ = P ×Z, S = P(P ×Z), the abstract state can be, for instance, a member of S = P → ({⊥} ∪ I), where P is the set of program locations, a → b denotes the set of functions from ainterpretation is a framework for formalizing approximation relationships arising in program semantics and static analysis [8, 9]. Soundness of the abstraction is expressed by the fact that the approximation takes place in a controlled direction. In order to prove that a given set of undesirable states is unreachable, we can compute a superset of the set of reachable states (an over-approximation thereof), in the hope that this set does not intersect the set of undesirable states. If order to prove that we eventually reach a given set of states, we can compute a subset of the set of states that eventually reach them (an under-approximation thereof), in the hope that this set includes the initial states. Most introductory materials on abstract interpretation describe abstraction as a Galois connection between a concrete space S (typically, the powerset P(Σ) of the set of states Σ of the program, or the powerset of the set of finite execution traces Σ of the program) and an abstract space S. For instance, if the program state consists in a program counter location, taken within a finite set P of program locations, and three integer variables, Σ = P ×Z, S = P(P ×Z), the abstract state can be, for instance, a member of S = P → ({⊥} ∪ I), where P is the set of program locations, a → b denotes the set of functions from a VERIMAG is a joint laboratory of CNRS, Université Joseph Fourier and Grenoble-INP.