
The role of linearity in sharing analysis

Published online by Cambridge University Press:  14 June 2022

Gianluca Amato
Affiliation:
University of Chieti–Pescara, Pescara, Italy
Maria Chiara Meo
Affiliation:
University of Chieti–Pescara, Pescara, Italy
Francesca Scozzari*
Affiliation:
University of Chieti–Pescara, Pescara, Italy
*Corresponding author. Email: francesca.scozzari@unich.it

Abstract

Sharing analysis is used to statically discover data structures which may overlap in object-oriented programs. Using the abstract interpretation framework, we show that sharing analysis greatly benefits from linearity information. A variable is linear in a program state when different field paths starting from it always reach different objects. We propose a graph-based abstract domain which can represent aliasing, linearity, and sharing information and define all the necessary abstract operators for the analysis of a Java-like language.

Type
Paper
Creative Commons
This is an Open Access article, distributed under the terms of the Creative Commons Attribution licence (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted re-use, distribution and reproduction, provided the original article is properly cited.
Copyright
© The Author(s), 2022. Published by Cambridge University Press

1. Introduction

In the context of static analysis of object-oriented programs, the aim of sharing analysis is to discover when two data structures may overlap. For instance, this may happen in Java programs, whose objects are stored in a shared memory called the heap. Sharing information can be exploited in program parallelization and distribution, since methods working on data structures that do not overlap can be executed on different processors, using disjoint memory. Moreover, knowing sharing information is very useful for improving other kinds of analyses like shape, pointer, class, and cyclicity analysis.

Consider a class $\mathtt{Tree}$ with two fields ${\mathord{\mathtt{l}}}$ and ${\mathord{\mathtt{r}}}$ defined as follows:

class Tree { Tree l; Tree r; }

A concrete state in an object-oriented program is usually described by a frame, which is a map from program variables to memory locations (or ${\mathord{\mathtt{null}}}$ ), and a memory, which is a map from locations to objects. Figure 1 shows two states with two variables x and y referring to two different objects of class $\mathtt{Tree}$ . In the state of Figure 1A, the variables x and y share, since $x.{\mathord{\mathtt{r}}}.{\mathord{\mathtt{r}}}.{\mathord{\mathtt{r}}}$ and $y.{\mathord{\mathtt{l}}}.{\mathord{\mathtt{l}}}$ point to the same object.

Figure 1. Two concrete states illustrating pair sharing.

Traditionally, sharing analysis has been designed in two different ways: set-sharing analysis and pair-sharing analysis. In set-sharing analysis, we look for sets of variables which share a common object, while in pair-sharing analysis we are only interested in discovering pairs of variables which share. In this paper, we deal with field-sensitive pair-sharing properties.

We abstract concrete states into a new kind of graph we call Aliasing Linearity Pair Sharing ( $\mathsf{ALPS}$ ) graph. For instance, the state in Figure 1A is abstracted into the $\mathsf{ALPS}$ graph in Figure 2A, where the dotted edges between two nodes encode the information that they share. All $\mathsf{ALPS}$ graphs have at most two levels. The first level consists of nodes which are labeled with program variables and may have both incoming and outgoing edges. Second level nodes are unlabeled, are connected to first level nodes by at least one incoming edge, and cannot have outgoing edges. Edges are labeled with field names. Dotted edges encode sharing information and can connect two nodes at any level.

As it is customary in the abstract interpretation theory (Cousot and Cousot Reference Cousot and Cousot1977, Reference Cousot and Cousot1992), the correspondence between $\mathsf{ALPS}$ graphs and concrete states is given by a concretization function that maps each graph to the set of all concrete states it abstracts. In this section, we try to describe the main feature of $\mathsf{ALPS}$ graphs while remaining at an informal level. Precise definitions will be given in the next sections.

1.1 Field-sensitive pair-sharing information

Sharing properties for logic programs have been studied extensively. The large literature on this topic and the paper by Secci and Spoto (Reference Secci and Spoto2005a) on object-oriented programs have been the starting point for designing our abstract domain for sharing analysis.

We say that two locations share when it is possible to reach from them a common location. Consider the concrete state depicted in Figure 1A. Here x and y are bound to two different data structures which overlap, since $x.{\mathord{\mathtt{r}}}.{\mathord{\mathtt{r}}}.{\mathord{\mathtt{r}}}$ and $y.{\mathord{\mathtt{l}}}.{\mathord{\mathtt{l}}}$ are bound to the same object: we say that x and y share. In the abstract graph, we represent this information with an (undirected) dotted edge between the two nodes. For instance, the sharing information in Figure 1A is captured by the four dotted edges in Figure 2A. In the following, in order to keep the graphs as simple as possible, we omit those dotted edges which can be inferred by other features of the graph. In this case, the only nonredundant edge is the one between $x.{\mathord{\mathtt{r}}}$ and $y.{\mathord{\mathtt{l}}}$ , as shown in Figure 2B.

Figure 2. Abstractions of the concrete states in Figure 1.

Note that our graphs encode possible pair-sharing information: the presence of a dotted edge means that the corresponding locations might share, while the absence of the dotted edge means that the corresponding locations do not share for sure. Therefore, the graphs in Figure 2 are correct abstractions also for the concrete state in Figure 1B, although $x.{\mathord{\mathtt{r}}}$ and $y.{\mathord{\mathtt{l}}}$ do not share in the latter.

1.2 Aliasing and nullness

$\mathsf{ALPS}$ graphs may encode definite nullness of variables and fields: a variable is null when it does not appear as a label, while a field $v.{\mathord{\mathtt{f}}}$ is null when there is no edge labeled with ${\mathord{\mathtt{f}}}$ departing from the node v. For example, in Figure 4 the field $v_1.{\mathord{\mathtt{r}}}$ is null. Definite nullness means that when a node is null in the graph, then it has to be null in the corresponding concrete states, but the converse is not true. For example, all the graphs in Figure 3 are correctly abstracted by Figure 4, since in all of them $v_1.{\mathord{\mathtt{r}}}$ is null, although $v_2.{\mathord{\mathtt{r}}}$ is null in some states (Figure 3B and C) but not in others (Figure 3A).

Figure 3. Three concrete states illustrating nullness and aliasing.

Figure 4. Abstraction of the concrete states in Figure 3. Both $v_1$ and $v_2$ are first level nodes, even if there is an edge pointing to $v_1$ .

Figure 5. Concrete and abstract states illustrating aliasing.

The graph also encodes definite weak aliasing: two variables or fields are weakly aliased when they point to the same location or they point both to ${\mathord{\mathtt{null}}}$ . For instance, the variable $v_1$ and the field $v_2.{\mathord{\mathtt{l}}}$ in the concrete state of Figure 3A are aliased, since they are bound to the same object. $\mathsf{ALPS}$ graphs encode aliasing information by using a single node for abstracting both variables/fields. For example, in Figure 4, the same node is labeled by both $v_1$ and the $v_2.{\mathord{\mathtt{l}}}$ (more precisely, the node $v_1$ is reached by the edge labeled ${\mathord{\mathtt{l}}}$ departing from the node $v_2$ ). Note that, due to the definition of weak aliasing, $v_1$ and $v_2.{\mathord{\mathtt{l}}}$ are considered to be aliased even in the concrete state of Figure 3C, hence Figure 3C is still correctly abstracted by Figure 4. Another example is in Figure 5.

We use the adjective weak to distinguish our treatment of aliasing from other proposals which consider two identifiers to be aliased only if they point to the same non-null location (see, e.g., Pollet et al. Reference Pollet, Le Charlier and Cortesi2001).

1.3 Linearity information

In the field of logic programming, the use of a linearity property has proved to be very useful when dealing with sharing information (see Bagnara et al. Reference Bagnara, Zaffanella and Hill2005 for a comprehensive evaluation). We show how the same idea can be reused to enhance sharing analysis of object-oriented programs. We propose a new combined analysis of sharing, aliasing, and linearity properties for Java-like programs based on abstract interpretation, inspired by the corresponding domains on logic programs.

We say that a location is nonlinear when there are two different paths starting from it and reaching a common location. Consider for instance Figure 6. Starting from $v_5.{\mathord{\mathtt{r}}}$ , we reach the same object by either $v_5.{\mathord{\mathtt{r}}}.{\mathord{\mathtt{r}}}.{\mathord{\mathtt{l}}}.{\mathord{\mathtt{r}}}$ or $v_5.{\mathord{\mathtt{r}}}.{\mathord{\mathtt{r}}}.{\mathord{\mathtt{r}}}.{\mathord{\mathtt{l}}}$ . Therefore, we say that $v_5.{\mathord{\mathtt{r}}}$ is nonlinear. It is easy to note that also $v_5$ is nonlinear. In general, whenever a field $v.{\mathord{\mathtt{f}}}$ is nonlinear, the variable v is nonlinear too. We represent possible nonlinearity information by means of a double circle. For instance, the concrete state for variables $v_5$ and $v_6$ in Figure 6 is abstracted as in Figure 7.

Figure 6. A concrete state illustrating nonlinearity.

Figure 7. Abstraction of the concrete state in Figure 6.

1.4 An example program

Linearity plays a key role in sharing analysis, since it allows us to propagate precise sharing information when dealing with method calls. We show how the analysis works and the relevance of linearity information with the help of the example program in Figure 8.

Figure 8. The example program.

We consider again the class $\mathtt{Tree}$ previously defined. The method makeTree defined in Figure 8 (left) builds a complete tree of depth n, whose nodes are all distinct. Actually, with a bottom-up static analysis using $\mathsf{ALPS}$ graphs, we can easily infer that, for any input $n\geq 2$ , makeTree returns a data structure which may be described by the graph in Figure 9A, where the label ${\mathord{\mathtt{out}}}$ denotes the return value of the method. Since there are no undirected dotted edges between ${\mathord{\mathtt{out}}}.{\mathord{\mathtt{l}}}$ and ${\mathord{\mathtt{out}}}.{\mathord{\mathtt{r}}}$ , it means that ${\mathord{\mathtt{out}}}.{\mathord{\mathtt{l}}}$ and ${\mathord{\mathtt{out}}}.{\mathord{\mathtt{r}}}$ do not share. Moreover, since there are no double circles, everything is guaranteed to be linear. The latter property implies that, in any concrete state approximated by the $\mathsf{ALPS}$ graph in Figure 9A, two different fields of the same object can never share. In particular, we know that ${\mathord{\mathtt{out}}}.{\mathord{\mathtt{l}}}.{\mathord{\mathtt{l}}}$ and ${\mathord{\mathtt{out}}}.{\mathord{\mathtt{l}}}.{\mathord{\mathtt{r}}}$ do not share.

Figure 9. Two $\mathsf{ALPS}$ graphs for the example program.

The useTree method in Figure 8 (right) calls makeTree and extracts two subtrees which do not share. In detail, in the useTree method, since we know that ${\mathord{\mathtt{t}}}$ is linear, we can infer that ${\mathord{\mathtt{tl}}}$ is linear too. Since ${\mathord{\mathtt{tl}}}$ is linear, its fields ${\mathord{\mathtt{tl}}}.{\mathord{\mathtt{r}}}$ and ${\mathord{\mathtt{tl}}}.{\mathord{\mathtt{l}}}$ do not share, and therefore ${\mathord{\mathtt{right}}}$ and ${\mathord{\mathtt{left}}}$ do not share. Note that linearity of ${\mathord{\mathtt{t}}}$ is not needed to prove that ${\mathord{\mathtt{t}}}.{\mathord{\mathtt{l}}}$ and ${\mathord{\mathtt{t}}}.{\mathord{\mathtt{r}}}$ do not share (sharing is enough for this). We need linearity when we want to go deeper and prove that ${\mathord{\mathtt{t}}}.{\mathord{\mathtt{l}}}.{\mathord{\mathtt{l}}}$ and ${\mathord{\mathtt{t}}}.{\mathord{\mathtt{l}}}.{\mathord{\mathtt{r}}}$ do not share. Linearity of ${\mathord{\mathtt{t}}}$ is essential here in proving that ${\mathord{\mathtt{left}}}$ and ${\mathord{\mathtt{right}}}$ do not share. The heap at the end of the useTree method may be described by the graph in Figure 9B.

Due to the interaction between sharing and linearity, different $\mathsf{ALPS}$ graphs may represent the same set of concrete states. For example, adding a dotted edge between ${\mathord{\mathtt{out}}}.{\mathord{\mathtt{l}}}$ and ${\mathord{\mathtt{out}}}.{\mathord{\mathtt{r}}}$ in Figure 9A does not allow them to share, since that would violate the linearity of ${\mathord{\mathtt{out}}}$ . In Section 5, we will introduce a closure operator on graphs to deal with these interactions.

1.5 Plan of the paper

The rest of the paper is organized as follows. Section 2 summarizes the notations used through the paper and describes our simple Java-like language. Section 3 defines the basic notions of reachability, sharing, linearity, and aliasing. In Section 4, we introduce the domain of aliasing graphs, which encodes weak aliasing for variables and fields. Then, in Section 5 we enrich aliasing graphs with information regarding sharing and linearity, obtaining what we call $\mathsf{ALPS}$ graphs. Section 6 defines an abstract semantics (analysis) over $\mathsf{ALPS}$ graphs and states its correctness. Section 7 contains a discussion about related work and Section 8 concludes. Appendix A contains all the proofs of the properties and theorems in the paper.

This paper is an extended and revised version of Amato et al. (Reference Amato, Meo and Scozzari2015). With respect to the conference version, this paper includes: (1) definitions for all the operators used in the abstract and concrete semantics; (2) the notion of graph morphism and closure; (3) all the proofs; and (4) many new examples.

2. Preliminaries

2.1 Notations

We use a special notation for ordered pairs. The two components of an ordered pair are separated by $\mathbin{\star}$ . A definition of a pair $s=a\mathbin{\star} b$ silently defines the pair of selectors $s.a$ and $s.b$ .

A total (partial) function f from A to B is denoted by $A \to B$ ( $A \nrightarrow B$ , respectively). Given $f: A \nrightarrow B$ and $x \in A$ , we write $f(x)=\bot$ when f is undefined on x. The composition of functions f and g is denoted by $f \circ g$ . The domain and range of f are, respectively, dom(f) and rng(f). We denote by $[v_1 \mapsto t_1,\ldots,v_n \mapsto t_n]$ the function f such that $dom(f) = \{v_1,\ldots,v_n\}$ and $f(v_i)=t_i$ for $i=1,\ldots,n$ . We denote by $f[w_1\mapsto d_1,\ldots,w_m\mapsto d_m]$ an update of f, with a possibly enlarged domain. By $f|_s$ ( $f|_{-s}$ ), we denote the restriction of f to $s\subseteq dom(f)$ (to $dom(f)\setminus s$ , respectively).

Given a set X, we denote by $\mathcal{P}(X)$ the powerset of X and with $\mathcal{P}_2(X)$ those subsets of X of cardinality 1 or 2. Given $f: A \nrightarrow B$ , $Y \in \mathcal{P}(B)$ and $Z \subseteq \mathcal{P}_2(B)$ , we denote by $f^{-1}(Y)=\{a \in A \mid f(a) \in Y\}$ and $f^{-1}(Z)=\{\{a,a'\} \in \mathcal{P}_2(A) \mid \{f(a),f(a')\} \in Z\}$ .

For an ordered set $\mathit{S}\mathbin{\star}\mathord\le$ , if $s\in S$ , then $\downarrow s=\{s'\in S\mid s'\le s\}$ is the downward closure of s. For a preordered set $\mathit{S}\mathbin{\star}\mathord\le$ , we say that $s_1, s_2 \in S$ are equivalent, and we write $s_1 \sim s_2$ , when $s_1 \leq s_2$ and $s_2 \leq s_1$ . The set $\mathit{S}/{\sim}$ of equivalence classes modulo $\sim$ is ordered by $[s_1] \le [s_2]$ iff $s_1 \le s_2$ . We will freely use preordered sets in the place where ordered sets are expected, implicitly referring to the induced ordered set.

We recall now the basics of abstract interpretation from Cousot and Cousot (Reference Cousot and Cousot1977, Reference Cousot and Cousot1992). Given two posets $\mathit{C}\mathbin{\star}\mathord\le$ and $\mathit{A}\mathbin{\star}\mathord\preceq$ (the concrete and the abstract domain), a Galois connection is a pair of monotonic maps $\alpha:\mathit{C}\mapsto\mathit{A}$ and $\gamma:\mathit{A}\mapsto\mathit{C}$ such that $\gamma \circ \alpha$ is extensive and $\alpha \circ \gamma$ is reductive. It is a Galois insertion when $\alpha \circ \gamma$ is the identity map, that is, when the abstract domain does not contain useless elements. This is equivalent to $\alpha$ being onto, or $\gamma$ one-to-one.

We say that $a \in A$ is a correct approximation of $c \in C$ when $\alpha(c) \preceq a$ or, equivalently, $c \leq \gamma(a)$ . An abstract operator $f^A:\mathit{A}^n\mapsto\mathit{A}$ is correct w.r.t. $f:\mathit{C}^n\rightarrow\mathit{C}$ if, given $a_1, \ldots, a_n$ correct abstractions of $c_1, \ldots, c_n$ , we have that $f^A(a_1, \ldots, a_n)$ is a correct abstraction of $f(c_1, \ldots, c_n)$ . This is equivalent to $f(\gamma(a_1), \ldots, \gamma(a_n)) \leq \gamma(f^A(a_1, \ldots, a_n))$ for every tuple $a_1,\ldots, a_n$ of abstract objects.

2.2 The language

We use the Java-like object-oriented language defined by Secci and Spoto (Reference Secci and Spoto2005a), which is a normalized version of Java with downward casts, and which we extend with upper casts. The details of the concrete semantics first appeared in a long version of the above paper (Secci and Spoto Reference Secci and Spoto2005b) which is unpublished. Here we present the semantics for the sake of completeness.

2.2.1 Syntax

Each program has a set of identifiers $\mathord{\mathit{Ide}}$ and a finite set of classes (or types) $\mathcal{K}$ ordered by a subclass relation $\le$ such that $\mathcal{K}\mathbin{\star}\mathord\le$ is a poset. The set $\mathord{\mathit{Ide}}$ includes the special identifiers ${\mathord{\mathtt{this}}}$ , ${\mathord{\mathtt{res}}}$ , ${\mathord{\mathtt{out}}}$ . Since we do not allow multiple inheritance, for any class $\kappa\in \mathcal{K}$ , the set $\{\kappa'\mid \kappa' \geq\kappa\}$ is a chain. In the following, we assume that $\mathord{\mathit{Ide}}$ and $\mathcal{K}$ have been fixed beforehand.

We use type environments to describe the identifiers in scope in a given program point. A type environment is a map from a finite set of identifiers to the associated class. The set of type environments is

\begin{equation*} \mathord{\mathit{TypEnv}}=\{\tau: \mathord{\mathit{Ide}}\nrightarrow\mathcal{K}\mid dom(\tau)\text{ is finite}\} .\end{equation*}

We call variables the identifiers in $dom(\tau)$ . Any class $\kappa\in\mathcal{K}$ defines a type environment, also denoted by $\kappa$ , which maps the fields of $\kappa$ (including both the fields defined in $\kappa$ and those inherited by the superclasses) to their types.

We require that fields cannot be redefined in subclasses. It means that if ${\mathord{\mathtt{f}}} \in dom (\kappa)$ and $\kappa' \leq \kappa$ , then ${\mathord{\mathtt{f}}} \in dom (\kappa')$ and $\kappa'({\mathord{\mathtt{f}}})=\kappa({\mathord{\mathtt{f}}})$ . For consistency of notation, we write $\kappa.{\mathord{\mathtt{f}}}$ in place of $\kappa({\mathord{\mathtt{f}}})$ for the type of the field ${\mathord{\mathtt{f}}}$ in the class $\kappa$ .

Finally, we require the existence of a class $\top$ with no fields which is the common ancestor of all other classes.

In the examples, we will describe the set of classes and the corresponding type environment using a notation inspired by class definitions in Java.

Example 1. Classes in the example program in Section 1.4 may be described by the following Java-like syntax:

class Tree { Tree l; Tree r; }
class Integer { }

Formally, we have $\mathcal{K}=\{\top,\mathtt{Tree},\mathtt{Integer}\}$ with a flat ordering. Moreover, $\mathtt{Tree}=[{\mathord{\mathtt{l}}}\mapsto\mathtt{Tree}, {\mathord{\mathtt{r}}}\mapsto\mathtt{Tree}]$ and $\mathtt{Integer}=[]$ .

Expressions and commands are normalized versions of those in Java. Their syntax is the following:

\begin{align*}\mathit{exp} ::= &\ {\mathord{\mathtt{null}}}\ \kappa\mid\mathtt{new}\ \kappa\mid v\mid\mathit{v}.{\mathord{\mathtt{f}}}\mid\mathtt{(}\kappa\mathtt{)}v\mid\mathit{v}\mathtt{.m(}v_1,\ldots,v_n\mathtt{)}\\\mathit{com} ::= &\ v\mathbin{\mathtt{\unicode{x02254}}}\mathit{exp} \mid v.{\mathord{\mathtt{f}}}\mathbin{\mathtt{\unicode{x02254}}}\mathit{exp}\mid\mathtt{\{}\mathit{com}\mathtt{;}\cdots\mathtt{;}\mathit{com}\mathtt{\}}\\&\ \mid\mathtt{if\ }v\ \mathtt{=}\ w\mathtt{\ then\ }\mathit{com}\mathtt{\ else\ }\mathit{com}\mid\mathtt{if\ }v\ \mathtt{=null\ then\ }\mathit{com}\mathtt{\ else\ }\mathit{com}\end{align*}

where $\kappa\in\mathcal{K}$ , ${\mathord{\mathtt{f}}}\in\mathord{\mathit{Ide}}$ and $v,w,v_1,\ldots,v_n\in\mathord{\mathit{Ide}}\setminus\{{\mathord{\mathtt{res}}}\}$ are distinct when they appear in the same clause. Each method $\kappa.{\mathord{\mathtt{m}}}$ of a class $\kappa$ is defined with a statement like

\begin{equation*}\mathtt{\kappa_0\ m(}w_1\!:\!\kappa_1,\ldots,w_n\!:\!\kappa_n\mathtt{)}\mathtt{\ with\ }w_{n+1}\!:\!\kappa_{n+1},\ldots,w_{n+m}\!:\!\kappa_{n+m}\mathtt{\ is\ }\mathit{com}\end{equation*}

where $w_1,\ldots,w_n,w_{n+1},\ldots,w_{n+m}\in\mathord{\mathit{Ide}}$ are distinct and are not ${\mathord{\mathtt{res}}}$ nor ${\mathord{\mathtt{this}}}$ nor ${\mathord{\mathtt{out}}}$ . Their declared types are $\kappa_1,\ldots,\kappa_n,\kappa_{n+1},\ldots,\kappa_{n+m}\in\mathcal{K}$ , respectively. Variables $w_1,\ldots,w_n$ are the formal parameters of the method, and $w_{n+1},\ldots,w_{n+m}$ are its local variables. The method can also use a variable ${\mathord{\mathtt{out}}}$ of type $\kappa_0$ which holds its return value. We define $\mathit{body}(\kappa.{\mathord{\mathtt{m}}})=\mathit{com}$ and $\mathit{returnType}(\kappa.{\mathord{\mathtt{m}}})=\kappa_0$ . Overriding methods cannot change the formal parameters but may specialize the return type.

Given a type environment $\tau$ , with an abuse of notation we denote with $\tau(\mathit{exp})$ the static type of an expression $\mathit{exp}$ , defined as follows:

\begin{gather*} \tau(v.{\mathord{\mathtt{f}}})=\tau(v).{\mathord{\mathtt{f}}} \qquad \tau(\mathtt{new}\ \kappa) =\tau({\mathord{\mathtt{null}}}\ \kappa) =\tau(\mathtt{(}\kappa\mathtt{)}v)=\kappa\\ \tau(v.\mathtt{m(}v_1,\ldots,v_n\mathtt{)})= \mathit{returnType}(\tau(v).{\mathord{\mathtt{m}}}). \end{gather*}

Note that the static type of a field of class $\kappa$ is recovered from the definition of $\kappa$ , while the static type of the return value of a method call is the return type of the method.

We require expressions, commands, and methods to be well-typed, according to the standard definition in Java. We also require that all casts are explicit, so that in any assignment $v\mathbin{\mathtt{\unicode{x02254}}}\mathit{exp}$ (resp. $v.{\mathord{\mathtt{f}}}\mathbin{\mathtt{\unicode{x02254}}}\mathit{exp}$ ) the types of v (resp. $v.{\mathord{\mathtt{f}}}$ ) and $\mathit{exp}$ coincide. The same is required for formal and actual parameters. This is not a limitation since we allow upward and downward casts.

2.2.2 Semantics

The semantics of the language is defined by means of frames, objects, and memories defined as follows:

\begin{align*}\mathord{\mathit{Frame}}_\tau & =\{\phi\mid\phi\in dom(\tau)\to\mathord{\mathit{Loc}}\cup\{{\mathord{\mathtt{null}}}\}\}\\\mathord{\mathit{Obj}} & =\{\kappa\mathbin{\star}\phi\mid\kappa\in\mathcal{K}, \ \phi\in\mathord{\mathit{Frame}}_{\kappa}\}\\\mathord{\mathit{Memory}} & =\{\mu\in\mathord{\mathit{Loc}}\nrightarrow\mathord{\mathit{Obj}}\mid dom(\mu)\text{ is finite}\}\end{align*}

where $\mathord{\mathit{Loc}}$ is an infinite set of locations. A frame binds identifiers to locations or ${\mathord{\mathtt{null}}}$ . A memory binds such locations to objects, which contain a class tag and the frame for their fields. A new object of class $\kappa$ is $\mathtt{new}(\kappa)=\kappa\mathbin{\star}\phi$ , with $\phi(v)={\mathord{\mathtt{null}}}$ for each $v\in dom(\kappa)$ .

Example 2. Let $\tau=[v_7\mapsto \mathtt{Tree}, v_8\mapsto \mathtt{Tree}]$ and consider the state depicted in Figure 10, whose abstraction is in Figure 11. We have that $\phi = [ v_7\mapsto l_0, v_8\mapsto l_1]$ and

\begin{align*} \mu = [ & l_0 \mapsto \mathtt{Tree}\mathbin{\star}[{\mathord{\mathtt{l}}}\mapsto l_2, {\mathord{\mathtt{r}}}\mapsto l_3], l_1 \mapsto \mathtt{Tree}\mathbin{\star}[{\mathord{\mathtt{l}}}\mapsto l_4, {\mathord{\mathtt{r}}}\mapsto {\mathord{\mathtt{null}}}],\\ & l_2 \mapsto \mathtt{Tree}\mathbin{\star}[{\mathord{\mathtt{l}}}\mapsto {\mathord{\mathtt{null}}}, {\mathord{\mathtt{r}}}\mapsto {\mathord{\mathtt{null}}}], l_3 \mapsto \mathtt{Tree}\mathbin{\star}[{\mathord{\mathtt{l}}}\mapsto {\mathord{\mathtt{null}}}, {\mathord{\mathtt{r}}}\mapsto l_5],\\ & l_4 \mapsto \mathtt{Tree}\mathbin{\star}[{\mathord{\mathtt{l}}}\mapsto l_6, {\mathord{\mathtt{r}}}\mapsto {\mathord{\mathtt{null}}}], l_5 \mapsto \mathtt{Tree}\mathbin{\star}[{\mathord{\mathtt{l}}}\mapsto {\mathord{\mathtt{null}}}, {\mathord{\mathtt{r}}}\mapsto l_7], \\ & l_6 \mapsto \mathtt{Tree}\mathbin{\star}[{\mathord{\mathtt{l}}}\mapsto l_7, {\mathord{\mathtt{r}}}\mapsto {\mathord{\mathtt{null}}}], l_7 \mapsto \mathtt{Tree}\mathbin{\star}[{\mathord{\mathtt{l}}}\mapsto {\mathord{\mathtt{null}}}, {\mathord{\mathtt{r}}}\mapsto {\mathord{\mathtt{null}}}] ] \enspace .\end{align*}

Figure 10. A concrete state with variables $v_7,v_8$ .

Figure 11. Abstraction of the concrete state in Figure 10.

Our language is strongly typed, which means that the static type of an expression should be consistent with its runtime type. We formalize here the notion of type correctness for a frame and a memory.

Definition 3 (Types of locations) Let $\phi\in\mathord{\mathit{Frame}}_\tau$ , $\mu\in\mathord{\mathit{Memory}}$ and $l \in dom(\mu)$ . We write $\tau(l)=\mu(l).\kappa$ for the runtime type of location l.

If v is a variable, the object associated with v should be of a subtype of the static type of v. This leads to the definition of weak correctness:

Definition 4 (Weak $\tau$ -correctness) Let $\phi\in\mathord{\mathit{Frame}}_\tau$ and $\mu\in\mathord{\mathit{Memory}}$ . We say that $\phi \mathbin{\star} \mu$ is weakly $\tau$ -correct if for every $v\in dom(\phi)$ such that $\phi(v)\not={\mathord{\mathtt{null}}}$ we have $\phi(v)\in dom(\mu)$ and $\tau(\phi(v))\le\tau(v)$ .

We strengthen the correctness notion of Definition 4 by requiring that it also holds for the fields of the objects in memory.

Definition 5 ( $\tau$ -correctness) Let $\phi\in\mathord{\mathit{Frame}}_\tau$ and $\mu\in\mathord{\mathit{Memory}}$ . We say that $\phi \mathbin{\star} \mu$ is $\tau$ -correct and write $\phi\mathbin{\star}\mu:\tau$ , if

(1) $\phi \mathbin{\star} \mu$ is weakly $\tau$ -correct and,

(2) for every $o\in rng(\mu)$ , $o.\phi \mathbin{\star} \mu$ is weakly $o.\kappa$ -correct.

We call state a pair $\phi \mathbin{\star} \mu$ which is $\tau$ -correct for some type environment $\tau$ . The set of $\tau$ -correct states is

\begin{equation*} \Sigma_\tau=\{\phi\mathbin{\star}\mu\mid \phi\in\mathord{\mathit{Frame}}_\tau,\ \mu\in\mathord{\mathit{Memory}},\ \phi\mathbin{\star}\mu:\tau\} .\end{equation*}

Example 6 (Noncorrect state) Let $\tau \in \mathord{\mathit{TypEnv}}=[ u \mapsto \mathtt{Tree}, v \mapsto \mathtt{Tree}, w \mapsto \mathtt{Integer} ]$ , $\phi \in \mathord{\mathit{Frame}}_\tau = [ u \mapsto l_0, v \mapsto {\mathord{\mathtt{null}}}, w \mapsto l_1 ]$ and $\mu \in \mathord{\mathit{Memory}}$ such that $\mu(l_1)=\mathtt{Integer} \mathbin{\star} []$ and $\mu(l_0) = \mathtt{Tree} \mathbin{\star} [ {\mathord{\mathtt{l}}} \mapsto l_0, {\mathord{\mathtt{r}}} \mapsto l_1 ]$ . This may be depicted graphically as follows:

It turns out that $\phi \mathbin{\star} \mu$ is weakly $\tau$ -correct, but it is not $\tau$ -correct, since the right child of u points to an integer node instead of a tree node.
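An executable model of the notions introduced so far, as an added example that is not the paper's own code: frames and memories as in Section 2.2.2, sharing and linearity as described informally in Section 1, and the correctness conditions of Definitions 4 and 5, checked on the states of Examples 2 and 6 and on a constructed nonlinear memory. The encoding of objects as (class, fields) pairs and of locations as strings is an assumption made here.

```python
"""Frames, memories, sharing, linearity and tau-correctness (Sections 1 and 2).
Added example, not the paper's code; the (class, fields) encoding of objects
and the string names of locations are assumptions made here."""

NULL = None  # the paper's null

# Class table of Example 1: each class maps its field names to field types.
CLASSES = {"Top": {}, "Tree": {"l": "Tree", "r": "Tree"}, "Integer": {}}
# Reflexive subclass relation: the flat ordering of Example 1 under Top.
SUBCLASS = {(k, k) for k in CLASSES} | {(k, "Top") for k in CLASSES}

def leq(k1, k2):
    """k1 <= k2 in the subclass ordering."""
    return (k1, k2) in SUBCLASS

def obj(klass, **fields):
    """An object is a pair class * frame; fields not given are null, as in new(kappa)."""
    frame = {f: NULL for f in CLASSES[klass]}
    frame.update(fields)
    return (klass, frame)

def successors(mu, loc):
    """Locations reached in one step through the non-null fields of mu(loc)."""
    return [l for l in mu[loc][1].values() if l is not NULL]

def reachable(mu, start):
    """Locations reachable from start by any field path, the empty one included."""
    seen, todo = set(), [start]
    while todo:
        l = todo.pop()
        if l not in seen:
            seen.add(l)
            todo.extend(successors(mu, l))
    return seen

def share(mu, l1, l2):
    """Section 1.1: two locations share when they reach a common location."""
    return bool(reachable(mu, l1) & reachable(mu, l2))

def linear(mu, start):
    """Section 1.3: start is linear when different field paths from it always
    reach different objects.  On a finite memory this holds exactly when the
    part reachable from start is a tree rooted at start: start has no incoming
    edge from that part and every other reachable location has exactly one."""
    reach = reachable(mu, start)
    indeg = {l: 0 for l in reach}
    for l in reach:
        for s in successors(mu, l):
            indeg[s] += 1
    return indeg[start] == 0 and all(indeg[l] == 1 for l in reach if l != start)

def vars_share(phi, mu, v, w):
    """Variables share through their locations; null shares with nothing."""
    return phi[v] is not NULL and phi[w] is not NULL and share(mu, phi[v], phi[w])

def var_linear(phi, mu, v):
    """A null variable is trivially linear."""
    return phi[v] is NULL or linear(mu, phi[v])

def weakly_correct(phi, mu, tau):
    """Definition 4: each non-null variable is bound to an allocated object
    whose runtime type is a subtype of the variable's static type."""
    return all(l in mu and leq(mu[l][0], tau[v])
               for v, l in phi.items() if l is not NULL)

def tau_correct(phi, mu, tau):
    """Definition 5: weak correctness of the frame and, for every object in
    memory, of its field frame with respect to the object's own class."""
    return weakly_correct(phi, mu, tau) and all(
        weakly_correct(fields, mu, CLASSES[klass]) for klass, fields in mu.values())

# The state of Example 2 (tau, phi and mu exactly as given in the paper).
TAU2 = {"v7": "Tree", "v8": "Tree"}
PHI2 = {"v7": "l0", "v8": "l1"}
MU2 = {
    "l0": obj("Tree", l="l2", r="l3"), "l1": obj("Tree", l="l4"),
    "l2": obj("Tree"),                 "l3": obj("Tree", r="l5"),
    "l4": obj("Tree", l="l6"),         "l5": obj("Tree", r="l7"),
    "l6": obj("Tree", l="l7"),         "l7": obj("Tree"),
}

# The non-correct state of Example 6: u.l points back to u, u.r to an Integer.
TAU6 = {"u": "Tree", "v": "Tree", "w": "Integer"}
PHI6 = {"u": "l0", "v": NULL, "w": "l1"}
MU6 = {"l0": obj("Tree", l="l0", r="l1"), "l1": obj("Integer")}

# A constructed nonlinear memory (not Figure 6): a.l.r and a.r both reach c.
MU_NL = {"a": obj("Tree", l="b", r="c"), "b": obj("Tree", r="c"), "c": obj("Tree")}

if __name__ == "__main__":
    print("v7 and v8 share:", vars_share(PHI2, MU2, "v7", "v8"))       # True, via l7
    print("v7.l and v8 share:", share(MU2, "l2", "l1"))                 # False
    print("v7 linear:", var_linear(PHI2, MU2, "v7"))                    # True
    print("a linear:", linear(MU_NL, "a"))                              # False
    print("Example 6 weakly correct:", weakly_correct(PHI6, MU6, TAU6))  # True
    print("Example 6 tau-correct:", tau_correct(PHI6, MU6, TAU6))        # False
```

The self-loop in Example 6 also makes u nonlinear, since the empty path and the path through ${\mathord{\mathtt{l}}}$ reach the same object.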

The semantics of an expression is a partial map $\mathcal{E}_{\tau}^{I}\unicode{x0301A}{\mathit{exp}}\unicode{x0301B}: \Sigma_\tau\nrightarrow\Sigma_{\tau+\mathit{exp}}$ from an initial to a final state, containing a distinguished variable ${\mathord{\mathtt{res}}}$ holding the value of the expression, where $\tau+\mathit{exp}=\tau[{\mathord{\mathtt{res}}}\mapsto \tau(\mathit{exp})]$ .

Definition 7 (Semantics of expressions) Let $\tau$ describe the variables in scope and I be an interpretation. The semantics for expressions $\mathcal{E}_{\tau}^{I}\unicode{x0301A}{\mathit{exp}}\unicode{x0301B}: \Sigma_\tau \nrightarrow\Sigma_{\tau+\mathit{exp}}$ is defined as

\begin{align*} \mathcal{E}_{\tau}^{I}\unicode{x0301A}{{\mathord{\mathtt{null}}}\ \kappa}\unicode{x0301B}(\phi\mathbin{\star}\mu) &=\phi[{\mathord{\mathtt{res}}}\mapsto{\mathord{\mathtt{null}}}]\mathbin{\star}\mu \\ \mathcal{E}_{\tau}^{I}\unicode{x0301A}{\mathtt{new}\ \kappa}\unicode{x0301B}(\phi\mathbin{\star}\mu) &=\phi[{\mathord{\mathtt{res}}}\mapsto l]\mathbin{\star}\mu[l\mapsto\mathtt{new}(\kappa)]\quad \text{with $l\in\mathord{\mathit{Loc}}\setminus dom(\mu)$} \\ \mathcal{E}_{\tau}^{I}\unicode{x0301A}{{v}}\unicode{x0301B}(\phi\mathbin{\star}\mu)&=\phi[{\mathord{\mathtt{res}}}\mapsto\phi(v)]\mathbin{\star}\mu \\ \mathcal{E}_{{\tau}}^{I}\unicode{x0301A}{v.{\mathord{\mathtt{f}}}}\unicode{x0301B}(\phi\mathbin{\star}\mu)&=\begin{cases} \phi[{\mathord{\mathtt{res}}}\mapsto \phi(v).{\mathord{\mathtt{f}}}]\mathbin{\star}\mu & \text{if $\phi(v)\not={\mathord{\mathtt{null}}}$} \\ \bot & \text{otherwise} \end{cases}\\ \mathcal{E}_{\tau}^{I}\unicode{x0301A}{\mathtt{(}\kappa\mathtt{)}v}\unicode{x0301B}(\phi\mathbin{\star}\mu)&= \begin{cases} \phi[{\mathord{\mathtt{res}}}\mapsto \phi(v)]\mathbin{\star}\mu & \text{if $\phi(v)={\mathord{\mathtt{null}}}$ or}\\ & \text{$\phi(v)\not={\mathord{\mathtt{null}}}$ and $\{\tau(\phi(v)),\kappa\}$ is a chain}\\ \bot & \text{otherwise} \end{cases} \\ \mathcal{E}_{\tau}^{{I}}\unicode{x0301A}{v.\mathtt{m(}v_1,\ldots,v_n\mathtt{)}}\unicode{x0301B}(\phi\mathbin{\star}\mu) &=\begin{cases} \phi[{\mathord{\mathtt{res}}}\mapsto\phi'({\mathord{\mathtt{out}}})]\mathbin{\star}\mu' & \text{if $\phi(v)\not={\mathord{\mathtt{null}}}$} \\ \bot & \text{otherwise} \end{cases} \end{align*}

with $\phi'\mathbin{\star}\mu'=I(\tau(v).{\mathord{\mathtt{m}}})(\sigma^\unicode{x2020})$ and $\sigma^\unicode{x2020}= [{\mathord{\mathtt{this}}}\mapsto\phi(v),w_1\mapsto\phi(v_1),\ldots, w_n\mapsto\phi(v_n)]\mathbin{\star}\mu$ .

The semantics of a command is a partial map from an initial to a final state: $\mathcal{C}_{{\tau}}^{{I}}\unicode{x0301A}{{\mathit{com}}}\unicode{x0301B}:\Sigma_\tau\nrightarrow\Sigma_\tau$ . We assume that $\tau$ in both $\mathcal{E}_{\tau}^{I}\unicode{x0301A}{\_}\unicode{x0301B}$ and $\mathcal{C}_{{\tau}}^{{I}}\unicode{x0301A}{{\_}}\unicode{x0301B}$ does not contain the variable ${\mathord{\mathtt{res}}}$ .

Definition 8 (Semantics of commands) Let $\tau$ describe the variables in scope, I be an interpretation and

\begin{align*} \mathit{setVar}_\tau^v&=\lambda(\phi\mathbin{\star}\mu)\in\Sigma_\tau. \phi|_{-{\mathord{\mathtt{res}}}}[v\mapsto\phi({\mathord{\mathtt{res}}})]\mathbin{\star}\mu\\ \mathit{setField}_\tau^{v.{\mathord{\mathtt{f}}}}&= \lambda(\phi\mathbin{\star}\mu)\in\Sigma_\tau.\begin{cases} \phi|_{-{\mathord{\mathtt{res}}}}\mathbin{\star}\mu[l\mapsto\mu(l)[{\mathord{\mathtt{f}}}\mapsto\phi({\mathord{\mathtt{res}}})]] & \text{if $\phi(v)=l\neq{\mathord{\mathtt{null}}}$} \\ \bot & \text{otherwise.} \end{cases} \end{align*}

The semantics for commands $\mathcal{C}_{{\tau}}^{{I}}\unicode{x0301A}{{\mathit{com}}}\unicode{x0301B}:\Sigma_\tau\nrightarrow\Sigma_\tau$ is defined as

\begin{align*} \mathcal{C}_{{\tau}}^{{I}}\unicode{x0301A}{{v\mathbin{\mathtt{\unicode{x02254}}}\mathit{exp}}}\unicode{x0301B}&= \mathit{setVar}_{\tau+\mathit{exp}}^v \circ \mathcal{E}_{\tau}^{I}\unicode{x0301A}{\mathit{exp}}\unicode{x0301B} \\ \mathcal{C}_{{\tau}}^{I}\unicode{x0301A}{v.{\mathord{\mathtt{f}}} \mathbin{\mathtt{\unicode{x02254}}}\mathit{exp}}\unicode{x0301B}&= \mathit{setField}_{\tau+\mathit{exp}}^{v.{\mathord{\mathtt{f}}}} \circ \mathcal{E}_{\tau}^{I}\unicode{x0301A}{\mathit{exp}}\unicode{x0301B}\\ \mathcal{C}_{{\tau}}^{{I}}\unicode{x0301A}{{\begin{aligned} \mathtt{if\ v=w\ then\ }\mathit{com}_1\\ \mathtt{else\ }\mathit{com}_2 \end{aligned}}}\unicode{x0301B}(\phi\mathbin{\star}\mu)&=\begin{cases} \mathcal{C}_{\tau}^{I}\unicode{x0301A}{{\mathit{com}_1}}\unicode{x0301B}(\phi\mathbin{\star}\mu) & \text{if $\phi(v)=\phi(w)$} \\ \mathcal{C}_{{\tau}}^{I}\unicode{x0301A}{{\mathit{com}_2}}\unicode{x0301B}(\phi\mathbin{\star}\mu) & \text{if $\phi(v)\not=\phi(w)$} \end{cases} \\ \mathcal{C}_{{\tau}}^{{I}}\unicode{x0301A}{{\begin{aligned} \mathtt{if\ v=null\ then\ }\mathit{com}_1\\ \mathtt{else\ }\mathit{com}_2 \end{aligned}}}\unicode{x0301B}(\phi\mathbin{\star}\mu)&=\begin{cases} \mathcal{C}_{\tau}^{I}\unicode{x0301A}{\mathit{com}_1}\unicode{x0301B}(\phi\mathbin{\star}\mu) & \text{if $\phi(v)={\mathord{\mathtt{null}}}$} \\ \mathcal{C}_{\tau}^{I}\unicode{x0301A}{{\mathit{com}_2}}\unicode{x0301B}(\phi\mathbin{\star}\mu) & \text{if $\phi(v)\not={\mathord{\mathtt{null}}}$} \end{cases}\\ \mathcal{C}_{\tau}^{I}\unicode{x0301A}{\{\mathit{com}_1;\ldots;\mathit{com}_p\}}\unicode{x0301B}&= (\lambda\sigma\in\Sigma_\tau.\sigma) \circ\mathcal{C}_{{\tau}}^{I}\unicode{x0301A}{{\mathit{com}_p}}\unicode{x0301B}\circ\cdots\circ \mathcal{C}_{\tau}^{{I}}\unicode{x0301A}{\mathit{com}_1}\unicode{x0301B}. \end{align*}

The identity function $\lambda\sigma\in\Sigma_\tau.\sigma$ in the semantics of the sequence of commands is needed when $p=0$ .

Each method $\kappa.{\mathord{\mathtt{m}}}$ is denoted by a partial function from input to output states and an interpretation I maps methods to partial functions on states, such that $I({\kappa.{\mathord{\mathtt{m}}}}):\Sigma_{\mathit{input}(\kappa.{\mathord{\mathtt{m}}})}\nrightarrow\Sigma_{\mathit{output}(\kappa.{\mathord{\mathtt{m}}})}$ , with the type environments:

\begin{align*}\mathit{input}(\kappa.{\mathord{\mathtt{m}}}) & = [{\mathord{\mathtt{this}}}\mapsto\kappa,w_1\mapsto\kappa_1,\ldots,w_n\mapsto\kappa_n] \\\mathit{output}(\kappa.{\mathord{\mathtt{m}}})&=[{\mathord{\mathtt{out}}}\mapsto\kappa_0,w'_1\mapsto\kappa_1,\ldots,w'_n\mapsto\kappa_n] \mbox{ and}\\\mathit{scope}(\kappa.{\mathord{\mathtt{m}}})&=\begin{aligned}[t]\mathit{input}(\kappa.{\mathord{\mathtt{m}}})& \cup \mathit{output}(\kappa.{\mathord{\mathtt{m}}}) \\& \cup [w_{n+1}\mapsto\kappa_{n+1},\ldots,w_{n+m}\mapsto \kappa_{n+m}]\end{aligned}\end{align*}

where $w'_1,\ldots,w'_n$ are fresh variables used to keep track of the actual parameters. Each $w'_i$ is automatically assigned the same value as the corresponding $w_i$ at the beginning of the method execution, and it is never changed later.

Example 9. Consider the method ${\mathord{\mathtt{makeTree}}}$ in Section 1.4. We have that

\begin{align*} \mathit{input}(\mathtt{Tree}.{\mathord{\mathtt{makeTree}}}) & =[{\mathord{\mathtt{this}}} \mapsto \mathtt{Tree}, n \mapsto \mathtt{Integer}] \\ \mathit{output}(\mathtt{Tree}.{\mathord{\mathtt{makeTree}}}) & = [{\mathord{\mathtt{out}}} \mapsto \mathtt{Tree},n' \mapsto \mathtt{Integer}]\\ \mathit{scope}(\mathtt{Tree}.{\mathord{\mathtt{makeTree}}}) & = \begin{aligned}[t] \mathit{input}(\mathtt{Tree}.{\mathord{\mathtt{makeTree}}}) & \cup \mathit{output}(\mathtt{Tree}.{\mathord{\mathtt{makeTree}}}) \cup [m \mapsto \mathtt{Integer}] . \end{aligned} \end{align*}

The denotational semantics of a program is the least fixpoint of a transformer on interpretations which maps an interpretation I into a new interpretation $I'$ evaluating the bodies of the methods in I from an input state where local variables are bound to ${\mathord{\mathtt{null}}}$ . If $\kappa.{\mathord{\mathtt{m}}}$ is defined as

\begin{equation*}\mathtt{\kappa_0\ m(}w_1\!:\!\kappa_1,\ldots,w_n\!:\!\kappa_n\mathtt{)}\mathtt{\ with\ }w_{n+1}\!:\!\kappa_{n+1},\ldots,w_{n+m}\!:\!\kappa_{n+m}\mathtt{\ is\ }\mathit{com}\end{equation*}

we have

\begin{equation*}\begin{array}{lll}I'(\kappa.{\mathord{\mathtt{m}}}) &= &(\lambda\phi\mathbin{\star}\mu\in\Sigma_{\mathit{scope}(\kappa.{\mathord{\mathtt{m}}})}.\,\phi|_{dom(\mathit{output}(\kappa.{\mathord{\mathtt{m}}}))}\mathbin{\star}\mu) \, \circ \, \mathcal{C}_{\mathit{scope}(\kappa.{\mathord{\mathtt{m}}})}^{I}\unicode{x0301A}{\mathit{body}(\kappa.{\mathord{\mathtt{m}}})}\unicode{x0301B} \circ \\&&(\lambda\phi\mathbin{\star}\mu\in\Sigma_{\mathit{input}(\kappa.{\mathord{\mathtt{m}}})}.\,\phi[{\mathord{\mathtt{out}}}\mapsto{\mathord{\mathtt{null}}}, w'_1 \mapsto \phi(w_1),\ldots, w'_n \mapsto \phi(w_n),\\&& \quad \quad w_{n+1}\mapsto{\mathord{\mathtt{null}}},\ldots,w_{n+m}\mapsto{\mathord{\mathtt{null}}}]\mathbin{\star}\mu) \enspace .\end{array}\end{equation*}
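The expression semantics above and the command semantics of Definition 8, rendered as a small interpreter. This is an added example, not code from the paper: a state is $\phi\mathbin{\star}\mu$ with `None` playing the role of null, the class table and the sample program are constructed, and method calls are left out since they would require an interpretation I.

```python
"""Executable model of the expression and command semantics above.
Added example, not code from the paper.  A state is phi * mu: phi maps
variables to locations (None plays null), mu maps locations to objects
(class name, field map).  Method calls are not modelled."""

NULL = None

# Constructed class table: class -> (parent or None, {field: declared class}).
CLASSES = {"A": (None, {"f": "A"}), "B": ("A", {"g": "A"}), "C": (None, {})}

def subclass(k1, k2):
    """k1 <= k2 (reflexive) in the class hierarchy."""
    while k1 is not None:
        if k1 == k2:
            return True
        k1 = CLASSES[k1][0]
    return False

def fields_of(k):
    """Fields of k, including inherited ones."""
    out = {}
    while k is not None:
        out.update(CLASSES[k][1])
        k = CLASSES[k][0]
    return out

class State:
    def __init__(self, phi, mu):
        self.phi = dict(phi)
        self.mu = {l: (k, dict(f)) for l, (k, f) in mu.items()}
    def copy(self):
        return State(self.phi, self.mu)

def eval_exp(exp, s):
    """E[[exp]]: a copy of s with phi(res) set, or None for the bottom state."""
    s = s.copy()
    kind = exp[0]
    if kind == "null":                      # null kappa
        s.phi["res"] = NULL
    elif kind == "new":                     # new kappa: fresh location, fields null
        l = max(s.mu, default=-1) + 1
        s.mu[l] = (exp[1], {f: NULL for f in fields_of(exp[1])})
        s.phi["res"] = l
    elif kind == "var":                     # v
        s.phi["res"] = s.phi[exp[1]]
    elif kind == "field":                   # v.f: bottom when v is null
        l = s.phi[exp[1]]
        if l is NULL:
            return None
        s.phi["res"] = s.mu[l][1][exp[2]]
    elif kind == "cast":                    # (kappa) v: {tau(phi(v)), kappa} must be a chain
        k, l = exp[1], s.phi[exp[2]]
        if l is not NULL and not (subclass(s.mu[l][0], k) or subclass(k, s.mu[l][0])):
            return None
        s.phi["res"] = l
    else:
        raise ValueError(exp)
    return s

def set_var(v, s):
    """setVar: move phi(res) into v and drop res."""
    s = s.copy()
    s.phi[v] = s.phi.pop("res")
    return s

def set_field(v, f, s):
    """setField: store phi(res) into field f of phi(v); bottom if v is null."""
    l = s.phi[v]
    if l is NULL:
        return None
    s = s.copy()
    s.mu[l][1][f] = s.phi.pop("res")
    return s

def exec_com(com, s):
    """C[[com]]: bottom (None) propagates through every command."""
    if s is None:
        return None
    kind = com[0]
    if kind == "assign":                    # v := exp
        s1 = eval_exp(com[2], s)
        return None if s1 is None else set_var(com[1], s1)
    if kind == "fassign":                   # v.f := exp
        s1 = eval_exp(com[3], s)
        return None if s1 is None else set_field(com[1], com[2], s1)
    if kind == "ifeq":                      # if v = w then c1 else c2
        _, v, w, c1, c2 = com
        return exec_com(c1 if s.phi[v] == s.phi[w] else c2, s)
    if kind == "ifnull":                    # if v = null then c1 else c2
        _, v, c1, c2 = com
        return exec_com(c1 if s.phi[v] is NULL else c2, s)
    if kind == "block":                     # {com_1; ...; com_p}
        for c in com[1]:
            s = exec_com(c, s)
        return s
    raise ValueError(com)

# Constructed program: a := new B; b := a; a.f := new A;
#   if a = b then c := a.f else c := null;  d := (A) b
PROGRAM = ("block", [
    ("assign", "a", ("new", "B")),
    ("assign", "b", ("var", "a")),
    ("fassign", "a", "f", ("new", "A")),
    ("ifeq", "a", "b", ("assign", "c", ("field", "a", "f")),
                       ("assign", "c", ("null", "A"))),
    ("assign", "d", ("cast", "A", "b")),
])

def run_program():
    """Local variables start bound to null, as in the transformer above."""
    return exec_com(PROGRAM, State({"a": NULL, "b": NULL, "c": NULL, "d": NULL}, {}))

def run_bad_cast():
    """Casting a C object to A is not a chain, so the result is bottom."""
    prog = ("block", [("assign", "x", ("new", "C")), ("assign", "y", ("cast", "A", "x"))])
    return exec_com(prog, State({"x": NULL, "y": NULL}, {}))
```

After `run_program()` the variables a, b and d all point to the same B object, whose field f holds the A object that c points to; `res` never survives a command, mirroring $\phi|_{-\mathtt{res}}$ in $\mathit{setVar}$ and $\mathit{setField}$.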

3. Reachability, Sharing, Linearity, and Aliasing

We formalize here the concepts of reachability, sharing, linearity, and aliasing for objects. In a later section, we will use these concepts to introduce the new abstract domain $\mathsf{ALPS}$ . The following definition will simplify notation later.

Definition 10 (Fields of locations) Given $\sigma=\phi\mathbin{\star}\mu \in \Sigma_\tau$ , $l \in dom(\mu)$ , ${\mathord{\mathtt{f}}}$ an identifier and $\bar {\mathord{\mathtt{f}}} = {\mathord{\mathtt{f}}}_1,\ldots, {\mathord{\mathtt{f}}}_n$ a possibly empty sequence of identifiers, when they exist we write

  • $l.{\mathord{\mathtt{f}}}$ for $\mu(l).\phi({\mathord{\mathtt{f}}})$ , the location reachable from l through the field ${\mathord{\mathtt{f}}}$ ;

  • $l.\bar{\mathord{\mathtt{f}}}$ for $l.{\mathord{\mathtt{f}}}_1.\ldots.{\mathord{\mathtt{f}}}_n$ ; if $\bar {\mathord{\mathtt{f}}}$ is empty, $l.\bar {\mathord{\mathtt{f}}}=l$ .

Every time we use these notations, we implicitly require that the conditions guaranteeing their existence are satisfied. The following proposition states very simple results relating types and states.

Proposition 11. Given $\sigma=\phi\mathbin{\star}\mu \in \Sigma_\tau$ , ${\mathord{\mathtt{f}}}$ an identifier and $l, l' \in dom(\mu)$ , then:

  (1) $l.{\mathord{\mathtt{f}}}$ exists iff $\tau(l).{\mathord{\mathtt{f}}}$ exists;

  (2) if $l.{\mathord{\mathtt{f}}}$ exists and $l.{\mathord{\mathtt{f}}}\neq {\mathord{\mathtt{null}}}$ , then $\tau(l.{\mathord{\mathtt{f}}}) \leq\tau(l).{\mathord{\mathtt{f}}}$ .

These properties essentially derive from the $\tau$ -correctness of $\sigma$ . In particular, (2) means that the actual type of the object pointed to by a field is a subtype of the formal type of the field.

Definition 12 (Sharing and linearity for locations) Given $\sigma = \phi \mathbin{\star} \mu \in \Sigma_\tau$ and $l_1, l_2 \in dom(\mu)$ , we say that:

  (1) $l_1$ and $l_2$ share in $\sigma$ when there are $\bar {\mathord{\mathtt{f}}}_1$ , $\bar {\mathord{\mathtt{f}}}_2$ such that $l_1.\bar {\mathord{\mathtt{f}}}_1 = l_2.\bar {\mathord{\mathtt{f}}}_2 \neq {\mathord{\mathtt{null}}}$ ;

  (2) $l_1$ is nonlinear in $\sigma$ when there are $\bar{{\mathord{\mathtt{f}}}}_1 \neq \bar{{\mathord{\mathtt{f}}}}_2$ such that $l_1.\bar {\mathord{\mathtt{f}}}_1 = l_1.\bar {\mathord{\mathtt{f}}}_2 \neq {\mathord{\mathtt{null}}}$ ; otherwise, $l_1$ is said to be linear.

Note that, for any location $l \in dom(\mu)$ , we have that l shares with itself.

Example 13. Consider the state $\sigma=\phi\mathbin{\star}\mu$ in Example 2. We have that $l_0$ and $l_1$ share in $\sigma$ , since $l_0.{\mathord{\mathtt{r}}}.{\mathord{\mathtt{r}}}.{\mathord{\mathtt{r}}} = l_1.{\mathord{\mathtt{l}}}.{\mathord{\mathtt{l}}}.{\mathord{\mathtt{l}}} = l_7$ , while $l_2$ and $l_4$ do not share. Moreover, all the locations are linear.

If $l.{\mathord{\mathtt{f}}}=l'$ it means that $l'$ is reachable from l. If we ignore the field ${\mathord{\mathtt{f}}}$ , we obtain the standard notion of reachability.

Definition 14 (Reachability relations) Given $\sigma= \phi\mathbin{\star}\mu \in \Sigma_\tau$ and $l, l' \in dom(\mu)$ , we write

  • $l \xrightarrow{}_\sigma l'$ iff there is a field ${\mathord{\mathtt{f}}}$ such that $l' = l.{\mathord{\mathtt{f}}}$ ;

  • $l \xrightarrow{*}_\sigma l'$ iff there is a sequence of fields $\bar{{\mathord{\mathtt{f}}}}$ such that $l' = l.\bar {\mathord{\mathtt{f}}}$ .

Moreover, we denote by $\mathord{\mathit{RLoc_\sigma}}(l) = \{l' \in dom(\mu) \mid l \xrightarrow{*}_\sigma l'\}$ the set of locations reachable from $l \in dom(\mu)$ . By convention, we assume $\mathord{\mathit{RLoc_\sigma}}(l) = \emptyset$ for $l \notin dom(\mu)$ .

Example 15. Consider the state $\sigma=\phi\mathbin{\star}\mu$ in Example 2. We have that:

\begin{align*} \mathord{\mathit{RLoc_\sigma}}(l_0) & = \{l_0,l_2,l_3,l_5,l_7\} & \mathord{\mathit{RLoc_\sigma}}(l_4) & = \{l_4,l_6,l_7\}\\ \mathord{\mathit{RLoc_\sigma}}(l_1) & = \{l_1,l_4,l_6,l_7\} & \mathord{\mathit{RLoc_\sigma}}(l_5) & = \{l_5,l_7\}\\ \mathord{\mathit{RLoc_\sigma}}(l_2) & = \{l_2\} & \mathord{\mathit{RLoc_\sigma}}(l_6) & = \{l_6,l_7\}\\ \mathord{\mathit{RLoc_\sigma}}(l_3) & = \{l_3,l_5,l_7\} & \mathord{\mathit{RLoc_\sigma}}(l_7) & = \{l_7\}\end{align*}

Using reachability we may give an alternative characterization of sharing between locations.

Proposition 16. Given $\sigma =\phi\mathbin{\star}\mu \in \Sigma_\tau$ and locations $l_1, l_2 \in dom(\mu)$ , we have that $l_1$ shares with $l_2$ iff $\mathord{\mathit{RLoc_\sigma}}(l_1) \cap \mathord{\mathit{RLoc_\sigma}}(l_2) \neq \emptyset$ .

An analogous characterization for linearity is not possible, since we need to discern among different ways of reaching the same location.
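Definitions 12 and 14 and Proposition 16 on a concrete heap, as an added example (not code from the paper). The heap is constructed here, not the one of Example 2: a tree rooted at location 0 and one rooted at 1 both reach location 7, and locations 8 and 9 form a cycle. Sharing is computed through reachability sets as in Proposition 16, while nonlinearity needs the path-sensitive search the remark above calls for: a location reached by two distinct field paths (including the empty path, so a cycle makes a location nonlinear).

```python
"""Reachability, sharing and linearity on a concrete heap.
Added example, not code from the paper.  mu maps each location to its
field map (field -> location or None); the heap is constructed."""
from collections import deque

MU = {
    0: {"l": 2, "r": 3},
    1: {"l": 4, "r": None},
    2: {"l": None, "r": None},
    3: {"l": 5, "r": None},
    4: {"l": 6, "r": None},
    5: {"l": None, "r": 7},
    6: {"l": 7, "r": None},
    7: {"l": None, "r": None},
    8: {"l": 9, "r": None},      # 8 <-> 9 is a cycle
    9: {"l": 8, "r": None},
    10: {"l": None, "r": None},  # isolated object
}

def rloc(mu, l):
    """RLoc_sigma(l): the locations reachable from l through any field path."""
    if l not in mu:
        return set()             # convention: empty for l not in dom(mu)
    seen, todo = {l}, deque([l])
    while todo:
        cur = todo.popleft()
        for nxt in mu[cur].values():
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def share(mu, l1, l2):
    """Proposition 16: l1 and l2 share iff their reachability sets intersect."""
    return bool(rloc(mu, l1) & rloc(mu, l2))

def nonlinear(mu, l):
    """Definition 12(2): two distinct field paths from l reach one location.
    Each (location, field) edge is followed exactly once, so every visit is a
    distinct path; meeting an already reached location (l itself included,
    which is reached by the empty path) witnesses nonlinearity."""
    reached, todo = {l}, deque([l])
    while todo:
        cur = todo.popleft()
        for nxt in mu[cur].values():
            if nxt is None:
                continue
            if nxt in reached:
                return True
            reached.add(nxt)
            todo.append(nxt)
    return False

def linear_locations(mu):
    """All locations of dom(mu) that are linear."""
    return {l for l in mu if not nonlinear(mu, l)}
```

With this heap, 0 and 1 share (through 7) while 2 and 4 do not; every location of the two trees is linear, and 8 and 9 are nonlinear only because of the cycle, which reachability sets alone cannot tell apart from a plain chain.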

Using reachability, we refine our definition of interpretation, by requiring that a method does not access locations L of the input state which are not reachable from the actual parameters. Programming languages such as Java and that of Section 2.2 satisfy these constraints. This restriction will let us prove the correctness of method calls in the abstract semantics.

Definition 17 (Interpretation) An interpretation I maps methods to partial functions on states, that is, $I({\kappa.{\mathord{\mathtt{m}}}}): \Sigma_{\mathit{input}(\kappa.{\mathord{\mathtt{m}}})}\nrightarrow\Sigma_{\mathit{output}(\kappa.{\mathord{\mathtt{m}}})}$ , in such a way that if $I(\kappa.{\mathord{\mathtt{m}}})(\phi\mathbin{\star}\mu)=\phi'\mathbin{\star}\mu'$ and $L=dom(\mu)\setminus(\bigcup\{ \mathord{\mathit{RLoc_\sigma}}(\phi(v))\mid v\in dom({\mathit{input}(\kappa.{\mathord{\mathtt{m}}})})\})$ then $\mu|_L=\mu'|_L$ , $\phi'({\mathord{\mathtt{out}}})\not\in L$ and $\bigcup\{rng(\mu'(l).\phi)\cap L\mid l\in dom(\mu'|_{-L})\}=\emptyset$ .

Note that the transformer of interpretations in Section 2.2.2 respects the conditions in Definition 17. Interpretations could be further restricted in such a way that if $I(\kappa.{\mathord{\mathtt{m}}})(\phi\mathbin{\star}\mu)=\phi'\mathbin{\star}\mu'$ then $rng(\phi')\cap L = \emptyset$ . We do not enforce this condition since it is not necessary to prove correctness of the abstract semantics.

3.1 Reachability among identifiers

As we said before, we want to record sharing and linearity information not only for variables in the type environment but also for their fields. Therefore, we introduce some notation to treat variables and their fields as uniformly as possible.

Definition 18 (Qualified fields and identifiers) Given a type environment $\tau$ , we call qualified field an expression $v.{\mathord{\mathtt{f}}}$ where $v \in dom(\tau)$ and ${\mathord{\mathtt{f}}} \in dom(\tau(v))$ and we call qualified identifier either a variable in $dom(\tau)$ or a qualified field. We denote by $Q_\tau$ and $I_\tau$ the set of qualified fields and identifiers, respectively.

It is worth noting that we only consider fields that are in the declared type of the variables, and we do not consider further fields that are in the actual type. This choice, although it may decrease the precision of the analysis, greatly simplifies the correspondence between abstract and concrete semantics and may increase the speed of the analysis. Note that since $dom(\tau)$ is finite, we have that $I_\tau$ is also finite.

Example 19. In Example 2, the qualified fields are $Q_\tau=\{ \mathit{v_7}.{\mathord{\mathtt{l}}},\mathit{v_7}.{\mathord{\mathtt{r}}},\mathit{v_{8}}.{\mathord{\mathtt{l}}}, \mathit{v_{8}}.{\mathord{\mathtt{r}}} \}$ and the qualified identifiers are $I_\tau = \{\mathit{v_7},\mathit{v_{8}} \}\cup Q_\tau$ .

Definition 20 (Locations for qualified fields) If $\sigma = \phi \mathbin{\star} \mu \in \Sigma_\tau$ and $v.{\mathord{\mathtt{f}}} \in Q_\tau$ , for uniformity of notation with variables we define $\phi(v.{\mathord{\mathtt{f}}}) = {\mathord{\mathtt{null}}}$ if $\phi(v)={\mathord{\mathtt{null}}}$ , $\phi(v.{\mathord{\mathtt{f}}})=\phi(v).{\mathord{\mathtt{f}}}$ otherwise. In other words, if $\phi(v.{\mathord{\mathtt{f}}}) \neq {\mathord{\mathtt{null}}}$ , then $\phi(v.{\mathord{\mathtt{f}}})$ is the location pointed to by the field ${\mathord{\mathtt{f}}}$ in the variable v.

The following proposition states that the runtime type of a qualified identifier is a subtype of its declared type.

Proposition 21. For each $i \in I_\tau$ and $\sigma= \phi\mathbin{\star}\mu\in\Sigma_\tau$ , we have that $\phi(i) \neq {\mathord{\mathtt{null}}}$ implies $\tau(\phi(i)) \leq \tau(i)$ .

We now lift the definitions and properties of sharing and linearity from locations to identifiers.

Definition 22. (Sharing, linearity, and aliasing) Let $\sigma \in \Sigma_\tau$ and $i_1, i_2 \in I_\tau$ . We say that:

  • $i_1 $ and $i_2$ share in $\sigma$ when $\phi(i_1) \neq {\mathord{\mathtt{null}}} \neq \phi(i_2)$ and $\phi(i_1)$ , $\phi(i_2)$ share in $\sigma$ ;

  • $i_1$ is nonlinear in $\sigma$ when $\phi(i_1) \neq{\mathord{\mathtt{null}}}$ and $\phi(i_1)$ is nonlinear in $\sigma$ ; otherwise, $i_1$ is said to be linear.

  • $i_1 $ and $i_2$ are (weakly) aliased in $\sigma$ when $\phi(i_1)=\phi(i_2)$ .

Note that two identifiers that are both ${\mathord{\mathtt{null}}}$ are considered to be weakly aliased.

Example 23. In Figure 10, the field $\mathit{v_7}.{\mathord{\mathtt{r}}}$ shares with $\mathit{v_8}.{\mathord{\mathtt{l}}}$ . As a consequence, $\mathit{v_7}$ shares with $\mathit{v_8}.{\mathord{\mathtt{l}}}$ and $\mathit{v_8}$ . The field $\mathit{v_7}.{\mathord{\mathtt{l}}}$ shares only with itself and the parent. The identifiers $v_7$ and $v_8$ are linear, while $v_5$ , $\mathit{v_5}.{\mathord{\mathtt{r}}},$ and $v_6$ in Figure 6 are not linear.

Note that a qualified identifier $i \in I_\tau$ shares with itself if and only if it is not ${\mathord{\mathtt{null}}}$ . Moreover, each $i \in I_\tau$ such that $\phi(i)= {\mathord{\mathtt{null}}}$ is linear and does not share with any other identifier.

Definition 24 (Reachability for qualified identifiers) Let $\sigma = \phi \mathbin{\star} \mu \in \Sigma_\tau$ and $i \in I_\tau$ . We define the set of locations reachable from i in $\sigma$ as $\mathord{\mathit{RLoc_\sigma}}(i)=\mathord{\mathit{RLoc_\sigma}}(\phi(i))$ if $\phi(i)\neq {\mathord{\mathtt{null}}}$ , $\emptyset$ otherwise.

Note that the reachability set for a variable is related to the reachability set of its qualified fields. This is formalized by the following result.

Proposition 25. Let $\sigma = \phi \mathbin{\star} \mu \in \Sigma_\tau$ and $v \in dom(\tau)$ . If $\phi(v)\neq{\mathord{\mathtt{null}}}$ , then

\begin{equation*} \mathord{\mathit{RLoc_\sigma}}(v) \supseteq \{ \phi(v) \} \cup \bigcup_{v.{\mathord{\mathtt{f}}} \in Q_\tau} \mathord{\mathit{RLoc_\sigma}}(v.{\mathord{\mathtt{f}}}) \enspace . \end{equation*}

Equality does not hold since there is some sharing information in $\mathord{\mathit{RLoc_\sigma}}(v)$ which is not derivable from the sharing information of its fields. This is due to the fact that we consider only fields in the declared type of a variable. Thus, further sharing relationships may exist in other fields which do not belong to the declared type.

3.2 Class-induced reachability

It must be observed that two qualified identifiers might never be able to share if their static types do not let them be bound to overlapping data structures. Analogously, certain qualified identifiers are forced to be linear.

Example 26. In Example 1, we have that a $\mathtt{Tree}$ is not an $\mathtt{Integer}$ , an $\mathtt{Integer}$ is not a $\mathtt{Tree}$ , and they do not have any field which can share. Therefore, any identifier of type $\mathtt{Tree}$ can never share with any identifier of type $\mathtt{Integer}$ . Moreover, any identifier of type $\mathtt{Integer}$ may only be linear.

Example 27. Consider the following classes:

class A { B b; }
class C { }
class B { C c; }
class B1 extends B { }

Then, every object of class $\mathtt{A}$ is linear.

Identifying pairs of classes which cannot share, or classes that are forced to be linear, may improve the result of the analysis. This is the topic of the rest of this section.

Definition 28 (Class reachability) We define a reachability relation between classes given by $\kappa \xrightarrow{}\kappa'$ iff there exists an identifier ${\mathord{\mathtt{f}}}$ such that $\kappa' \leq \kappa.{\mathord{\mathtt{f}}}$ . We denote by $\xrightarrow{*}$ the reflexive and transitive closure of $\xrightarrow{}$ .

In Definition 28, if a class $\kappa'$ (different from $\kappa$ ) is reachable from $\kappa$ , then all its subclasses $\downarrow\kappa'$ are considered reachable. This reflects the fact that we consider a language with (checked) casts. The following proposition relates reachability with class reachability: if location $l_2$ is reachable from $l_1$ , the type of $l_2$ should be reachable from the type of $l_1$ .

Proposition 29. Given $\sigma = \phi \mathbin{\star} \mu \in \Sigma_\tau$ and $l_1, l_2 \in dom(\mu)$ , if $l_1 \xrightarrow{*}_\sigma l_2$ , then $\tau(l_1) \xrightarrow{*} \tau(l_2)$ .

This notion of class reachability corresponds to the one in Secci and Spoto (2005a) if we denote by $C(\kappa)$ the set of classes reachable by $\downarrow \kappa$ , that is,

\begin{equation*}C(\kappa) = \{ \kappa' \mid \kappa'' \in \downarrow \kappa\text{ and } \kappa'' \xrightarrow{*} \kappa' \} \enspace .\end{equation*}

We introduce this alternative notation since it will be convenient in the next definitions.

Example 30. Considering the classes in Example 1, we have that $C(\mathtt{Tree})=\{\mathtt{Tree}\}$ and $C(\mathtt{Integer})=\{\mathtt{Integer}\}$ . Therefore, any identifier of type $\mathtt{Tree}$ can never share with an identifier of type $\mathtt{Integer}$ . Given the classes in Example 27, we have $C(\mathtt{A})=\{ \mathtt{A},\mathtt B, \mathtt{B1}, \mathtt{C} \}$ .

We will denote by NL the set of classes whose instances may be nonlinear and by $SH$ the set of pairs of classes which may share. Both NL and SH may be computed using class reachability, that is, by typing information only.

First of all, note that identifiers $i_1$ and $i_2$ may share only if there is a common location l which is reachable both from $\phi(i_1)$ and $\phi(i_2)$ . Therefore, the class $\tau(l)$ should be class reachable from both $\tau(\phi(i_1))$ and $\tau(\phi(i_2))$ . This is formalized by the following:

Definition 31 (The SH set) Given the type environment $\tau$ , we define the set of pairs of classes which may share:

\begin{equation*} {SH}=\{ (\kappa, \kappa') \mid C(\kappa) \cap C(\kappa') \neq \emptyset \} \enspace . \end{equation*}

Proposition 32. Given $i_1, i_2 \in I_\tau$ , and $\sigma \in \Sigma_\tau$ , if $i_1$ and $i_2$ share in $\sigma$ , then $(\tau(i_1), \tau(i_2)) \in {SH}$ .

We now consider the problem of linearity induced by type information. In general, an object of class $\kappa$ may be nonlinear if $\kappa$ has two fields which may share, if it has a field which may share with itself, or if a nonlinear class $\kappa'$ is reachable from $\kappa$ . This is formalized by the following:

Definition 33 (The NL set) The set NL of nonlinear classes is the upward closure of the least solution of the equation:

\begin{multline*}\mathcal S = \{ \kappa \mid C(\kappa.{\mathord{\mathtt{f}}}_1) \cap C(\kappa.{\mathord{\mathtt{f}}}_2) \neq \emptyset,{\mathord{\mathtt{f}}}_1 \neq {\mathord{\mathtt{f}}}_2 \}\cup \{ \kappa \mid \kappa \in C(\kappa.{\mathord{\mathtt{f}}}) \} \cup \{ \kappa \mid \kappa\xrightarrow{} \kappa', \kappa' \in \mathcal S \}\enspace .\end{multline*}

Note that $\mathit{NL}$ is upward closed by definition. If $\kappa$ is possibly nonlinear, the same holds for any $\kappa' \geq \kappa$ since a variable of type $\kappa'$ may actually point to an object of class $\kappa$ .

Proposition 34. Given $\sigma \in \Sigma_\tau$ and $i \in I_\tau$ , if i is not linear in $\sigma$ , then $\tau(i) \in {NL}$ .
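Class reachability, $C(\kappa)$, and the sets SH and NL of Definitions 28, 31 and 33, computed from a class table alone, as an added example (not code from the paper). The two tables are constructed after Example 27 and after the three classes of Example 36 below (B extends A with two fields f and g of class B); fields are assumed to be inherited by subclasses. NL is obtained as the least solution of the three clauses of Definition 33 followed by the upward closure.

```python
"""Class reachability, C(kappa), SH and NL from typing information.
Added example, not code from the paper.  A class table maps each class to
(parent or None, {field: declared class}); both tables are constructed."""

EX27 = {"A": (None, {"b": "B"}), "C": (None, {}),
        "B": (None, {"c": "C"}), "B1": ("B", {})}
EX36 = {"A": (None, {}), "B": ("A", {"f": "B", "g": "B"}), "C": (None, {})}

def fields_of(table, k):
    """Fields of k including inherited ones (the most derived declaration wins)."""
    out = {}
    while k is not None:
        parent, fs = table[k]
        for f, t in fs.items():
            out.setdefault(f, t)
        k = parent
    return out

def superclasses(table, k):
    """{k' | k <= k'}: k and all its ancestors."""
    out = set()
    while k is not None:
        out.add(k)
        k = table[k][0]
    return out

def subclasses(table, k):
    """Down-arrow k: k and all its (transitive) subclasses."""
    return {k2 for k2 in table if k in superclasses(table, k2)}

def reach_step(table, k):
    """Definition 28: k -> k' iff k' <= k.f for some field f of k."""
    return {k2 for t in fields_of(table, k).values() for k2 in subclasses(table, t)}

def C(table, k):
    """C(k): every class reachable by ->* from some subclass of k."""
    seen, todo = set(), list(subclasses(table, k))
    while todo:
        cur = todo.pop()
        if cur not in seen:
            seen.add(cur)
            todo.extend(reach_step(table, cur))
    return seen

def SH(table):
    """Definition 31: pairs of classes whose C-sets intersect."""
    cs = {k: C(table, k) for k in table}
    return {(k1, k2) for k1 in table for k2 in table if cs[k1] & cs[k2]}

def NL(table):
    """Definition 33: least solution S of the three clauses, then upward closure."""
    S = set()
    for k in table:
        cs = {f: C(table, t) for f, t in fields_of(table, k).items()}
        fs = list(cs)
        if any(cs[f1] & cs[f2] for i, f1 in enumerate(fs) for f2 in fs[i + 1:]):
            S.add(k)                        # two distinct fields that may share
        if any(k in c for c in cs.values()):
            S.add(k)                        # a field that may reach k itself
    changed = True
    while changed:                          # third clause: k -> k' with k' in S
        changed = False
        for k in table:
            if k not in S and reach_step(table, k) & S:
                S.add(k)
                changed = True
    return {k2 for k in S for k2 in superclasses(table, k)}
```

On the first table no class is nonlinear, matching Example 27; on the second, B is nonlinear by both the first and the second clause of Definition 33, and the upward closure adds its superclass A, exactly because a variable of type A may point to a B object.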

In the following sections, we use the concepts of sharing, linearity, and aliasing introduced before to define a new abstract domain, called $\mathsf{ALPS}$ (Aliasing Linearity Pair Sharing), for the analysis of Java-like programs.

4. Aliasing Graphs

We start by defining a basic domain encoding definite aliasing. The domain will also encode definite nullness, which is a useful and basic property of Java programs.

Definition 35 (Pre-aliasing graphs) A pre-aliasing graph over the type environment $\tau$ is a directed graph $G = N \mathbin{\star} E \mathbin{\star} \ell$ such that:

  • N is the finite set of nodes;

  • $E \subseteq N \times \mathord{\mathit{Ide}} \times N$ is the set of directed edges, each labeled by an identifier;

  • $\ell: dom(\tau) \nrightarrow N$ is a partial map from variables to nodes;

with the additional condition that

  • $\forall n \in N, \forall {\mathord{\mathtt{f}}} \in \mathord{\mathit{Ide}}$ , there is at most one outgoing edge from n labeled by ${\mathord{\mathtt{f}}}$ and

  • $\forall n \in N, \forall {\mathord{\mathtt{f}}} \in \mathord{\mathit{Ide}}$ , if $n \xrightarrow{{\mathord{\mathtt{f}}}} n' \in E$ then there exists $v \in dom(\tau)$ such that $\ell(v)=n$ and $v.{\mathord{\mathtt{f}}} \in Q_\tau$ .

When it is clear from the context, we denote $G.N$ , $G.E$ , and $G.\ell$ just by N, E, and $\ell$ . Moreover, we denote $G_i.N$ , $G_i.E$ , and $G_i.\ell$ by $N_i$ , $E_i$ , $\ell_i$ , and similarly for other typographical variants of G.

Example 36. Consider three classes $\mathtt{A},\mathtt{B},\mathtt{C}$ where $\mathtt{B}$ extends $\mathtt{A}$ and has two fields ${\mathord{\mathtt{f}}}$ and $\mathtt{g}$ of class $\mathtt{B}$ . We have that $\mathcal{K}=\{\top,\mathtt{A},\mathtt{B},\mathtt{C}\}$ with $\mathtt{B} \leq \mathtt{A}$ and $\mathtt{B}=[{\mathord{\mathtt{f}}} \mapsto \mathtt{B},\mathtt{g} \mapsto \mathtt{B}]$ , while $\mathtt{A}=\mathtt{C}=[]$ . Given variables $a_1,a_2,b_1,b_2,c \in \mathord{\mathit{Ide}}$ with $\tau=[a_1 \mapsto \mathtt{A},a_2 \mapsto \mathtt{A}, b_1 \mapsto \mathtt{B},b_2 \mapsto \mathtt{B},c \mapsto \mathtt{C}]$ , Figure 12A shows a pre-aliasing graph over $\tau$ .

Figure 12. A pre-aliasing graph for the type environment in Example 36.

We can extend $\ell$ from variables to qualified fields. Note that $\ell(v.{\mathord{\mathtt{f}}})$ only depends on $\ell(v)$ and not on v itself.

Definition 37 (Extension of $\ell$ ) Given a pre-aliasing graph $G = N \mathbin{\star} E \mathbin{\star} \ell$ , we extend $\ell$ on qualified fields $v.{\mathord{\mathtt{f}}} \in Q_\tau$ by

\begin{equation*}\ell(v.{\mathord{\mathtt{f}}}) = \begin{cases}n & \text{if $\ell(v) \neq \bot \wedge \ell(v)\xrightarrow{{\mathord{\mathtt{f}}}} n \in E$}\\\bot & \text{otherwise}\end{cases}\end{equation*}

When it helps readability, we will annotate nodes in aliasing graphs both with variables and qualified fields. See, for example, Figure 12B. Moreover, in the examples we will denote a node n by any identifier i such that $\ell(i)=n$ .

The idea of a pre-aliasing graph is that, given an identifier $i \in I_\tau$ , $\ell(i)=\bot$ means i is definitely ${\mathord{\mathtt{null}}}$ , while $\ell(i)=\ell(j)$ means that i and j are either both ${\mathord{\mathtt{null}}}$ or aliased. Since we aim at designing a domain which encodes definite aliasing and nullness, we define a preorder on pre-aliasing graphs such that $G_1 \preceq G_2$ when $G_1$ has more aliasing and nullness information than $G_2$ .

Definition 38 (Preordering on pre-aliasing graphs) Given two pre-aliasing graphs $G_1$ and $G_2$ , we say that $G_1 \preceq G_2$ iff

  • for each $i, i' \in I_\tau$ , $\ell_2(i)=\ell_2(i') \Rightarrow\ell_1(i)=\ell_1(i')$ ;

  • for each $i \in I_\tau$ , $\ell_2(i)=\bot \Rightarrow \ell_1(i)=\bot$ .

Note that, given their intended meaning, some pre-aliasing graphs contain redundant information. For example, nodes which are not labeled by any qualified identifier may be removed. Conversely, two identifiers $i_1,i_2$ of incomparable types may be (weakly) aliased only if they are both ${\mathord{\mathtt{null}}}$ . We therefore restrict our attention to the pre-aliasing graphs which satisfy some additional regularity conditions.

Definition 39 (Aliasing graph) An aliasing graph is a pre-aliasing graph G such that, for all $n \in N$ , $\{ \tau(i) \mid i \in I_\tau \wedge \ell(i)=n \}$ is a nonempty chain. We denote by $\mathcal{G}_\tau$ the set of aliasing graphs over the type environment $\tau$ , by $\tau_G(n) = \bigwedge \{ \tau(i) \mid i \in I_\tau \wedge \ell(i)=n \}$ the type of the node n and by $\psi_G(n) = \bigwedge \{ \tau(w) \mid w \in dom(\tau) \wedge \ell(w)=n \}$ the type that may be inferred from variables only, with the proviso that the meet of an empty set of classes is $\top$ .

Note that, although the type $\tau_G(n)$ depends on all the qualified identifiers labeling that node, the edges possibly departing from the nodes depend on $\psi_G(n)$ only. We could have also adopted another approach for pre-aliasing graphs and allow edges $n \xrightarrow{{\mathord{\mathtt{f}}}} m$ if ${\mathord{\mathtt{f}}}$ is a field in $\tau_G(n)$ . Although this could potentially improve precision, it comes at the cost of a greater complexity of several operations.

Example 40. The pre-aliasing graph in Figure 12A is not an aliasing graph due to the rightmost node $b_2 c$ since $\tau(b_2)=\mathtt{B}$ , $\tau(c)=\mathtt{C}$ but $\{\mathtt{B},\mathtt{C}\}$ is not a chain. This means that the variables $b_2$ and c can never be aliased (and thus are both ${\mathord{\mathtt{null}}}$ ).

4.1 Morphisms of aliasing graphs

We give in this section a different characterization of the preordering over aliasing graphs.

Definition 41 (Morphism of aliasing graphs) A morphism of aliasing graphs $h: G_1 \rightarrow G_2$ in $\mathcal{G}_\tau$ is a partial map $h: N_1 \nrightarrow N_2$ such that, for each $i \in I_\tau$ , $h(\ell_1(i))= \ell_2(i)$ .

This notion of morphism respects the intended meaning of aliasing graphs. If $h: G_1 \rightarrow G_2$ and $\ell_1(v) = \bot$ , then $\ell_2(v)=\bot$ . Moreover, if $\ell_1(v)=\ell_1(w)$ , then $\ell_2(v)=\ell_2(w)$ . Aliasing morphisms enjoy many interesting properties. In particular,

Theorem 42. Given two aliasing graphs $G_1, G_2$ , there exists a morphism from $G_2$ to $G_1$ if and only if $G_1 \preceq G_2$ . Moreover, the morphism, when it exists, is unique.

It is often easier to think in terms of morphisms than to check whether Definition 38 holds: most of the proofs of the properties in this section use graph morphisms and the characterization in Theorem 42. Moreover, morphisms will be pivotal in Section 5 when comparing sharing and linearity information attached to different aliasing graphs.

Example 43. Let us consider the following classes:

class B;
class A extends B { B l; B r; }

and the type environment $\tau = [a \mapsto \mathtt{A}, b \mapsto \mathtt{B}]$ . Consider the aliasing graphs $G_1$ and $G_2$ , respectively, in Figure 13A and B. There is a morphism $h: G_2 \to G_1$ given by $\{n_3 \mapsto n_1, n_6 \mapsto n_1, n_4 \mapsto n_2 \}$ , since

\begin{gather*} h(\ell_2(a))= h(n_3) = n_1 = \ell_1(a) \qquad h(\ell_2(b))= h(n_6) = n_1 = \ell_1(b) \\ h(\ell_2(a.{\mathord{\mathtt{l}}}))=h(n_4) = n_2 = \ell_1(a.{\mathord{\mathtt{l}}}) \qquad h(\ell_2(a.{\mathord{\mathtt{r}}}))=h(n_5)=\bot = \ell_1(a.{\mathord{\mathtt{r}}}) \end{gather*}

By Theorem 42, we have that $G_1 \preceq G_2$ .

Figure 13. Comparison of aliasing graphs. We have explicitly annotated each node with its identity.

4.2 The lattice of aliasing graphs

We now show that $\preceq$ for aliasing graphs has least upper bounds and greatest lower bounds, and we show how to build them.

We begin by defining a new aliasing graph $G_1 \curlyvee G_2$ , which we will later prove to be the least upper bound. In the definition, we use the inverse function $\ell^{-1}$ . Note that $\ell^{-1}$ may be different if we consider $\ell$ as the map $\ell: dom(\tau) \nrightarrow N$ in Definition 35 or as the map $\ell: I_\tau \nrightarrow N$ in Definition 37. When it is not specified, the latter is assumed.

Definition 44. Given $G_1, G_2\in \mathcal{G}_\tau$ , let $X=\ell_1^{-1}(N_1) \cup \ell_2^{-1}(N_2)$ and let $\sim \subseteq X \times X$ be the equivalence relation on X such that $i \sim i' \iff \ell_1(i)=\ell_1(i') \wedge \ell_2(i)=\ell_2(i')$ . We define the aliasing graph $G_1 \curlyvee G_2 = N \mathbin{\star} E \mathbin{\star} \ell$ where

  • $N = X/\mathrm{\sim}$ is the set of equivalence classes of X;

  • for any $v \in dom(\tau)$ , $\ell(v)=[v]_\sim$ if $v \in X$ , $\ell(v)=\bot$ otherwise;

  • $S_1 \xrightarrow{{\mathord{\mathtt{f}}}} S_2 \in E$ iff there exists $v \in S_1$ s.t. $v.{\mathord{\mathtt{f}}} \in S_2$ .

Example 45. Let us consider the same classes and type environment of Example 43. Figure 14 shows an example of lub of aliasing graphs. Note that, even without knowing the class definitions, the graphs contain enough information to justify the result of the operation. For example, in Figure 14A, the fact that the left child of the node ab does not contain $b.{\mathord{\mathtt{l}}}$ means that ${\mathord{\mathtt{l}}}$ is not a field of $\tau(b)$ , hence $\tau(a)$ is a subclass of $\tau(b)$ .

Figure 14. Least upper bound of aliasing graphs.

An analogous, although more complex, definition may be given for $G_1 \curlywedge G_2$ , which we will later prove to be the greatest lower bound of aliasing graphs.

Definition 46. Given $G_1, G_2\in \mathcal{G}_\tau$ , let $\sim \subseteq I_\tau \times I_\tau$ be the least equivalence relation on $I_\tau$ such that $\ell_1(i) =\ell_1( i') \vee \ell_2(i) =\ell_2( i') \Rightarrow i \sim i'$ . Moreover, let N be the largest subset of $I_\tau/\sim$ such that:

  • $N \subseteq \{[i]_\sim \mid i \in I_\tau, \tau([i]_\sim) \text{ is a chain and } [i]_{\sim} \subseteq \ell_1^{-1}(N_1) \cap \ell_2^{-1}(N_2)\}$ ;

  • if $[v]_\sim \notin N$ , then $[v.{\mathord{\mathtt{f}}}]_\sim \notin N$ .

We define the aliasing graph $G_1 \curlywedge G_2 = N \mathbin{\star} E \mathbin{\star} \ell$ where

  • $\ell: dom(\tau) \nrightarrow N$ such that $\ell(v)=[v]_\sim$ if $[v]_\sim \in N$ , $\ell(v)=\bot$ otherwise;

  • $S_1 \xrightarrow{{\mathord{\mathtt{f}}}} S_2 \in E$ iff there exists $v \in dom(\tau), v \in S_1$ s.t. $v.{\mathord{\mathtt{f}}} \in S_2$ .

The definition above is similar to the one for $\curlyvee$ : we start from defining an equivalence relation $\sim$ which propagates weak aliasing and we define $G_1 \curlywedge G_2$ whose nodes are equivalence classes of identifiers modulo $\sim$ . However, propagation of nullness is more complex. There are several situations which may force an identifier to be null.

  • It may be that $i_1 \sim i_2$ , but $i_2$ is null in either $G_1$ or $G_2$ . In this case, both $i_1$ and $i_2$ are forced to be null. This is the reason for the condition “ $[i]_{\sim} \subseteq \ell_1^{-1}(N_1) \cap \ell_2^{-1}(N_2)$ ” in the first clause of the definition for N.

  • Assume $\tau(i) = \kappa$ , $\tau(i_1)=\kappa_1$ , and $\tau(i_2)=\kappa_2$ , such that $\kappa_1 \leq \kappa$ , $\kappa_2 \leq \kappa$ with $\kappa_1$ and $\kappa_2$ incomparable. It may happen that $\ell_1(i)=\ell_1(i_1)$ and $\ell_2(i)=\ell_2(i_2)$ , which implies $i \sim i_1 \sim i_2$ . However, this forces i, $i_1$ , and $i_2$ to be null, since there is no object which is an element of both $\kappa_1$ and $\kappa_2$ . This is taken care of by the condition “ $\tau([i]_\sim)$ is a chain” in the first clause of the definition of N.

  • If variable v is forced to be null for one of the reasons above, then the fields of v cannot exist. This is taken care of by the second clause of the definition of N.

Example 47. Let us consider the following classes:

class A { A l; } class B extends A { A r; }

and the type environment $\tau = [a \mapsto \mathtt{A}, b \mapsto \mathtt{B}]$ . Figure 15 shows an example of glb of aliasing graphs.

Figure 15. Greatest lower bound of aliasing graphs.

The following theorem proves that $\curlyvee$ and $\curlywedge$ are actually the least upper bound and greatest lower bound of aliasing graphs.

Theorem 48. The preordered set $(\mathcal{G}_\tau, \preceq)$ has

  • a least element $\bot_\tau = \emptyset \mathbin{\star} \emptyset \mathbin{\star} \bot$ where $\bot$ is the always undefined map;

  • a greatest element $\top_\tau = I_\tau \mathbin{\star} E \mathbin{\star} {id}$ where $n_1 \xrightarrow{{\mathord{\mathtt{f}}}} n_2 \in E \iff n_1 = v \in dom(\tau) \wedge n_2= v.{\mathord{\mathtt{f}}} \in Q_\tau$ ;

  • a least upper bound $G_1 \curlyvee G_2$ for each $G_1, G_2 \in \mathcal{G}_\tau$ ;

  • a greatest lower bound $G_1 \curlywedge G_2$ for each $G_1, G_2 \in \mathcal{G}_\tau$ .

4.3 Projection

Several operations may be defined on aliasing graphs. Most of them will be introduced later, since they depend on the concrete semantics of our language. We introduce here only the operation of restricting a graph to a subset of its nodes.

Definition 49 (Projection) Given a pre-aliasing graph G and a set of nodes X, we denote by $G|_X$ the tuple $X \mathbin{\star} E' \mathbin{\star} \ell'$ where

\begin{equation*} E' = E \cap (X \times \mathord{\mathit{Ide}} \times X) \qquad \ell'(v) = \begin{cases} \ell(v) & \text{if $\ell(v) \in X$},\\ \bot & \text{otherwise} \end{cases} \end{equation*}

It is immediate to check that $G|_X$ is a pre-aliasing graph. Given a pre-aliasing graph $G = N \mathbin{\star} E \mathbin{\star} \ell$ , a set of nodes $X \subseteq N$ is said to be backward closed when, for each $n \in X$ , if there exists $n' \xrightarrow{{\mathord{\mathtt{f}}}} n \in E$ , then $n' \in X$ . Given a set of nodes X, we denote by $\overleftarrow X$ the smallest backward closed set of nodes containing X. Symmetrically, we define forward closed sets and the forward closure operator $\overrightarrow X$ .

It turns out that if X is backward closed, then $G|_X \preceq G$ . Moreover, if G is an aliasing graph, $G|_X$ is too. More precisely, the following hold:

Proposition 50. If $G \in \mathcal{G}_\tau$ and $X \subseteq N$ is backward closed, then $G|_X \in \mathcal{G}_\tau$ . Moreover, for each $n \in X$ , $\tau_{G|_X}(n)= \tau_G(n)$ and $\psi_{G|_X}(n) = \psi_G(n)$ .

Proposition 51. If G is a pre-aliasing graph and $X \subseteq N$ is backward closed, then $G|_X \preceq G$ .

We will come back to this point when we introduce the abstract semantics.

4.4 The domain of aliasing graphs

Given a concrete state $\sigma \in \Sigma_\tau$ , we may abstract it into an aliasing graph which conveys the relevant information.

Definition 52. Given $\sigma = \phi \mathbin{\star} \mu \in \Sigma_\tau$ , we define the abstraction of $\sigma$ as an aliasing graph $\alpha_a(\sigma) = G \in \mathcal{G}_\tau$ where

  • $N =\{ l \in \mathord{\mathit{Loc}} \mid \exists i \in I_\tau. \phi(i)=l \}$ ;

  • for each $v \in dom(\tau)$ , $\ell(v) = \phi(v)$ if $\phi(v) \neq {\mathord{\mathtt{null}}}$ , $\ell(v)=\bot$ otherwise;

  • $l \xrightarrow{{\mathord{\mathtt{f}}}} l' \in E$ iff there exists $v \in dom(\tau)$ such that $\ell(v)=l$ , $v.{\mathord{\mathtt{f}}} \in Q_\tau$ and $l.{\mathord{\mathtt{f}}}=l'$ .

The abstraction of a state $\sigma$ is essentially the representation of the environment and store as an aliasing graph, limited to the locations reachable from a qualified identifier.

The following proposition shows that the abstraction of a concrete state is an aliasing graph.

Proposition 53. Given $\sigma = \phi \mathbin{\star} \mu \in \Sigma_\tau$ , $G = \alpha_a(\sigma)$ is an aliasing graph and, for each $i \in I_\tau$ , $\ell(i)=\phi(i)$ if $\phi(i) \neq{\mathord{\mathtt{null}}}$ , $\ell(i)=\bot$ otherwise.

We say that $G \in \mathcal{G}_\tau$ is a correct abstraction of $\sigma=\phi \mathbin{\star} \mu \in \Sigma_\tau$ iff $\alpha_a(\sigma) \preceq G$ . Note that if $\alpha_a(\sigma) \preceq G$ and $G.\ell(i)=\bot$ , then $\phi(i) = {\mathord{\mathtt{null}}}$ , hence $\ell$ may actually be used to represent definite nullness. Moreover, if $G.\ell(i_1)=G.\ell(i_2)$ , then either $\phi(i_1)=\phi(i_2) \in \mathord{\mathit{Loc}}$ or $\phi(i_1)=\phi(i_2)={\mathord{\mathtt{null}}}$ . Hence, $\ell$ actually encodes definite weak aliasing between variables.

The following propositions show that each aliasing graph can be viewed as the abstraction of a concrete state.

Proposition 54. Given $G \in \mathcal{G}_\tau$ , there exists $\sigma \in \Sigma_\tau$ s.t. $\alpha_a(\sigma)$ and G are equivalent, that is, $\alpha_a(\sigma) \sim~G$ .

The map $\alpha_a$ of Definition 52 may be lifted to the abstraction map of a Galois insertion from $\mathcal{P}(\Sigma_\tau)$ to $\mathcal{G}_\tau$ given by $\alpha_a(S)= \curlyvee_{\sigma \in S} \alpha_a(\sigma)$ . The abstraction map induces the concretization map $\gamma_a: \mathcal{G}_\tau \rightarrow \mathcal{P}(\Sigma_\tau)$ , which maps aliasing graphs to the set of concrete states they represent. Its explicit definition, below, is straightforward:

\begin{equation*}\gamma_a(G) = \{ \sigma \in \Sigma_\tau \mid \alpha_a(\sigma) \preceq G \} .\end{equation*}

Theorem 55. The preorder $\preceq$ is the same preorder induced by $\gamma_a$ , that is, given $G_1, G_2 \in \mathcal{G}_\tau$ , $G_1\preceq G_2$ iff $\gamma_a(G_1) \subseteq \gamma_a(G_2)$ .

The above theorem may be considered the analogue of injectivity of $\gamma_a$ when the abstract domain is preordered instead of partially ordered. It allows one to prove that $\gamma_a(G_1) \subseteq\gamma_a(G_2)$ by just checking $G_1 \preceq G_2$ .

5. $\mathsf{ALPS}$ Graphs

Aliasing graphs are a very concrete representation of the part of the program state which is reachable from variables through a single field access. Pair sharing and linearity, instead, summarize global properties of the state. We want to add possible pair sharing and possible nonlinearity information to an aliasing graph.

Definition 56. (Pre- $\mathsf{ALPS}$ graph) A pre- $\mathsf{ALPS}$ graph $\mathbb{G} = G \mathbin{\star} \mathit{sh} \mathbin{\star} \mathit{nl}$ is an aliasing graph G with a set $\mathit{sh} \subseteq \{ \{n,m\} \mid n,m \in N \}$ and a set $\mathit{nl} \subseteq N$ .

When it is clear from the context, we denote $\mathbb{G}.G, \mathbb{G}.\mathit{sh}, \mathbb{G}.\mathit{nl}$ by $G, \mathit{sh}, \mathit{nl}$ and $\mathbb{G}_i.G, \mathbb{G}_i.\mathit{sh}, \mathbb{G}_i.\mathit{nl}$ by $G_i, \mathit{sh}_i, \mathit{nl}_i$ . Similarly for other variants of $\mathbb{G}$ .

The set $\mathit{sh}$ in a pre- $\mathsf{ALPS}$ graph encodes possible pair sharing, while $\mathit{nl}$ encodes possible nonlinearity. In particular, two identifiers $i, j \in I_\tau$ may share when $\{ \ell(i), \ell(j) \} \in \mathit{sh}$ , while i may be nonlinear when $\ell(i) \in \mathit{nl}$ . This suggests extending the preorder on aliasing graphs to $\mathsf{ALPS}$ graphs as follows:

Proposition 57. Pre- $\mathsf{ALPS}$ graphs are preordered by the relation $\preceq$ defined as:

\begin{equation*}\begin{split}\mathbb{G}_1 \preceq \mathbb{G}_2 \iff &G_1 \preceq G_2 \text{ and } \forall i \in I_\tau. \ \ell_1(i) \in \mathit{nl}_1 \Rightarrow \ell_2(i) \in \mathit{nl}_2\text{ and }\\&\quad \forall i,j \in I_\tau. \ \{\ell_1(i), \ell_1(j)\} \in \mathit{sh}_1 \Rightarrow \{\ell_2(i), \ell_2(j)\} \in \mathit{sh}_2 \enspace .\end{split}\end{equation*}

Not all the pre- $\mathsf{ALPS}$ graphs make sense, due to the way aliasing, nonlinearity, and sharing interact. In particular, some nonlinearity or sharing information is redundant, since it cannot happen in practice due to the class hierarchy under consideration: pairs $\{n,m\} \in \mathit{sh}$ such that classes $\tau_G(n)$ and $\tau_G(m)$ cannot share, or variables $n \in \mathit{nl}$ such that $\tau_G(n) \notin {NL}$ . This is formalized by the following:

Definition 58 (Graph compatibility) Given an aliasing graph $G \in \mathcal{G}_\tau$ , we say $\{n,m\} \subseteq N$ is G-SH-compatible if $(\tau_G(n) , \tau_G(m)) \in {SH}$ . We say $n \in N$ is G-NL-compatible if $\tau_G(n) \in {NL}$ . Sets $\mathit{sh} \subseteq \mathcal{P}_2(N)$ (and $\mathit{nl} \subseteq N$ ) are G-SH-compatible (G-NL-compatible) if all their elements are G-SH-compatible (G-NL-compatible).

We define a reduction operation which takes a pre- $\mathsf{ALPS}$ graph $\mathbb{G}$ and removes spurious sharing and nonlinearity information.

Definition 59. (Reduced pre- $\mathsf{ALPS}$ graphs) Given a pre- $\mathsf{ALPS}$ graph $\mathbb{G}$ , let $\mathit{sh}' \mathbin{\star} \mathit{nl}'$ be the sharing and nonlinearity information contained in $\mathit{sh} \mathbin{\star} \mathit{nl}$ which is G-SH-compatible and G-NL-compatible, respectively, that is,

\begin{align*} \mathit{sh}' &= \mathit{sh} \cap \{\{ n, m \} \in \mathcal{P}_2(N) \mid \{n,m\} \text{ is \textit{G}-SH-compatible} \} \enspace , \\ \mathit{nl}'&= \mathit{nl} \cap \{ n \mid n \text{ is \textit{G}-NL-compatible} \} \enspace . \end{align*}

We define the reduction of $\mathbb{G}$ to be the pre- $\mathsf{ALPS}$ graph $red(\mathbb{G})=G \mathbin{\star} \mathit{sh}' \mathbin{\star} \mathit{nl}'$ and we say that a pre- $\mathsf{ALPS}$ graph $\mathbb{G}$ is reduced if $red(\mathbb{G})=\mathbb{G}$ .

Moreover, some sharing and nonlinearity information can be derived from other information. For example, if n is a node in G, then $\{n\}$ should be in $\mathit{sh}$ , otherwise any identifier i s.t. $\ell(i)=n$ is forced to be ${\mathord{\mathtt{null}}}$ and G could be simplified by removing the node n.

Definition 60. (Closed pre- $\mathsf{ALPS}$ graphs) We define a pre- $\mathsf{ALPS}$ graph $\mathbb{G}=G \mathbin{\star} \mathit{sh} \mathbin{\star} \mathit{nl}$ closed when it satisfies all the following properties:

  (1) $n \in N \Rightarrow \{n\} \in \mathit{sh}$ ;

  (2) there is a loop in G involving n $\Rightarrow n \in \mathit{nl}$ ;

  (3) $\{ n,m \} \in \mathit{sh} \wedge n' \xrightarrow{{\mathord{\mathtt{f}}}} n \Rightarrow \{ n', m \} \in \mathit{sh}$ ;

  (4) $n \xrightarrow{{\mathord{\mathtt{f}}}_1} m_1$ , $n \xrightarrow{{\mathord{\mathtt{f}}}_2} m_2$ , ${\mathord{\mathtt{f}}}_1 \neq {\mathord{\mathtt{f}}}_2$ , $\{m_1, m_2 \} \in \mathit{sh} \Rightarrow n \in \mathit{nl}$ ;

  (5) $n \in \mathit{nl} \wedge n' \xrightarrow{{\mathord{\mathtt{f}}}} n \Rightarrow n' \in \mathit{nl}$ .

Point (1) is standard in sharing domains, since each non-null variable shares with itself. Point (2) expresses the fact that any variable in a loop cannot be linear. Point (5) means that $\mathit{nl}$ is backward closed, while Point (3) is the obvious generalization of backward closure to sharing pairs. Finally, Point (4) formalizes the fact that if two different fields of an object o share, then o is not linear.

Example 61 (Pre- $\mathsf{ALPS}$ graphs with loops) Consider the concrete state in Figure 16A. Locations $l_0$ and $l_1$ are nonlinear, since $l_0.{\mathord{\mathtt{r}}}.{\mathord{\mathtt{r}}}=l_0$ and $l_1.{\mathord{\mathtt{r}}}.{\mathord{\mathtt{r}}}=l_1$ . This state is correctly abstracted by the pre- $\mathsf{ALPS}$ graph $\mathbb{G}$ in Figure 16B, where nodes a and b are marked as nonlinear. On the contrary, the same concrete state is not correctly approximated by the pre- $\mathsf{ALPS}$ graph $\mathbb{G}'$ in Figure 16C, since the latter does not allow for the nonlinearity of a and b. Actually, the only concrete states which are correctly abstracted by $\mathbb{G}'$ are the ones where both a and b are null, since every other situation would violate either the aliasing constraints ( $a.{\mathord{\mathtt{r}}} = b$ and $b.{\mathord{\mathtt{r}}} =a$ ) or the linearity constraint. The pre- $\mathsf{ALPS}$ graph $\mathbb{G}$ is closed according to Definition 60, while $\mathbb{G}'$ is not, and it is essentially not used, since it may be replaced by the empty pre- $\mathsf{ALPS}$ graph.

Figure 16. Two pre- $\mathsf{ALPS}$ graphs with a loop and a concrete state which is in the concretization of the pre- $\mathsf{ALPS}$ graph $\mathbb{G}$ in Figure 16B.

We want to restrict our attention only to those pre- $\mathsf{ALPS}$ graphs which do not contain any spurious information and where all sharing and nonlinearity information is explicit.

Definition 62 ( $\mathsf{ALPS}$ graph) An $\mathsf{ALPS}$ graph $\mathbb{G}$ is a pre- $\mathsf{ALPS}$ graph which is reduced and closed. We denote by $\mathsf{ALPS}_\tau$ the set of $\mathsf{ALPS}$ graphs over the type environment $\tau$ .

5.1 Projection

Analogously to aliasing graphs, we define a projection operator for $\mathsf{ALPS}$ graphs.

Definition 63 (Projection of pre- $\mathsf{ALPS}$ graphs) Given a pre- $\mathsf{ALPS}$ graph $\mathbb{G}$ and $X \subseteq N$ backward closed, we denote by $\mathbb{G}|_X$ the pre- $\mathsf{ALPS}$ graph $G|_X \mathbin{\star} \mathit{sh}' \mathbin{\star} \mathit{nl}'$ where

\begin{equation*} \mathit{sh}' = \mathit{sh} \cap \mathcal{P}_2(X) \qquad \mathit{nl}' = \mathit{nl} \cap X \enspace . \end{equation*}

In the definition above, the hypothesis that X is backward closed is needed in order to ensure that $G|_X$ is an aliasing graph and not just a pre-aliasing graph. It is immediate to check that projection maps $\mathsf{ALPS}$ graphs to $\mathsf{ALPS}$ graphs. More specifically:

Proposition 64. If $\mathbb{G} \in \mathsf{ALPS}_\tau$ and $X \subseteq N$ is backward closed, then $\mathbb{G}|_X \in \mathsf{ALPS}_\tau$ .

Moreover, the following holds:

Proposition 65. If $\mathbb{G}$ is a pre- $\mathsf{ALPS}$ graph and $X \subseteq N$ is backward closed, then $\mathbb{G}|_X \preceq \mathbb{G}$ .

5.2 Up- and down-closures of pre- $\mathsf{ALPS}$ graphs

Given a pre- $\mathsf{ALPS}$ graph $\mathbb{G}$ , the up-closure of $\mathbb{G}$ is a new pre- $\mathsf{ALPS}$ graph, obtained by adding derived sharing and nonlinearity information to the $\mathit{sh}$ and $\mathit{nl}$ components. Moreover, if $\mathbb{G}$ is reduced (i.e., it does not contain spurious sharing and nonlinearity elements which are not G-SH-compatible and G-NL-compatible, respectively), then the up-closure of $\mathbb{G}$ is an $\mathsf{ALPS}$ graph.

Definition 66. (Up-closure of pre- $\mathsf{ALPS}$ graphs) Given a pre- $\mathsf{ALPS}$ graph $\mathbb{G}= G \mathbin{\star} \mathit{sh} \mathbin{\star} \mathit{nl}$ , we define the up-closure of $\mathbb{G}$ as the pre- $\mathsf{ALPS}$ graph $cl^{\uparrow}(\mathbb{G}) = G \mathbin{\star} \mathit{sh}' \mathbin{\star} \mathit{nl}'$ such that $\mathit{sh}' \mathbin{\star} \mathit{nl}'$ is the smallest pair, under the component-wise ordering, which contains $\mathit{sh} \mathbin{\star} \mathit{nl}$ and $G \mathbin{\star} \mathit{sh}' \mathbin{\star} \mathit{nl}'$ is closed.

It is immediate to see that the up-closure of a pre- $\mathsf{ALPS}$ graph $\mathbb{G}$ always exists and can be simply computed starting from $\mathit{sh} \mathbin{\star} \mathit{nl}$ and adding new elements according to the five properties in Definition 60. Note that the graph G does not change when computing the up-closure.

Symmetrically, we can define the down-closure as follows.

Definition 67. (Down-closure of pre- $\mathsf{ALPS}$ graphs) Given a pre- $\mathsf{ALPS}$ graph $\mathbb{G}$ , we define the down-closure of $\mathbb{G}$ as the pre- $\mathsf{ALPS}$ graph $cl^{\downarrow}(\mathbb{G})$ such that $cl^{\downarrow}(\mathbb{G})$ is the greatest pre- $\mathsf{ALPS}$ graph smaller than or equal to $\mathbb{G}$ and such that $cl^{\downarrow}(\mathbb{G})$ is closed.

Note that, differently from the up-closure, when computing the down-closure the graph G can possibly change, since some nodes could be removed. The next theorem shows how to compute the down-closure.

Theorem 68. Given a pre- $\mathsf{ALPS}$ graph $\mathbb{G}= G \mathbin{\star} \mathit{sh} \mathbin{\star} \mathit{nl}$ , the down-closure $cl^{\downarrow}(\mathbb{G})$ can be computed as follows. Let $\mathit{sh}^* \mathbin{\star} \mathit{nl}^*$ be the greatest pair, under the component-wise ordering, such that

  (1) $\mathit{nl}^*= \mathit{nl} \setminus \{n \mid m \not\in \mathit{nl}^* \wedge m \xrightarrow{{\mathord{\mathtt{f}}}} n \in E\}$ ;

  (2) $\mathit{sh}^* = \mathit{sh} \setminus \{ \{m_1, m_2 \} \mid n \not\in \mathit{nl}^*, n \xrightarrow{{\mathord{\mathtt{f}}}_1} m_1 \in E, n \xrightarrow{{\mathord{\mathtt{f}}}_2} m_2 \in E, {\mathord{\mathtt{f}}}_1 \neq {\mathord{\mathtt{f}}}_2\} \setminus \{\{ n, m \} \mid \{ n',m \} \not\in \mathit{sh}^* \wedge n' \xrightarrow{{\mathord{\mathtt{f}}}} n \in E \}$ .

Then, we have that

\begin{equation*}cl^{\downarrow}(\mathbb{G}) = (G \mathbin{\star} \mathit{sh}^* \mathbin{\star} \mathit{nl}^*)|_{N\setminus \overrightarrow X}\end{equation*}

where $X=\{n \mid n\not\in \mathit{nl}^*$ , there is a loop in G such that $n \xrightarrow{{\mathord{\mathtt{f}}}_1} \cdots \xrightarrow{{\mathord{\mathtt{f}}}_k} n \in E\} \cup \{n \mid \{n\} \not\in \mathit{sh}^*\}$ . Moreover, if $\mathbb{G}$ is reduced, that is, closed w.r.t. $red$ , then $cl^{\downarrow}(\mathbb{G})$ is an $\mathsf{ALPS}$ graph.

The down-closure shows the interaction between the three components of aliasing (which is encoded in the graph structure), sharing, and nonlinearity. It precisely describes how linearity and sharing information propagate to the other components.

The first point states that whenever a node m is linear, then all its children are linear too. The second point explains the interaction between sharing and linearity: when a node n is linear, then its children cannot share. Moreover, when a node $n'$ does not share with a node m, the same holds for the children of $n'$ . Note that, whenever a node in a loop of the graph is linear, then all the nodes in the loop and all their children must be null. This is reflected in the projection on $N \setminus \overrightarrow X$ .
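The up-closure of Definition 66 (the five properties of Definition 60 applied until nothing changes) and the down-closure of Theorem 68 (the greatest fixpoint of its two equations, followed by the projection away from $\overrightarrow X$), as an added Python example that is not the paper's code. The graph encoding (node names, `(src, field, dst)` edge triples, `frozenset` sharing pairs) and the sample graph modelled on Figure 16 are assumptions of this example.

```python
# Added example, not the paper's implementation.  A pre-ALPS graph is modelled
# as (nodes, edges, ell, sh, nl): nodes is a set of node names, edges a set of
# (src, field, dst) triples, ell maps variables to nodes (None = definitely
# null), sh a set of frozensets of one or two nodes, nl a set of nodes.
from itertools import product

def successors(edges, n):
    return {dst for (src, _f, dst) in edges if src == n}

def forward_closure(edges, start):
    """Smallest superset of `start` closed under following edges (the arrow X)."""
    seen, todo = set(start), list(start)
    while todo:
        for m in successors(edges, todo.pop()):
            if m not in seen:
                seen.add(m)
                todo.append(m)
    return seen

def on_loop(edges, n):
    """True when n lies on a loop, i.e. n reaches itself through >= 1 edge."""
    return n in forward_closure(edges, successors(edges, n))

def partner(pair, n):
    """Other member of the sharing pair {n, m}; for the singleton {n} it is n."""
    return next(iter(pair - {n}), n)

def up_closure(nodes, edges, sh, nl):
    """cl^up: least (sh', nl') containing (sh, nl) that satisfies closure
    properties (1)-(5); the aliasing graph G itself is left unchanged."""
    sh, nl = set(sh), set(nl)
    for n in nodes:
        sh.add(frozenset({n}))                  # (1) every node shares with itself
        if on_loop(edges, n):
            nl.add(n)                           # (2) a node on a loop is nonlinear
    changed = True
    while changed:
        changed = False
        for (src, _f, dst) in edges:
            for pair in list(sh):               # (3) {n,m} in sh, n' -f-> n => {n',m} in sh
                if dst in pair:
                    new = frozenset({src, partner(pair, dst)})
                    if new not in sh:
                        sh.add(new)
                        changed = True
            if dst in nl and src not in nl:     # (5) nl is backward closed
                nl.add(src)
                changed = True
        for (s1, f1, d1), (s2, f2, d2) in product(edges, edges):
            if s1 == s2 and f1 != f2 and frozenset({d1, d2}) in sh and s1 not in nl:
                nl.add(s1)                      # (4) sharing children => nonlinear parent
                changed = True
    return sh, nl

def project(nodes, edges, ell, sh, nl, keep):
    """G|_keep: every component restricted to the node set `keep`."""
    return (nodes & keep,
            {e for e in edges if e[0] in keep and e[2] in keep},
            {v: (n if n in keep else None) for v, n in ell.items()},
            {p for p in sh if p <= keep},
            nl & keep)

def down_closure(nodes, edges, ell, sh, nl):
    """cl^down: greatest (sh*, nl*) below (sh, nl) satisfying the two equations
    (computed by removing violations until stable), then the projection onto
    N minus the forward closure of the nodes X that are forced to be null."""
    sh, nl = set(sh), set(nl)
    changed = True
    while changed:
        changed = False
        for (src, _f, dst) in edges:
            if src not in nl and dst in nl:     # (1) children of a linear node are linear
                nl.discard(dst)
                changed = True
            for pair in list(sh):               # (2) n shares with m only if its parent does
                if dst in pair and frozenset({src, partner(pair, dst)}) not in sh:
                    sh.discard(pair)
                    changed = True
        for (s1, f1, d1), (s2, f2, d2) in product(edges, edges):
            if s1 == s2 and f1 != f2 and s1 not in nl and frozenset({d1, d2}) in sh:
                sh.discard(frozenset({d1, d2}))  # (2) distinct fields of a linear node do not share
                changed = True
    forced_null = {n for n in nodes             # the set X of the theorem
                   if frozenset({n}) not in sh or (n not in nl and on_loop(edges, n))}
    return project(nodes, edges, ell, sh, nl, nodes - forward_closure(edges, forced_null))

# Constructed input modelled on Figure 16: variables a, b with a.r = b and b.r = a.
NODES16 = {"a", "b"}
EDGES16 = {("a", "r", "b"), ("b", "r", "a")}
ELL16 = {"a": "a", "b": "b"}

if __name__ == "__main__":
    SH16, NL16 = up_closure(NODES16, EDGES16, set(), set())   # the closed graph of Fig. 16B
    print(sorted(map(sorted, SH16)), sorted(NL16))
    # Declaring a and b linear (as in Fig. 16C) forces both to be null: the graph collapses.
    print(down_closure(NODES16, EDGES16, ELL16, SH16, set()))
```

Running the script prints the sharing pairs and nonlinear nodes of the closed graph, then the empty graph obtained when the loop is declared linear.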

Example 69. Figure 17 shows the aliasing graph G and the $\mathsf{ALPS}$ graph $\mathbb{G} = G \mathbin{\star} \mathit{sh} \mathbin{\star} \mathit{nl}$ where

\begin{equation*} \mathit{sh}=\{ \{a b\}, \{c\}, \{a.{\mathord{\mathtt{r}}}\,c.{\mathord{\mathtt{l}}}\}, \{c.{\mathord{\mathtt{r}}}\}, \{a b, a.{\mathord{\mathtt{r}}}\,c.{\mathord{\mathtt{l}}} \}, \{c, a.{\mathord{\mathtt{r}}}\,c.{\mathord{\mathtt{l}}} \}, \{c, c.{\mathord{\mathtt{r}}} \}, \{ab, c\} \} \end{equation*}
\begin{equation*} \mathit{nl}=\{ c, c.{\mathord{\mathtt{r}}} \} \end{equation*}

In Figure 17B, nonlinearity is represented with a double circle, while sharing information is represented as follows:

  • the sharing information of the singletons $\{a b\}, \{c\}, \{a.{\mathord{\mathtt{r}}}\,c.{\mathord{\mathtt{l}}}\}, \{c.{\mathord{\mathtt{r}}}\}$ can be deduced from the existence of the nodes in the aliasing graph;

  • the sharing information of a node with its field, for example, $\{c, c.{\mathord{\mathtt{r}}} \}$ , can be deduced from the corresponding edge $c \xrightarrow{{\mathord{\mathtt{r}}}} c.{\mathord{\mathtt{r}}}$ in the aliasing graph;

  • additional sharing information is represented with a dotted line, for example, between the nodes a b and c.

Figure 17. Example of an $\mathsf{ALPS}$ graph.

5.3 The lattice of $\mathsf{ALPS}$ graphs

In order to define an abstract domain of $\mathsf{ALPS}$ graphs, we start by defining the least upper bound $\mathbb{G}_1 \curlyvee \mathbb{G}_2$ and greatest lower bound $\mathbb{G}_1 \curlywedge \mathbb{G}_2$ of $\mathsf{ALPS}$ graphs.

We use morphisms when we need to combine sharing and nonlinearity information coming from different graphs with different sets of nodes.

Definition 70. Let $\mathbb{G}_1$ and $\mathbb{G}_2$ be $\mathsf{ALPS}$ graphs. We define $\mathbb{G}= \mathbb{G}_1 \curlyvee \mathbb{G}_2$ as:

  • $G=G_1 \curlyvee G_2$ , with morphisms $h_1: G \rightarrow G_1$ and $h_2: G \rightarrow G_2$ ;

  • $\mathit{sh}= h_1^{-1}(\mathit{sh}_1) \cup h_2^{-1}(\mathit{sh}_2)$ and

  • $\mathit{nl} =h_1^{-1}(\mathit{nl}_1) \cup h_2^{-1}(\mathit{nl}_2)$ .

Example 71. Consider the $\mathsf{ALPS}$ graphs in Figure 18A and B. For ease of notation, we assume a node to be denoted by its label. The morphisms $h_1: G_1 \curlyvee G_2 \rightarrow G_1$ and $h_2: G_1 \curlyvee G_2 \rightarrow G_2$ are defined as follows:

\begin{equation*}h_1=[a \mapsto a b, b \mapsto a b, a.{\mathord{\mathtt{l}}} \mapsto a.{\mathord{\mathtt{l}}} ]\end{equation*}
\begin{equation*}h_2=[a \mapsto a, b \mapsto b, a.{\mathord{\mathtt{r}}} \mapsto a.{\mathord{\mathtt{r}}} ]\end{equation*}

We have that:

Figure 18. Least upper bound of $\mathsf{ALPS}$ graphs.

Definition 72. Let $\mathbb{G}_1$ and $\mathbb{G}_2$ be $\mathsf{ALPS}$ graphs. We define $\mathbb{G} = \mathbb{G}_1 \curlywedge \mathbb{G}_2$ as $\mathbb{G}=cl^{\downarrow}(\mathbb{G}')$ , where

  • $G' = G_1 \curlywedge G_2$ with morphisms $h_1:G_1 \rightarrow G'$ and $h_2: G_2 \rightarrow G'$ ;

  • $\mathit{sh}' = \{ \{n,m\} \in \mathcal{P}_2(N) \mid \forall k \in \{1,2\}\ h_k^{-1}(\{\{n,m\}\}) \subseteq \mathit{sh}_k \}$ ;

  • $\mathit{nl}' = \{ n \in N \mid \forall k \in \{1,2\}\ h_k^{-1}(n) \subseteq\mathit{nl}_k \}$ .

Example 73. Consider the $\mathsf{ALPS}$ graphs in Figure 19A and B. For ease of notation, we assume a node to be denoted by its label. The morphisms $h_1: G_1 \rightarrow G_1 \curlywedge G_2 $ and $h_2: G_2 \rightarrow G_1 \curlywedge G_2 $ are defined as follows:

\begin{align*}h_1 & =[ ab \mapsto a b, b.{\mathord{\mathtt{r}}} \mapsto b.{\mathord{\mathtt{r}}}]\\ h_2 & =[a \mapsto a b, b \mapsto a b, b.{\mathord{\mathtt{r}}} \mapsto b.{\mathord{\mathtt{r}}} ]\end{align*}

We have that:

Figure 19. Greatest lower bound of $\mathsf{ALPS}$ graphs.

Theorem 74. The preordered set of $\mathsf{ALPS}$ graphs has

  • a least element $\bot_\tau \mathbin{\star} \emptyset \mathbin{\star} \emptyset$ ;

  • a greatest element $\top_\tau \,\mathbin{\star} \,\mathit{sh} \,\mathbin{\star} \, \mathit{nl}$ , where

      • $\mathit{sh} = \{\{ n, m \} \in \mathcal{P}_2(I_\tau) \mid (\tau(n),\tau(m)) \in {SH}\}$ and

      • $\mathit{nl} = \{ n \in I_\tau \mid \tau(n) \in {NL}\}$ ;

  • a least upper bound $\mathbb{G}_1 \curlyvee \mathbb{G}_2$ for each pair $\mathbb{G}_1$ and $\mathbb{G}_2$ of $\mathsf{ALPS}$ graphs;

  • a greatest lower bound $\mathbb{G}_1 \curlywedge \mathbb{G}_2$ for each pair $\mathbb{G}_1$ and $\mathbb{G}_2$ of $\mathsf{ALPS}$ graphs.

With an abuse of language, we denote the top and bottom of $\mathsf{ALPS}$ graphs for the type environment $\tau$ with $\top_{\tau}$ and $\bot_\tau$ , which are the same symbols used for aliasing graphs. We omit the index $\tau$ when it is clear from, or not relevant in, the context.

5.4 The domain of $\mathsf{ALPS}$ graphs

Given a concrete state $\sigma \in \Sigma_\tau$ , we may abstract it into an $\mathsf{ALPS}$ graph which conveys the relevant information.

Definition 75 (Abstraction map on $\mathsf{ALPS}$ graph) Given $\sigma \in \Sigma_\tau$ , we define the abstraction $\alpha: \Sigma_\tau \rightarrow \mathsf{ALPS}$ as $\alpha(\sigma)= \alpha_a(\sigma) \mathbin{\star} \mathit{sh} \mathbin{\star}\mathit{nl}$ where

\begin{align*}\mathit{sh} &= \{ \{l_1, l_2\} \subseteq N \mid l_1 \text{ and } l_2 \text{ share in } \sigma \} \enspace ,\\\mathit{nl} &= \{ l \in N \mid l \text { is not linear in } \sigma \} \enspace .\end{align*}

We say $\mathbb{G}$ is a correct abstraction of $\sigma$ when $\alpha(\sigma) \preceq \mathbb{G}$ .

The abstraction of a state $\sigma$ is essentially the representation of the environment and store as an $\mathsf{ALPS}$ graph, limited to the locations reachable from a qualified identifier.

Given $\sigma \in \Sigma_\tau$ and $\alpha(\sigma) \preceq \mathbb{G}$ , if $i_1, i_2 \in I_\tau$ share in $\sigma$ , then $\{\mathbb{G}.\ell(i_1), \mathbb{G}.\ell(i_2)\} \in \mathbb{G}.\mathit{sh}$ . Moreover, if $i \in I_\tau$ is nonlinear in $\sigma$ , then $\mathbb{G}.\ell(i) \in \mathbb{G}.\mathit{nl}$ . Hence, $\mathbb{G}$ actually encodes possible sharing and nonlinearity among variables and fields.

We may define a concretization map $\gamma: \mathsf{ALPS}_\tau \rightarrow \mathcal{P}(\Sigma_\tau)$ which maps $\mathsf{ALPS}$ graphs to the set of concrete states they represent as $\gamma(\mathbb{G}) = \{ \sigma \in \Sigma_\tau \mid \alpha(\sigma) \preceq \mathbb{G} \}$ . If we lift the map $\alpha$ in Definition 75 to an additive map $\alpha: \mathcal{P}(\Sigma_\tau) \rightarrow \mathsf{ALPS}_\tau$ as $\alpha(S)= \curlyvee_{\sigma \in S} \alpha(\sigma)$ , then $\alpha$ and $\gamma$ form a Galois connection.

Proposition 76. (Concretization of $\mathsf{ALPS}$ graphs) The concretization map induced by the abstraction map $\alpha$ satisfies the following property:

\begin{equation*}\begin{split}\gamma(\mathbb{G}) = \big\{ \sigma \in \Sigma_\tau \mid\ & \sigma \in\gamma_a(G), \\& \forall i \in I_\tau.\ i \text{ nonlinear in } \sigma \Rightarrow \ell(i) \in \mathit{nl},\\& \forall i,i' \in I_\tau.\ i \text{ shares with } i' \text{ in } \sigma\Rightarrow \{ \ell(i), \ell(i')\} \in \mathit{sh} \big\} \enspace .\end{split}\end{equation*}

Note that $\mathsf{ALPS}$ -graphs do not form a Galois insertion with concrete states, as shown in the following example.

Example 77 ( $\mathsf{ALPS}$ -graphs do not form a Galois insertion) Consider the following set of classes:

class A { C f; } class B { C g; } class C { }

Since all classes may share among them, we have $SH=\{ (\kappa, \kappa') \mid \kappa, \kappa' \in \{A, B, C\} \}$ . Let $\tau$ be the type environment $\tau=\{ x \mapsto A, y \mapsto B \}$ and consider the $\mathsf{ALPS}$ -graph $\mathbb{G}$ given by:

It turns out that there is no set of states S such that $\alpha(S)=\mathbb{G}$ . This is because, due to the set of classes we have available, x and y may only share through the class C, that is, through the fields ${\mathord{\mathtt{f}}}$ and ${\mathord{\mathtt{g}}}$ . But according to $\mathbb{G}$ , ${\mathord{\mathtt{f}}}$ and ${\mathord{\mathtt{g}}}$ should be ${\mathord{\mathtt{null}}}$ , making sharing impossible. Therefore, $\alpha$ is not surjective and $\langle \alpha, \gamma \rangle$ is a Galois connection but not a Galois insertion.

Obtaining a Galois insertion would require the addition of new closure conditions on $\mathsf{ALPS}$ graphs. This is possible, but would make the definitions more cumbersome, and we have decided not to follow this line. While Galois insertions are more theoretically appealing, since they do not contain redundant abstract elements, precise and efficient analyses can be obtained even without them. In the literature on numerical abstract domains (Cousot and Cousot 1976; Amato and Scozzari 2012) there are many examples of analyses which do not form a Galois insertion, and not even a Galois connection, such as the polyhedral analysis of imperative programs (Cousot and Halbwachs 1978) and the parallelotope abstract domain (Amato et al. 2017), which nonetheless enjoy interesting completeness properties (Amato and Scozzari 2011).

In the next section, we will define the necessary operations on the domain of $\mathsf{ALPS}$ graphs in order to define an abstract semantics for sharing analysis. Note that, since the abstract domain is finite, we do not need a widening operator to ensure the termination of the analysis.

6. An Abstract Semantics on $\mathsf{ALPS}$

We present the abstract semantics on the domain $\mathsf{ALPS}_\tau$ . We provide a correct abstract counterpart for each concrete operator in the standard semantics. The abstract counterpart of an interpretation is an $\mathsf{ALPS}$ interpretation, defined as follows.

Definition 78. An $\mathsf{ALPS}$ interpretation I maps methods to total functions such that $I({\kappa.{\mathord{\mathtt{m}}}}):\mathsf{ALPS}_{\mathit{input}(\kappa.{\mathord{\mathtt{m}}})}\to \mathsf{ALPS}_{\mathit{output}(\kappa.{\mathord{\mathtt{m}}})}$ for each method $\kappa.{\mathord{\mathtt{m}}}$ .

6.1 Auxiliary operators

First of all, we introduce some auxiliary operators which will be used later in the abstract semantics for commands and expressions.

6.1.1 Pruning

Given a triple $\mathbb{G} = G \mathbin{\star} \mathit{sh} \mathbin{\star} \mathit{nl}$ (not necessarily an $\mathsf{ALPS}$ graph), the operation $\textsf{prune}$ removes extraneous nodes and adds inferred information:

\begin{equation*}\textsf{prune}(\mathbb{G})=cl^{\uparrow}(\mathbb{G}|_{N'})\end{equation*}

where $N' = \{\ell(w)\mid w\in dom(\tau)\} \cup \{n\mid w\in dom(\tau),\ell(w) \xrightarrow{{\mathord{\mathtt{f}}}} n\in E, {\mathord{\mathtt{f}}} \in dom(\tau(w)) \}$ .

6.1.2 Restriction

Consider the operation on concrete states which, given $S \subseteq \Sigma_\tau$ and a set of variables $V \subseteq dom(\tau)$ , returns the set of states in S restricted to the variables in V, that is,

\begin{equation*}S_{\Vert V} = \{\phi|_{V} \mathbin{\star} \mu \mid \phi \mathbin{\star} \mu \in S \} \subseteq\Sigma_{\tau|_{V}}\enspace .\end{equation*}

Starting from a correct abstraction $\mathbb{G} \in\mathsf{ALPS}_\tau$ of the set of states S, we would like to define a new abstraction $\mathbb{G}' \in \mathsf{ALPS}_{\tau|_{V}}$ which correctly approximates $S_{\Vert V}$ .

Definition 79 (Abstract restriction) Given $\mathbb{G} \in \mathsf{ALPS}_\tau$ and $V \subseteq dom(\tau)$ , we define $\mathbb{G}_{\Vert V} = \textsf{prune}( N \mathbin{\star} E \mathbin{\star} \ell |_{V} \mathbin{\star} \mathit{sh} \mathbin{\star} \mathit{nl})\enspace .$

Let $W=V \cup \{v.{\mathord{\mathtt{f}}} \in Q_\tau \mid v \in V\}$ and let $\mathbb{G}_{\Vert V}= N' \mathbin{\star} E' \mathbin{\star} \ell' \mathbin{\star} \mathit{sh}' \mathbin{\star} \mathit{nl}'$ . Since $\ell'$ is obtained by restricting $\ell$ to the variables in V, we have that for any $x \in dom(\tau) \setminus V$ , $\ell'(x)=\ell| _{V} (x)=\bot$ . Then for each $n' \in N'$ , ${\ell'}^{-1} (n') \subseteq W$ , and all the nodes in $\mathbb{G}$ which are not the image of a qualified identifier in W are removed from the graph. By construction and since $\mathbb{G} \in \mathsf{ALPS}_\tau$ , we have that $N'$ is backward closed and $\mathbb{G}_{\Vert V} \in \mathsf{ALPS}_{\tau|_{V}}$ .

Proposition 80. For each $\mathbb{G} \in \mathsf{ALPS}_\tau$ and $V\subseteq dom(\tau)$ , $\gamma(\mathbb{G})_{\Vert V} \subseteq \gamma(\mathbb{G}_{\Vert V})$ .

6.1.3 Nullness propagation

Consider the operation on concrete states which, given $S \subseteq \Sigma_\tau$ and an identifier $i \in I_\tau$ , returns the subset of those states in S where i is ${\mathord{\mathtt{null}}}$ , that is,

\begin{equation*}S_{|i={\mathord{\mathtt{null}}}} = \{ \sigma = \phi \mathbin{\star} \mu \in S \mid \phi(i) = {\mathord{\mathtt{null}}} \} \enspace .\end{equation*}

If $\mathbb{G}$ is a correct abstraction of S, it is also a correct abstraction of $S_{|i={\mathord{\mathtt{null}}}}$ , but we would like to refine $\mathbb{G}$ into a more precise abstract state which still correctly approximates $S_{|i={\mathord{\mathtt{null}}}}$ . This suggests the following definition.

Definition 81 (Abstract nullness propagation) Given $\mathbb{G} \in \mathsf{ALPS}_\tau$ and an identifier $i \in I_\tau$ , we define $\mathbb{G}_{|i={\mathord{\mathtt{null}}}} = \mathbb{G}|_{N_v}$ where $N_v = N \setminus \overrightarrow{\{\ell(i)\}}$ .

In $\mathbb{G}_{|i={\mathord{\mathtt{null}}}}$ , since the identifier i is forced to be ${\mathord{\mathtt{null}}}$ , all the nodes reachable from i need to be removed from the graph since they do not really exist. Given that $N \setminus \overrightarrow{\{\ell(i)\}}$ is backward closed, we know from Propositions 64 and 65 that $\mathbb{G}_{|i={\mathord{\mathtt{null}}}}$ is an $\mathsf{ALPS}$ graph and $\mathbb{G}_{|i={\mathord{\mathtt{null}}}} \preceq \mathbb{G}$ .

Nullness propagation is a special case of greatest lower bound between $\mathsf{ALPS}$ graphs, as proved in the following:

Proposition 82. For each $\mathbb{G} \in \mathsf{ALPS}_\tau$ and $i \in I_\tau$ , $\mathbb{G}_{|i={\mathord{\mathtt{null}}}} = \mathbb{G} \curlywedge \top_{|i={\mathord{\mathtt{null}}}}$ .

In turn, this allows us to prove that:

Proposition 83. For each $\mathbb{G} \in \mathsf{ALPS}_\tau$ and $i \in I_\tau$ , $\gamma(\mathbb{G})_{|i={\mathord{\mathtt{null}}}} \subseteq \gamma(\mathbb{G}_{|i={\mathord{\mathtt{null}}}})$ .

In the rest of the paper, given $i, j \in I_\tau$ , we use $\mathbb{G}_{|i={\mathord{\mathtt{null}}}, j={\mathord{\mathtt{null}}}}$ as a short form for $(\mathbb{G}_{|i={\mathord{\mathtt{null}}}})_{|j={\mathord{\mathtt{null}}}}$ .

6.1.4 Restriction to aliasing

Consider the operation on concrete states which, given $S \subseteq \Sigma_\tau$ and two variables v, w, returns the subset of those states in S where v is weakly aliased with w, that is,

\begin{equation*}S_{|v=w} = \{ \sigma = \phi \mathbin{\star} \mu \in S \mid \phi(v) = \phi(w) \} \enspace .\end{equation*}

Similarly to what we have done in the previous section, we aim to determine a correct approximation of $S_{|v=w}$ . Given $\mathbb{G} \in \mathsf{ALPS}_\tau$ , we define

\begin{equation*}\mathbb{G}_{|v=w} = \mathbb{G} \curlywedge \top_{v=w}\end{equation*}

where

\begin{equation*}\top_{v=w} = \begin{cases}\textsf{prune}(\top.N \mathbin{\star} \top.E \mathbin{\star} \top.\ell[w \mapsto v] \mathbin{\star} \top.\mathit{sh} \mathbin{\star} \top.\mathit{nl}) &\text{if $\tau(v)\leq \tau(w)$;}\\\textsf{prune}(\top.N \mathbin{\star} \top.E \mathbin{\star} \top.\ell[v \mapsto w] \mathbin{\star} \top.\mathit{sh} \mathbin{\star} \top.\mathit{nl})&\text{if $\tau(w) < \tau(v)$;}\\\top_{|v={\mathord{\mathtt{null}}}, w={\mathord{\mathtt{null}}}} & \text{otherwise.}\end{cases}\end{equation*}

Proposition 84. For each $\mathbb{G} \in \mathsf{ALPS}_\tau$ and $v, w \in dom(\tau)$ , $\gamma(\mathbb{G})_{|v=w} \subseteq \gamma(\mathbb{G}_{|v=w})$ .

In the rest of the paper, we will use $\mathbb{G}_{|v_1=w_1,\ldots,v_n=w_n}$ as a shorthand for $((\mathbb{G}_{|v_1=w_1})\ldots)_{|v_n=w_n}$ .

6.2 Abstract semantics for expressions

The abstract semantics specifies how each expression $\mathit{exp}$ transforms input abstract states $\mathbb{G} = N \mathbin{\star} E \mathbin{\star} \ell \mathbin{\star} \mathit{sh} \mathbin{\star} \mathit{nl}$ into final abstract states $\mathbb{G}' = N' \mathbin{\star} E' \mathbin{\star} \ell' \mathbin{\star} \mathit{sh}' \mathbin{\star}\mathit{nl}'$ where ${\mathord{\mathtt{res}}}$ holds the $\mathit{exp}$ ’s value. Abstract semantics for expressions (and later commands) is given compositionally on their syntax.

Definition 85. Let $\tau$ describe the variables in scope and I be an $\mathsf{ALPS}$ interpretation. Figure 20 defines the $\mathsf{ALPS}$ semantics for expressions (except method calls) $\mathcal{S\!E}_{{\tau}}^{I}\unicode{x0301A}{\mathit{exp}}\unicode{x0301B}:\mathsf{ALPS}_\tau\to\mathsf{ALPS}_{\tau+\mathit{exp}}$ .

Figure 20. The $\mathsf{ALPS}$ interpretation for expressions.

We briefly explain the behavior of the abstract semantic operators with respect to the corresponding concrete ones. The concrete semantics of ${\mathord{\mathtt{null}}}\ \kappa$ stores ${\mathord{\mathtt{null}}}$ in the variable ${\mathord{\mathtt{res}}}$ . Therefore, in the abstract semantics, we only need to add the new variable ${\mathord{\mathtt{res}}}$ into the type environment, without modifying the abstract state.

The concrete semantics of $\mathtt{new} \ \kappa$ stores in ${\mathord{\mathtt{res}}}$ a reference to a new object o, whose fields are ${\mathord{\mathtt{null}}}$ . The other variables do not change. Since o is only reachable from ${\mathord{\mathtt{res}}}$ , variable ${\mathord{\mathtt{res}}}$ shares with itself only and is clearly linear. Therefore, we only need to add a new node labeled with ${\mathord{\mathtt{res}}}$ and the corresponding sharing singleton, without affecting nonlinearity information.

The concrete semantics of v simply makes ${\mathord{\mathtt{res}}}$ an alias for v. Since the types of v and ${\mathord{\mathtt{res}}}$ coincide, we only need to add the variable v to the same node of ${\mathord{\mathtt{res}}}$ . The other variables are unchanged.

When $v={\mathord{\mathtt{null}}}$ , then $\mathtt{(}\kappa\mathtt{)}v$ behaves like ${\mathord{\mathtt{null}}}\ \kappa$ . If $\kappa$ and the type of v are not compatible, then $\mathtt{(}\kappa\mathtt{)}v$ only returns a nonfailed state when $v={\mathord{\mathtt{null}}}$ . Therefore, in the abstract semantics, $\mathtt{(}\kappa\mathtt{)}v$ restricts the input graph $\mathbb{G}$ to those states where $v={\mathord{\mathtt{null}}}$ . In the other cases, the cast $\mathtt{(}\kappa\mathtt{)}v$ stores in ${\mathord{\mathtt{res}}}$ the value of v. We use an auxiliary operator $add(\mathbb{G},n,\kappa)$ , explained in the following section, which adds the label ${\mathord{\mathtt{res}}}$ to the node n, and possibly adds new nodes for the fields of ${\mathord{\mathtt{res}}}$ which are not fields of $\psi_G(n)$ . In this case, we can exploit the notion of linearity. In fact, when v is linear, we know that fields of ${\mathord{\mathtt{res}}}$ cannot share with each other and are linear.

The concrete semantics of $v.{\mathord{\mathtt{f}}}$ stores in ${\mathord{\mathtt{res}}}$ the value of the field ${\mathord{\mathtt{f}}}$ of v, provided v is not ${\mathord{\mathtt{null}}}$ . When $v.{\mathord{\mathtt{f}}}$ is not ${\mathord{\mathtt{null}}}$ , this essentially amounts to the same procedure of the previous case.

6.2.1 Assignment to a node

The auxiliary operator $add(\mathbb{G}, n, \kappa)$ adds a new variable ${\mathord{\mathtt{res}}}$ of type $\kappa$ as an alias of the node $n \in N$ . The operator also adds children of ${\mathord{\mathtt{res}}}$ when needed to have an $\mathsf{ALPS}$ graph.

\begin{equation*}add(\mathbb{G},n,\kappa) = \begin{cases} \bot & \text{if $\{\tau_G(n), \kappa\}$ is not a chain}\\ cl^{\uparrow}(\mathbb{G}')& \text{otherwise}\end{cases}\end{equation*}

Given $\mathbb{G} = G \mathbin{\star} \mathit{sh} \mathbin{\star} \mathit{nl}$ , in order to define $\mathbb{G}'$ , let $\kappa' = \psi_{G} (n)$ be the inferred type for node n in $\mathbb{G}$ (from variables only) and $F' = dom (\kappa)\setminus dom (\kappa') = \{{\mathord{\mathtt{f}}}_1,\ldots,{\mathord{\mathtt{f}}}_m \}$ be the set of the new fields in class $\kappa$ which are not currently considered in $\mathbb{G}$ ; let also $\{n_{{\mathord{\mathtt{f}}}_1},\ldots, n_{{\mathord{\mathtt{f}}}_m} \}$ be a set of fresh nodes, that is, such that $\{n_{{\mathord{\mathtt{f}}}_1},\ldots, n_{{\mathord{\mathtt{f}}}_m} \} \cap N=\emptyset$ ; then:

The definition of G' is straightforward: we just add the new nodes as children of node n, each one pointed to through the corresponding field in F'. If n is nonlinear, then all new nodes are nonlinear, all new nodes share among themselves and with any other node n' sharing with n. This procedure might add spurious sharing or nonlinearity information: we solve this problem by filtering with SH and NL.

When n is linear, then all new nodes are linear, do not share among themselves, and do not share with any node n' reachable from n through a nonempty sequence of fields $ {\mathord{\mathtt{f}}}'_1, \ldots, {\mathord{\mathtt{f}}}'_k$ in E, but share with all the other nodes sharing with n.

6.3 Abstract semantics for commands

In the concrete semantics, each command $\mathit{com}$ transforms an initial state into a final state. On the abstract domain, it transforms an initial $\mathsf{ALPS}$ graph $G \mathbin{\star} \mathit{sh} \mathbin{\star} \mathit{nl}$ into an $\mathsf{ALPS}$ graph $G' \mathbin{\star} \mathit{sh}'\mathbin{\star} \mathit{nl}'$ .

Definition 86. Let $\tau$ describe the variables in scope and I be an $\mathsf{ALPS}$ interpretation. Figures 21–23 show the $\mathsf{ALPS}$ semantics for commands $\mathcal{SC}_{{\tau}}^{{I}}\unicode{x0301A}{{\mathit{com}}}\unicode{x0301B}: \mathsf{ALPS}_\tau \to \mathsf{ALPS}_\tau$ .

Figure 21. The $\mathsf{ALPS}$ interpretation for simple commands.

Figure 22. The $\mathsf{ALPS}$ interpretation for assignment to field.

Figure 23. The $\mathsf{ALPS}$ interpretation for method calls. The auxiliary function $match_{v.{\mathord{\mathtt{m}}}}$ is defined later in Figure 24.

The concrete semantics of $v\mathbin{\mathtt{\unicode{x02254}}}\mathit{exp}$ evaluates $\mathit{exp}$ and stores its result into v. Thus, the final abstract state is obtained by first computing $\mathcal{S\!E}_{\tau}^{I}\unicode{x0301A}{\mathit{exp}}\unicode{x0301B}$ and then renaming ${\mathord{\mathtt{res}}}$ into v. Some of the nodes may become unlabeled and must be removed. This is accomplished by the auxiliary operation $\textsf{prune}$ which removes unnecessary information, in particular unlabeled nodes and fields which are not in the declared type of the variables.

To determine a correct approximation of the conditional “ $\mathtt{if\ }v\ \mathtt{=}\ \mathtt{null}$ ” we check whether $\ell(v)=\bot$ . If this is the case, then we know that v is ${\mathord{\mathtt{null}}}$ and we evaluate $com_1$ . Otherwise, we evaluate both branches and compute the lub. When evaluating the first branch, we may improve precision by using the auxiliary operator $\mathbb{G}_{|v={\mathord{\mathtt{null}}}}$ (Section 6.1.3) which returns a correct approximation of the program states $\{ \phi \mathbin{\star} \mu \mid \alpha(\phi\mathbin{\star} \mu) \preceq \mathbb{G} \wedge \phi(v)={\mathord{\mathtt{null}}} \}$ , that is, the states correctly approximated by $\mathbb{G}$ where v is ${\mathord{\mathtt{null}}}$ . Note that, since our domain does not model definite non-nullness, there is no way to define a projection $\mathbb{G}_{|v\neq{\mathord{\mathtt{null}}}}$ to improve the input for $\mathcal{SC}_{{\tau}}^{{I}}\unicode{x0301A}{{\mathit{com}_2}}\unicode{x0301B}$ as in $\mathcal{SC}_{{\tau}}^{{I}}\unicode{x0301A}{{\mathit{com}_1}}\unicode{x0301B}(\mathbb{G}_{|v={\mathord{\mathtt{null}}}})$ .

Similarly for the conditional “ $\mathtt{if\ }v\ \mathtt{=}\ w$ ” we use another auxiliary operator $\mathbb{G}_{|v=w}$ (Section 6.1.4) which returns a correct approximation of the set of program states $\{ \phi \mathbin{\star} \mu \mid \alpha(\phi \mathbin{\star} \mu) \preceq \mathbb{G} \wedge\phi(v)=\phi(w) \}$ . Again, since our domain does not model definite non-aliasing, we cannot improve the input for the second branch.

The composition of commands is denoted by functional composition over $\mathsf{ALPS}$ , where the identity map $\lambda s\in \mathsf{ALPS}_\tau.s$ is needed when $p=0$ . The evaluation of $v.{\mathord{\mathtt{f}}} \mathbin{\mathtt{\unicode{x02254}}} \mathit{exp}$ in Figure 22 is the most complex operation of the abstract semantics. Although it may seem similar to the assignment $v \mathbin{\mathtt{\unicode{x02254}}} \mathit{exp}$ , we must take into account that v might be aliased to many different nodes. The candidates are those variables, denoted by $V_{comp}$ , which share with $\ell(v)$ and have compatible types. For each node labeled by a variable in $V_{comp}$ , we add a new fresh node in $N_{new}$ pointed by an edge (labeled by the field ${\mathord{\mathtt{f}}}$ ) in $E_{new}$ . Finally, all possible sharing and nonlinearity are added. A slightly different treatment is devoted to the special case when the result of the expression is definitely ${\mathord{\mathtt{null}}}$ .

6.4 Abstract semantics of method call

The concrete semantics of the method call $v.\mathtt{m(}v_1,\ldots,v_n\mathtt{)}$ builds an input state containing the local variables $w_1,\ldots,w_n$ and the special variable $\mathit{this}$ , and executes the method body. In order to improve the precision of method calls, we also use a copy of the local variables $w'_1,\ldots,w'_n$ which will be used when returning from the method call to match the original variables $v_1,\ldots,v_n$ . This allows a change to the object pointed to by $w_i$ to be distinguished from a change to $w_i$ itself.

When a method $v.{\mathord{\mathtt{m}}}$ is called, the class of v is inspected and the correct overloaded method for ${\mathord{\mathtt{m}}}$ is selected. The abstract domain contains only partial information on the runtime class of v, since we only know that the class of v must be a superclass of the class of any variable aliased with v, namely a superclass of $\tau_G(\ell(v))$ . We exploit this information in computing the abstract semantics of a method call in Figure 23. In practice, we conservatively assume that every method ${\mathord{\mathtt{m}}}$ in any subclass of $\tau_G(\ell(v))$ may be called. Note that methods defined only in superclasses of $\kappa$ are already considered in $\kappa$ .

When exiting from a method call, we need to rename ${\mathord{\mathtt{out}}}$ into ${\mathord{\mathtt{res}}}$ since, from the point of view of the caller, the returned value of the callee ( ${\mathord{\mathtt{out}}}$ ) is the value of the method call expression ( ${\mathord{\mathtt{res}}}$ ). We use an auxiliary operation $match_{v.{\mathord{\mathtt{m}}}}$ which, given an initial and final state, updates the initial state trying to guess a possible matching of variables in the abstract states. The definition of $match_{v.{\mathord{\mathtt{m}}}}$ is given in Figure 24.

Figure 24. The $match_{v.{\mathord{\mathtt{m}}}}$ auxiliary operation.

Theorem 87. The abstract semantics formalized in Figures 20–24 is correct w.r.t. the concrete semantics in Section 2.2.2.

Analogously to the concrete case, we may define an abstract transformer which, given an $\mathsf{ALPS}$ interpretation I, returns a new $\mathsf{ALPS}$ interpretation I' such that

\begin{equation*}\begin{array}{lll}I'(\kappa.{\mathord{\mathtt{m}}}) &=&(\lambda \mathbb{G} \in \mathsf{ALPS}_{\mathit{scope}(\kappa.{\mathord{\mathtt{m}}})}.\mathbb{G} _{\Vert dom(\mathit{output}(\kappa.{\mathord{\mathtt{m}}}))}) \ \circ \\&& \mathcal{SC}_{{\mathit{scope}(\kappa.{\mathord{\mathtt{m}}})}}^{{I}}\unicode{x0301A}{{\mathit{body}(\kappa.{\mathord{\mathtt{m}}})}}\unicode{x0301B} \ \circ \\ && (\lambda \mathbb{G} \in \mathsf{ALPS}_{\mathit{input}(\kappa.{\mathord{\mathtt{m}}})}. N \mathbin{\star} E \mathbin{\star} \ell' \mathbin{\star} \mathit{sh} \mathbin{\star} \mathit{nl})\end{array}\end{equation*}

where $\ell' = \ell[w'_1 \mapsto \ell(w_1),\ldots, w'_n \mapsto \ell(w_n)]$ .

The new interpretation returned by the abstract transformer is computed by first adding primed variables which are used to hold a copy of the original actual parameters, then evaluating the body of the method and finally restricting the graph to the output variables. The abstract denotational semantics is the least fixpoint of this transformer.

Theorem 88. The abstract denotational semantics is correct w.r.t. the concrete one.

Example 89. Consider the method $\mathtt{Tree}.{\mathord{\mathtt{makeTree}}}$ in Section 1.4, where

\begin{align*}\begin{split}\mathit{scope}(\mathtt{Tree}.{\mathord{\mathtt{makeTree}}})=[ & {\mathord{\mathtt{this}}} \mapsto \mathtt{Tree}, n\mapsto \mathtt{Integer}, n' \mapsto \mathtt{Integer},m \mapsto \mathtt{Integer},{\mathord{\mathtt{out}}} \mapsto \mathtt{Tree}].\end{split}\end{align*}

We can compute a new $\mathsf{ALPS}$ interpretation from the least informative $\mathsf{ALPS}$ interpretation $I_\bot(\mathtt{Tree}.{\mathord{\mathtt{makeTree}}}) = \lambda\mathbb{G}.\bot_{{\mathord{\mathtt{out}}}(\mathtt{Tree}.{\mathord{\mathtt{makeTree}}})}$ :

\begin{equation*}\begin{split} I^1(\mathtt{Tree}.{\mathord{\mathtt{makeTree}}})(\mathbb{G})= & N \cup \{n_{out}\} \mathbin{\star} E \mathbin{\star} {} \ell[n' \mapsto \ell(n), out \mapsto n_{out}] \mathbin{\star} \mathit{sh} \cup \{\{n_{out}\}\} \mathbin{\star} \mathit{nl} \end{split}\end{equation*}

Now, starting from $I^1(\mathtt{Tree}.{\mathord{\mathtt{makeTree}}})$ , we can compute a new interpretation as follows:

\begin{equation*}\begin{split} &I^2(\mathtt{Tree}.{\mathord{\mathtt{makeTree}}})(\mathbb{G})= N \cup \{n_{out}, n_{out.l},n_{out.r}\} \mathbin{\star} {}\\ & \qquad E \cup \{n_{out} \xrightarrow{{\mathord{\mathtt{l}}}} n_{out.l}, n_{out} \xrightarrow{{\mathord{\mathtt{r}}}} n_{out.r} \}\mathbin{\star} {} \\ & \qquad \ell[n' \mapsto \ell(n), out \mapsto n_{out} ] \mathbin{\star} {}\\ & \qquad \mathit{sh} \cup \{\,\{n_{out}\}, \{n_{out.l}\},\{n_{out.r}\}, \{n_{out},n_{out.l} \}, \{n_{out},n_{out.r} \}\, \}\mathbin{\star} \mathit{nl} \end{split}\end{equation*}

which is the least fixpoint. Relative to the case $\ell(n)\neq {\mathord{\mathtt{null}}}$ , the abstract states $I^1(\mathtt{Tree}.{\mathord{\mathtt{makeTree}}})(\mathbb{G})$ and $I^2(\mathtt{Tree}.{\mathord{\mathtt{makeTree}}})(\mathbb{G})$ are depicted in Figure 25. From this graph, it appears that the tree generated by this method is linear and does not share with ${\mathord{\mathtt{this}}}$ (the object on which we call the makeTree method). Moreover, since n and n' are aliased, we know that the method does not modify the variable n.

Figure 25. $\mathsf{ALPS}$ interpretations for the makeTree method.

7. Related Work

Sharing properties have been deeply studied for logic programs, see for instance: Jacobs and Langen (1992), Hans and Winkler (1992), Muthukumar and Hermenegildo (1992), Codish et al. (1999), Bagnara et al. (2002), and Amato and Scozzari (2009). The large literature on this topic has been the starting point for designing our enhanced abstract domain for sharing analysis. In particular, the use of a linearity property, for example, in Codish et al. (1991), Hans and Winkler (1992), Muthukumar and Hermenegildo (1992), King (1994), and Amato and Scozzari (2010, 2014), has proved to be very useful when dealing with sharing information (see Bagnara et al. 2005 for a comparative evaluation).

Outside of the logic programming community, sharing information is generally regarded as a by-product of shape analysis. One of the first papers that explicitly deals with sharing information is Jones and Muchnick (1979), which presents a combined intra-procedural analysis of aliasing, reachability, and cyclicity for imperative and functional languages with records. The focus of their analysis is not pair sharing, but detecting the set of shared nodes, that is, heap cells which may be reached by variables using at least two different paths. Shared nodes and cyclicity are used to optimize memory management.

The property of sharing for object-oriented languages has been studied in a few works. Secci and Spoto (2005a) propose a simple domain of pair sharing for a simple Java-like language, and Méndez-Lojo and Hermenegildo (2008) extend this domain, proposing a combined analysis of set sharing, nullness, and classes for exactly the same language. The main differences of our paper w.r.t. these proposals are

  • the $\mathsf{ALPS}$ abstract domain encodes linearity and aliasing information, in addition to sharing;

  • the analysis is field sensitive, that is, information is encoded at the level of the fields of the objects.

The analysis in Secci and Spoto (2005a) has also been refined by Zanardini (2018), who proposes a field-sensitive sharing analysis for a very similar language. Linearity information is not exploited in this paper either.

Pollet et al. (2001) propose a framework for the analysis of object-oriented languages and introduce two abstract domains for definite aliasing and possible aliasing, respectively. The abstract objects of these domains are similar to aliasing graphs, but without being restricted to two levels. Termination is guaranteed by widening. These domains may be enriched by providing type information for the leaves of the graphs. However, they do not consider sharing or linearity properties.

In the context of pure functional programming with no destructive updates, sharing is just an implementation detail and has no impact on the behavior of the program. Nonetheless, sharing analysis may help in optimizing program execution. For example, the first part of Jones and Muchnick (1979) deals with sharing in pure functional programs in order to avoid the use of garbage collection and reference counting.

More recently, Peña-Marí et al. (2006) present a pair-sharing analysis for SAFE, which is a functional language with explicit control for copy and destruction of data structures. The result of the analysis is used during type checking. Due to the particular features of the programming language, the sharing analysis distinguishes between generic sharing and sharing of recursive substructures (e.g., two lists share a recursive substructure when they have a common tail). The analysis is field insensitive and can represent neither definite aliasing nor definite nullness and linearity. This analysis has been vastly improved in Montenegro et al. (2015), where each pair of sharing variables is annotated with the set of possible paths through which the sharing may happen. Although definite aliasing and definite nullness are still not representable in the new domain, definite linearity is inferable from the extended pair-sharing information: if x shares with itself only through the empty path, then x is linear.

8. Conclusions

We propose the new abstract domain $\mathsf{ALPS}$ which combines aliasing, linearity, and sharing analysis for an object-oriented language and provide all the necessary abstract operations.

The combination with linearity information allows us to improve the precision of the analysis in blocks of assignments, method calls, and thus on recursion. This is a fundamental issue that has not been considered in any previous analysis. We have shown in Section 1.4 a simple example where linearity plays a fundamental role in proving that two subtrees do not share. More generally, an important point is that linearity information allows us to distinguish a tree from a directed acyclic graph (DAG). For instance, the result of makeTree in Figure 8 is a tree. However, the abstract representation of a tree in any abstract domain containing only information about reachability, sharing, acyclicity, nullness, and aliasing (and the corresponding negated properties such as cyclicity, non-nullness, etc.) cannot be distinguished from the abstraction of a DAG. For example, the data structure ${\mathord{\mathtt{t2}}}$ :

    Tree t2 = new Tree ()
    t2.l = new Tree ()
    t2.r = new Tree ()
    t2.l.l = new Tree ()
    t2.l.r = t2.l.l

has the same sharing, acyclicity, nullness, etc. properties as a tree, but ${\mathord{\mathtt{t2}}}$ is not linear, while ${\mathord{\mathtt{t}}}$ in Figure 8 is linear. At the end of the method useTree, ${\mathord{\mathtt{left}}}$ is equal to ${\mathord{\mathtt{t}}}.{\mathord{\mathtt{l}}}.{\mathord{\mathtt{l}}}$ and ${\mathord{\mathtt{right}}}$ is ${\mathord{\mathtt{t}}}.{\mathord{\mathtt{l}}}.{\mathord{\mathtt{r}}}$ , but they do not share since ${\mathord{\mathtt{t}}}$ is a tree. However, ${\mathord{\mathtt{t2}}}.{\mathord{\mathtt{l}}}.{\mathord{\mathtt{l}}}$ and ${\mathord{\mathtt{t2}}}.{\mathord{\mathtt{l}}}.{\mathord{\mathtt{r}}}$ share. Linearity allows us to distinguish these two situations. None of the works discussed in Section 7 can distinguish a DAG from a tree, with the exception of Montenegro et al. (2015) which cannot be directly applied to a Java-like language since it does not support updates.
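A concrete check of the tree-versus-DAG point above, added here as an example that is not part of the paper: it builds a tree t (its shape is an assumption, standing in for the result of makeTree in Figure 8) and the DAG t2 defined above on a constructed heap, then computes reachable locations (RLoc), sharing as in Proposition 16, acyclicity, and linearity, so that only the linearity check separates the two states.

```python
# Constructed example (not from the paper): a concrete state phi * mu holding
# the variables t and t2. Locations are ints, null is None, and an object is
# a pair (class name, field map) mirroring the paper's kappa and phi parts.

def fields(heap, loc):
    """Field map of the object stored at location loc."""
    return heap[loc][1]

def new_tree(heap):
    """Allocate a Tree whose fields l and r are null; return its location."""
    loc = len(heap) + 1
    heap[loc] = ("Tree", {"l": None, "r": None})
    return loc

def follow(heap, loc, path):
    """loc.f1...fk as in Appendix A.1.1: None as soon as a step hits null."""
    for f in path:
        if loc is None:
            return None
        loc = fields(heap, loc)[f]
    return loc

def rloc(heap, loc):
    """RLoc(loc): locations reachable from loc through non-null field chains."""
    seen, stack = set(), ([] if loc is None else [loc])
    while stack:
        l = stack.pop()
        if l in seen:
            continue
        seen.add(l)
        stack.extend(x for x in fields(heap, l).values() if x is not None)
    return seen

def shares(heap, l1, l2):
    """Proposition 16: l1 and l2 share iff RLoc(l1) and RLoc(l2) intersect."""
    return bool(rloc(heap, l1) & rloc(heap, l2))

def is_acyclic(heap, loc):
    """No location reachable from loc reaches itself via a non-empty path."""
    for l in rloc(heap, loc):
        for child in fields(heap, l).values():
            if child is not None and l in rloc(heap, child):
                return False
    return True

def is_linear(heap, loc):
    """Linearity: distinct field paths from loc must reach distinct objects.
    Every path is walked; the first object reached a second time (by another
    path, or by a cycle) proves the structure nonlinear."""
    reached = {}
    stack = [(loc, ())]
    while stack:
        l, path = stack.pop()
        if l is None:
            continue
        if l in reached:
            return False
        reached[l] = path
        for f, child in fields(heap, l).items():
            stack.append((child, path + (f,)))
    return True

def build_states():
    """Constructed heap with t (assumed tree shape) and t2 (as in Section 8)."""
    heap, env = {}, {}
    env["t"] = new_tree(heap)
    fields(heap, env["t"])["l"] = new_tree(heap)
    fields(heap, env["t"])["r"] = new_tree(heap)
    tl = fields(heap, env["t"])["l"]
    fields(heap, tl)["l"] = new_tree(heap)
    fields(heap, tl)["r"] = new_tree(heap)
    env["t2"] = new_tree(heap)
    fields(heap, env["t2"])["l"] = new_tree(heap)
    fields(heap, env["t2"])["r"] = new_tree(heap)
    t2l = fields(heap, env["t2"])["l"]
    fields(heap, t2l)["l"] = new_tree(heap)
    fields(heap, t2l)["r"] = fields(heap, t2l)["l"]   # two paths, one object
    return heap, env

def summarize(heap, env, v):
    """The properties Section 8 compares for variable v; left and right are
    the values of v.l.l and v.l.r, as the variables of useTree at its end."""
    root = env[v]
    left = follow(heap, root, ("l", "l"))
    right = follow(heap, root, ("l", "r"))
    return {
        "acyclic": is_acyclic(heap, root),
        "linear": is_linear(heap, root),
        "left_shares_right": shares(heap, left, right),
    }

if __name__ == "__main__":
    heap, env = build_states()
    for v in ("t", "t2"):
        print(v, summarize(heap, env, v))
    print("t shares with t2:", shares(heap, env["t"], env["t2"]))
```

Both variables are acyclic and each shares only with itself, yet only t is linear, which is exactly what lets left and right be proven disjoint for t but not for t2.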

Regarding modularity of the analysis, although the most precise results are obtained by analyzing the entire program as a whole, it is possible to analyze single libraries (or even single methods) by assuming that every external method returns the largest possible abstract object. In this way, when a real object is plugged into the final program, its behavior will be correctly abstracted.

From the point of view of performance, note that in a domain which tracks possible sharing information, it usually happens that the more precise an abstract object is, the smaller its representation is. For example, the best correct abstraction of a concrete state where no sharing happens is an $\mathsf{ALPS}$ graph without edges. However, if our analysis is not precise enough to compute the best correct abstraction, some edges will be included in the abstract object, which may negatively impact the performance of succeeding operations. Therefore, improving the precision of the analysis, on the one hand, increases the computational cost, but on the other hand may lead to smaller abstract objects, which partially compensates for this cost. A detailed evaluation of the trade-off between precision and performance may only be conducted experimentally. We plan to carry out this evaluation once we implement $\mathsf{ALPS}$ as an abstract domain for the $\mathsf{Jandom}$ static analyzer (Amato et al. 2013).

Although we have presented $\mathsf{ALPS}$ graphs in the context of object-oriented programs, the same domain can be immediately applied to functional programs. In this regard, note that the example program in Figure 8 may be rewritten in functional style and the benefits of linearity are the same already discussed for object-oriented programs.

The domain of $\mathsf{ALPS}$ graphs may be easily extended by annotating nodes with additional information in a modular way. For example, class analysis might be integrated by adding a set of possible classes for each node, while nodes representing numerical entities may be annotated with intervals for integrating range analysis. Obviously, if we want to maximize the benefits of the integration, at the very least, new operators should be devised which use the information of one domain to improve the precision of the other.

To the best of our knowledge, this is the first attempt to combine sharing with linearity for imperative or object-oriented languages.

Conflicts of Interest

The authors declare none.

Appendix A. Proofs

A.1 Reachability, sharing, linearity, and aliasing

A.1.1 Reachability among locations

Proposition 90. Given $\sigma=\phi\mathbin{\star}\mu \in \Sigma_\tau$ , $l \in dom(\mu)$ , $\bar {\mathord{\mathtt{f}}}$ a possibly empty sequence of identifiers, if $l.\bar {\mathord{\mathtt{f}}}$ exists, then either $l.\bar {\mathord{\mathtt{f}}}={\mathord{\mathtt{null}}}$ or $l.\bar {\mathord{\mathtt{f}}} \in dom(\mu)$ .

Proof. Assume that $l.\bar{\mathord{\mathtt{f}}}$ exists. The proof is by induction on the length of $\bar{\mathord{\mathtt{f}}}$ . If $\bar{\mathord{\mathtt{f}}}$ is empty, then $l.\bar{\mathord{\mathtt{f}}} =l$ , which is in $dom(\mu)$ by hypothesis. Otherwise $\bar {\mathord{\mathtt{f}}}=\bar {\mathord{\mathtt{f}}}_1 {\mathord{\mathtt{f}}}_2$ and $l.\bar {\mathord{\mathtt{f}}} = (l.\bar {\mathord{\mathtt{f}}}_1).{\mathord{\mathtt{f}}}_2$ . By inductive hypothesis, $l' = l.\bar {\mathord{\mathtt{f}}}_1$ is either ${\mathord{\mathtt{null}}}$ or an element of $dom(\mu)$ . If $l' = {\mathord{\mathtt{null}}}$ , then $l'.{\mathord{\mathtt{f}}}_2= l.\bar {\mathord{\mathtt{f}}}$ does not exist, which contradicts the hypothesis, hence $l' \in dom(\mu)$ . Since $l'.{\mathord{\mathtt{f}}}_2$ exists, then ${\mathord{\mathtt{f}}}_2 \in dom(\mu(l').\phi)$ . By $\tau$ -correctness of $\sigma$ we have that $\mu(l').\phi \mathbin{\star} \mu$ is weakly $\mu(l').\kappa$ -correct. This implies that either $l.\bar {\mathord{\mathtt{f}}} = l.\bar {\mathord{\mathtt{f}}}_1{\mathord{\mathtt{f}}}_2= l'.{\mathord{\mathtt{f}}}_2 = {\mathord{\mathtt{null}}}$ , or $l.\bar {\mathord{\mathtt{f}}} = l.\bar {\mathord{\mathtt{f}}}_1{\mathord{\mathtt{f}}}_2= l'.{\mathord{\mathtt{f}}}_2 \in dom(\mu)$ .

Proposition 11. Given $\sigma=\phi\mathbin{\star}\mu \in \Sigma_\tau$ , ${\mathord{\mathtt{f}}}$ an identifier and $l, l' \in dom(\mu)$ , then:

  (1) $l.{\mathord{\mathtt{f}}}$ exists iff $\tau(l).{\mathord{\mathtt{f}}}$ exists;

  (2) if $l.{\mathord{\mathtt{f}}}$ exists and $l.{\mathord{\mathtt{f}}}\neq {\mathord{\mathtt{null}}}$ , then $\tau(l.{\mathord{\mathtt{f}}}) \leq\tau(l).{\mathord{\mathtt{f}}}$ .

Proof. Let us prove the first property. It is the case that $l.{\mathord{\mathtt{f}}}$ exists iff ${\mathord{\mathtt{f}}} \in dom(\mu(l).\phi)$ . By $\tau$ -correctness, $dom(\mu(l).\phi) =dom(\mu(l).\kappa) = dom(\tau(l))$ . Hence $l.{\mathord{\mathtt{f}}}$ exists whenever ${\mathord{\mathtt{f}}} \in dom(\tau(l))$ iff $\tau(l).{\mathord{\mathtt{f}}}$ exists.

We now prove the second property. Since $l.{\mathord{\mathtt{f}}}$ exists, then l exists and $\mu(l) \in rng(\mu)$ . For this reason and by $\tau$ -correctness of $\sigma$ , we have that $\mu(l).\phi \mathbin{\star} \mu$ is weakly $\mu(l).\kappa$ -correct. If we consider what this means for the identifier ${\mathord{\mathtt{f}}}$ , and since $l.{\mathord{\mathtt{f}}}=\mu(l).\phi({\mathord{\mathtt{f}}}) \neq {\mathord{\mathtt{null}}}$ by hypothesis, we have that $\mu(\mu(l).\phi({\mathord{\mathtt{f}}})).\kappa \leq \mu(l).\kappa({\mathord{\mathtt{f}}})$ . By just applying the definitions, we have that $\mu(\mu(l).\phi({\mathord{\mathtt{f}}})).\kappa = \tau(l.{\mathord{\mathtt{f}}})$ while $\mu(l).\kappa({\mathord{\mathtt{f}}}) = \tau(l).{\mathord{\mathtt{f}}}$ .

Proposition 16. Given $\sigma =\phi\mathbin{\star}\mu \in \Sigma_\tau$ and locations $l_1, l_2 \in dom(\mu)$ , we have that $l_1$ shares with $l_2$ iff $\mathord{\mathit{RLoc_\sigma}}(l_1) \cap \mathord{\mathit{RLoc_\sigma}}(l_2) \neq \emptyset$ .

Proof. If $l_1$ and $l_2$ share, then there are sequences of identifiers $\bar{{\mathord{\mathtt{f}}}}_1$ and $\bar{{\mathord{\mathtt{f}}}}_2$ such that $l_1.\bar{{\mathord{\mathtt{f}}}}_1 = l_2.\bar{{\mathord{\mathtt{f}}}}_2 \neq {\mathord{\mathtt{null}}}$ . Let l be $l_1.\bar{{\mathord{\mathtt{f}}}}_1$ , we have that $l \in \mathord{\mathit{RLoc_\sigma}}(l_1)$ and $l \in \mathord{\mathit{RLoc_\sigma}}(l_2)$ .

A.1.2 Reachability among identifiers

Proposition 91. Given $\sigma= \phi \mathbin{\star} \mu \in \Sigma_\tau$ and $v.{\mathord{\mathtt{f}}} \in Q_\tau$ then $\phi(v.{\mathord{\mathtt{f}}})$ exists.

Proof. If $\phi(v) = {\mathord{\mathtt{null}}}$ , then $\phi(v.{\mathord{\mathtt{f}}}) = {\mathord{\mathtt{null}}}$ by definition. If $\phi(v) \neq {\mathord{\mathtt{null}}}$ , then $\phi(v) \in dom(\mu)$ . By $\tau$ -correctness, the runtime class of v is a subtype of the declared class, that is, $\tau(\phi(v)) \leq \tau(v)$ . By properties of subtyping, if $\tau(v).{\mathord{\mathtt{f}}}$ exists, then also $\tau(\phi(v)).{\mathord{\mathtt{f}}}$ exists and, by Proposition 11 (1), $\phi(v).{\mathord{\mathtt{f}}} = \phi(v.{\mathord{\mathtt{f}}})$ exists.

Proposition 21. For each $i \in I_\tau$ and $\sigma= \phi\mathbin{\star}\mu\in\Sigma_\tau$ , we have that $\phi(i) \neq {\mathord{\mathtt{null}}}$ implies $\tau(\phi(i)) \leq \tau(i)$ .

Proof. If i is a variable in $dom(\tau)$ and $\phi(i) \neq {\mathord{\mathtt{null}}}$ , then $\tau(\phi(i)) \leq \tau(i)$ by weak $\tau$ -correctness. If $i = v.{\mathord{\mathtt{f}}}$ is a qualified field, since $\phi(i) \neq {\mathord{\mathtt{null}}}$ then $\phi(v) \neq {\mathord{\mathtt{null}}}$ and, by Proposition 91, $\phi(v.{\mathord{\mathtt{f}}})= \phi(v).{\mathord{\mathtt{f}}}$ . Hence $\tau(\phi(v.{\mathord{\mathtt{f}}}))=\tau(\phi(v).{\mathord{\mathtt{f}}})$ . By Proposition 11 (2), $\tau(\phi(v).{\mathord{\mathtt{f}}}) \leq\tau(\phi(v)).{\mathord{\mathtt{f}}}$ . Since $\phi(v) \neq {\mathord{\mathtt{null}}}$ , by weak $\tau$ -correctness, we have $\tau(\phi(v)) \leq \tau(v)$ and, by the properties of subtyping, $\tau(\phi(v)).{\mathord{\mathtt{f}}} =\tau(v).{\mathord{\mathtt{f}}} = \tau(v.{\mathord{\mathtt{f}}})$ , concluding the proof.

Proposition 25. Let $\sigma = \phi \mathbin{\star} \mu \in \Sigma_\tau$ and $v \in dom(\tau)$ . If $\phi(v)\neq{\mathord{\mathtt{null}}}$ , then

\begin{equation*} \mathord{\mathit{RLoc_\sigma}}(v) \supseteq \{ \phi(v) \} \cup \bigcup_{v.{\mathord{\mathtt{f}}} \in Q_\tau} \mathord{\mathit{RLoc_\sigma}}(v.{\mathord{\mathtt{f}}}) \enspace . \end{equation*}

Proof. If $\phi(v) \neq {\mathord{\mathtt{null}}}$ , then $\phi(v)\in dom(\mu)$ . Moreover, by Proposition 90, if $\phi(v).{\mathord{\mathtt{f}}}$ exists and $\phi(v).{\mathord{\mathtt{f}}}\neq {\mathord{\mathtt{null}}}$ , then $\phi(v).{\mathord{\mathtt{f}}}\in dom(\mu)$ . Hence:

\begin{align*} \mathord{\mathit{RLoc_\sigma}}(v) &= \{ l \mid \phi(v) \xrightarrow{*}_\sigma l \}\\ &= \{ \phi(v) \} \cup \{ l \mid \phi(v).{\mathord{\mathtt{f}}} \text{ exists} \wedge \phi(v).{\mathord{\mathtt{f}}} \neq {\mathord{\mathtt{null}}} \wedge \phi(v).{\mathord{\mathtt{f}}} \xrightarrow{*}_\sigma l \}\\ &\supseteq \{ \phi(v) \} \cup \{ l \mid v.{\mathord{\mathtt{f}}} \in Q_\tau \wedge \phi(v).{\mathord{\mathtt{f}}} \neq {\mathord{\mathtt{null}}} \wedge \phi(v.{\mathord{\mathtt{f}}}) \xrightarrow{*}_\sigma l \}\\ &=\{ \phi(v) \} \cup \bigcup_{\stackrel{v.{\mathord{\mathtt{f}}} \in Q_\tau}{\phi(v).{\mathord{\mathtt{f}}} \neq {\mathord{\mathtt{null}}}}} \{ l \mid \phi(v.{\mathord{\mathtt{f}}}) \xrightarrow{*}_\sigma l \} \\ &=\{ \phi(v) \} \cup \bigcup_{\stackrel{v.{\mathord{\mathtt{f}}} \in Q_\tau}{\phi(v).{\mathord{\mathtt{f}}} \neq {\mathord{\mathtt{null}}}}} \mathord{\mathit{RLoc_\sigma}}(v.{\mathord{\mathtt{f}}}) \\ &=\{ \phi(v) \} \cup \bigcup_{v.{\mathord{\mathtt{f}}} \in Q_\tau} \mathord{\mathit{RLoc_\sigma}}(v.{\mathord{\mathtt{f}}}) \end{align*}

which concludes the proof.
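The reachability notions behind Propositions 16 and 25 can be checked mechanically on a small heap. The following Python model is an added example, not code from the paper: it encodes a state $\sigma = \phi \mathbin{\star} \mu$ as two dictionaries (with `None` standing for ${\mathord{\mathtt{null}}}$), leaves out class information, and computes $\mathord{\mathit{RLoc_\sigma}}$, sharing and linearity directly from their definitions on a constructed heap. The names `rloc`, `shares`, `is_linear`, the checks `prop16_holds` and `prop25_holds`, and the sample state `MU`, `PHI` are ours.

```python
"""Concrete states sigma = phi * mu and the reachability notions of Section A.1.

Added example, not the paper's code.  A state is a variable environment
phi (variable -> location, None for null) and a heap mu (location ->
{field name: location}).  Class information (tau, kappa) is omitted, so
the fields actually present in an object stand in for the qualified
identifiers Q_tau of the variable pointing to it.
"""
from collections import deque

NULL = None  # the paper's null


def deref(mu, loc, path):
    """l.f1...fk: follow a sequence of field names from loc; null is absorbing."""
    for f in path:
        if loc is NULL:
            return NULL
        loc = mu[loc][f]
    return loc


def rloc(mu, loc):
    """RLoc_sigma(l) = { l' | l ->*_sigma l' }, computed by breadth-first search."""
    if loc is NULL:
        return set()
    seen, todo = {loc}, deque([loc])
    while todo:
        for target in mu[todo.popleft()].values():
            if target is not NULL and target not in seen:
                seen.add(target)
                todo.append(target)
    return seen


def rloc_ident(phi, mu, ident):
    """RLoc_sigma(i) for a variable 'v' or a qualified identifier ('v', 'f')."""
    v, *path = ident if isinstance(ident, tuple) else (ident,)
    return rloc(mu, deref(mu, phi[v], path))


def field_paths(mu, loc, bound):
    """All pairs (path, l.path) with l.path != null and len(path) <= bound."""
    frontier = [((), loc)] if loc is not NULL else []
    out = list(frontier)
    for _ in range(bound):
        frontier = [(path + (f,), target)
                    for path, l in frontier
                    for f, target in mu[l].items() if target is not NULL]
        out.extend(frontier)
    return out


def shares(mu, l1, l2):
    """Sharing by definition: paths f1, f2 with l1.f1 = l2.f2 != null.
    Paths of length <= |dom(mu)| suffice, since every reachable object is
    reached by a path that repeats no location."""
    bound = len(mu)
    targets1 = {t for _, t in field_paths(mu, l1, bound)}
    targets2 = {t for _, t in field_paths(mu, l2, bound)}
    return bool(targets1 & targets2)


def is_linear(mu, loc):
    """Linearity (Definition 14): no two distinct field paths from loc reach the
    same object.  If two such paths exist, a pair of length <= |dom(mu)| exists."""
    seen = set()
    for _, target in field_paths(mu, loc, len(mu)):
        if target in seen:
            return False
        seen.add(target)
    return True


def prop16_holds(mu):
    """Proposition 16: l1 shares with l2 iff RLoc(l1) and RLoc(l2) intersect."""
    return all(shares(mu, l1, l2) == bool(rloc(mu, l1) & rloc(mu, l2))
               for l1 in mu for l2 in mu)


def prop25_holds(phi, mu, v):
    """Proposition 25: RLoc(v) contains phi(v) and RLoc(v.f) for every field f."""
    if phi[v] is NULL:
        return True
    lower = {phi[v]}
    for f in mu[phi[v]]:
        lower |= rloc_ident(phi, mu, (v, f))
    return lower <= rloc(mu, phi[v])


# Constructed sample state.  x -> a -> b -> c (a list); y -> d -> b shares the
# tail b, c with x; z -> e, whose fields left and right both hold f (e is not
# linear); w -> g with g.self = g (cyclic, so g is not linear); u is null.
MU = {
    "a": {"next": "b"}, "b": {"next": "c"}, "c": {"next": NULL},
    "d": {"next": "b"},
    "e": {"left": "f", "right": "f"}, "f": {"left": NULL, "right": NULL},
    "g": {"self": "g"},
}
PHI = {"x": "a", "y": "d", "z": "e", "w": "g", "u": NULL}

if __name__ == "__main__":
    print("x shares with y:", shares(MU, PHI["x"], PHI["y"]))
    print("linear objects:", sorted(l for l in MU if is_linear(MU, l)))
    print("Proposition 16 holds on MU:", prop16_holds(MU))
```

On `MU`, `x` and `y` share because both reach `b`, while `e` and `g` are the two non-linear objects: `e` through two different field names and `g` through the empty path and the path `self`, which is exactly the first case of the proof of Lemma 94.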

A.1.3 Class-induced reachability

Proposition 29. Given $\sigma = \phi \mathbin{\star} \mu \in \Sigma_\tau$ and $l_1, l_2 \in dom(\mu)$ , if $l_1 \xrightarrow{*}_\sigma l_2$ , then $\tau(l_1) \xrightarrow{*} \tau(l_2)$ .

Proof. If $l_1 = l_2$ , then $\tau(l_1) \xrightarrow{*} \tau(l_2)$ trivially. Otherwise, it is enough to prove that $l_1 \xrightarrow{}_\sigma l_2$ implies $\tau(l_1) \xrightarrow{} \tau(l_2)$ . If $l_1 \xrightarrow{}_\sigma l_2$ , then $l_2=l_1.{\mathord{\mathtt{f}}}$ for some ${\mathord{\mathtt{f}}}$ , $\tau(l_2)= \tau(l_1.{\mathord{\mathtt{f}}}) \leq \tau(l_1).{\mathord{\mathtt{f}}}$ , hence $\tau(l_1) \rightarrow \tau(l_2)$ .

The operator C for class reachability is downward closed and monotone w.r.t. subtyping.

Lemma 92. The following properties hold:

  1. $\downarrow C(\kappa) = C(\kappa)$ for each class $\kappa$ ;

  2. $C(\kappa') \subseteq C(\kappa)$ for each $\kappa' \leq \kappa$ .

Proof. The first property immediately descends from the fact that $C(\kappa)=\bigcup_{\kappa'' \leq \kappa} \{ \kappa' \mid \kappa'' \xrightarrow{*} \kappa' \}$ is the union of downward closed sets. The second property is an immediate consequence of the definition of C.

Lemma 93. Given $\sigma = \phi \mathbin{\star} \mu\in \Sigma_\tau$ and $l_1, l_2 \in dom(\mu)$ , if $l_1$ and $l_2$ share, then $C(\tau(l_1))\cap C(\tau(l_2)) \neq \emptyset$ .

Proof. If $l_1$ and $l_2$ share, then by Proposition 16 $\mathord{\mathit{RLoc_\sigma}}(l_1) \cap \mathord{\mathit{RLoc_\sigma}}(l_2) \neq \emptyset$ , that is, there is $l \in \mathord{\mathit{Loc}}$ s.t. $l_1 \xrightarrow{*}_\sigma l$ and $l_2 \xrightarrow{*}_\sigma l$ . By Proposition 29, this implies $\tau(l_1) \xrightarrow{*} \tau(l)$ and $\tau(l_2) \xrightarrow{*} \tau(l)$ , which implies $\tau(l) \in C(\tau(l_1))\cap C(\tau(l_2))$ .

Proposition 32. Given $i_1, i_2 \in I_\tau$ , and $\sigma \in \Sigma_\tau$ , if $i_1$ and $i_2$ share in $\sigma$ , then $(\tau(i_1), \tau(i_2)) \in {SH}$ .

Proof. If $i_1$ and $i_2$ share, then $\phi(i_1) \neq {\mathord{\mathtt{null}}} \neq \phi(i_2)$ and $\phi(i_1)$ shares with $\phi(i_2)$ . By Lemma 93, $C(\tau(\phi(i_1)))\cap C(\tau(\phi(i_2))) \neq \emptyset$ . By Proposition 21, $\tau(\phi(i_1)) \leq \tau(i_1)$ and $\tau(\phi(i_2)) \leq \tau(i_2)$ . Then by Lemma 92, $C(\tau(i_1))\cap C(\tau(i_2)) \neq \emptyset$ .
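The class-level reasoning of Proposition 29, Lemma 92 and Proposition 32 can be made concrete on a small class hierarchy. The following Python code is an added example, not the paper's code. It assumes an encoding of a program as a single-inheritance parent map plus the fields each class declares with their declared class (fields are inherited and never redefined, as Proposition 95 relies on). Following the proof of Proposition 29, $\kappa \rightarrow \kappa'$ is read as "$\kappa'$ is a subclass of the declared class $\kappa.{\mathord{\mathtt{f}}}$ of some field ${\mathord{\mathtt{f}}}$ of $\kappa$"; $C$ is the union stated in the proof of Lemma 92; and $(\kappa_1, \kappa_2) \in {SH}$ is read as $C(\kappa_1) \cap C(\kappa_2) \neq \emptyset$, the criterion Proposition 32 concludes with. The class `Program`, its methods and the sample hierarchy `PROG` are ours.

```python
"""Class-induced reachability C(kappa) and the class-level sharing test used
in Proposition 32.  Added example, not the paper's code.

Assumed encoding: single inheritance given by a parent map, and for each
class the fields it declares with their declared class; fields are
inherited and never redefined.  kappa -> kappa' is read as in the proof of
Proposition 29, C as in the proof of Lemma 92, and SH as the criterion
C(kappa1) ∩ C(kappa2) != ∅ used in Proposition 32.
"""
from dataclasses import dataclass


@dataclass
class Program:
    parent: dict    # class -> superclass, None for the root class
    declared: dict  # class -> {field name: declared class}

    def classes(self):
        return set(self.parent)

    def leq(self, k1, k2):
        """k1 <= k2: k1 equals k2 or is a (transitive) subclass of it."""
        while k1 is not None:
            if k1 == k2:
                return True
            k1 = self.parent[k1]
        return False

    def down(self, ks):
        """Downward closure: every class that is <= some class in ks."""
        return {k for k in self.classes() if any(self.leq(k, k2) for k2 in ks)}

    def fields(self, k):
        """All fields of k with their declared classes, inherited ones included (kappa.f)."""
        out = {}
        while k is not None:
            out.update(self.declared.get(k, {}))
            k = self.parent[k]
        return out

    def succ(self, k):
        """{kappa' | kappa -> kappa'}: subclasses of the declared class of some field of kappa."""
        return self.down(set(self.fields(k).values()))

    def reach(self, k):
        """{kappa' | kappa ->* kappa'}, the reflexive-transitive closure of ->."""
        seen, todo = {k}, [k]
        while todo:
            for k2 in self.succ(todo.pop()):
                if k2 not in seen:
                    seen.add(k2)
                    todo.append(k2)
        return seen

    def C(self, k):
        """C(kappa) = union over kappa'' <= kappa of {kappa' | kappa'' ->* kappa'}."""
        return set().union(*(self.reach(k2) for k2 in self.down({k})))

    def may_share(self, k1, k2):
        """(kappa1, kappa2) in SH: objects of the two classes can reach a common class."""
        return bool(self.C(k1) & self.C(k2))

    def lemma92_holds(self):
        """C is downward closed (1) and monotone w.r.t. subtyping (2) on every class."""
        closed = all(self.down(self.C(k)) == self.C(k) for k in self.classes())
        mono = all(self.C(k1) <= self.C(k2)
                   for k1 in self.classes() for k2 in self.classes() if self.leq(k1, k2))
        return closed and mono


# Constructed program: binary tree cells (Node, with subclass Leaf), a List of
# Nodes, and a Point class that references no objects at all.
PROG = Program(
    parent={"Object": None, "Node": "Object", "Leaf": "Node",
            "List": "Object", "Point": "Object"},
    declared={"Node": {"left": "Node", "right": "Node"},
              "List": {"head": "Node", "next": "List"}},
)

if __name__ == "__main__":
    for k in sorted(PROG.classes()):
        print(k, "->", sorted(PROG.C(k)))
    print("List/Node may share:", PROG.may_share("List", "Node"))
    print("Point/Node may share:", PROG.may_share("Point", "Node"))
```

Note that $C(\mathtt{Leaf})$ contains $\mathtt{Node}$ because `Leaf` inherits the `Node`-typed fields, and that `Point` and `Object` may share only because $C(\mathtt{Object})$ is the whole hierarchy: an `Object`-typed identifier may hold a `Point`, which is the downward closure of Lemma 92 (1) at work.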

Lemma 94. Given $\phi \mathbin{\star} \mu \in \Sigma_\tau$ and $l \in dom(\mu)$ , if l is not linear, then $\tau(l) \in {NL}$ .

Proof. If l is not linear, by Definition 14, there are two sequences $\bar {\mathord{\mathtt{f}}}_1 \neq \bar {\mathord{\mathtt{f}}}_2$ such that $l.\bar {\mathord{\mathtt{f}}}_1=l.\bar {\mathord{\mathtt{f}}}_2 \neq {\mathord{\mathtt{null}}}$ . We prove by induction on the shortest among $\bar {\mathord{\mathtt{f}}}_1$ and $\bar {\mathord{\mathtt{f}}}_2$ that $\tau(l) \in {NL}$ . There are several cases:

  • $\bar{\mathord{\mathtt{f}}}_1$ is empty. Then $\bar {\mathord{\mathtt{f}}}_2 = {\mathord{\mathtt{f}}} \cdot \bar{\mathord{\mathtt{f}}}'_2$ for some ${\mathord{\mathtt{f}}}$ , and $l.{\mathord{\mathtt{f}}}.\bar {\mathord{\mathtt{f}}}'_2 = l$ . This means $l.{\mathord{\mathtt{f}}} \xrightarrow{*}_\sigma l$ , hence by Proposition 29, $\tau(l.{\mathord{\mathtt{f}}}) \xrightarrow{*} \tau(l)$ , that is, $\tau(l) \in C(\tau(l.{\mathord{\mathtt{f}}})) \subseteq C(\tau(l).{\mathord{\mathtt{f}}})$ , where the last inclusion follows by Proposition 11 (2) and Lemma 92 (2). Hence, we have $\tau(l) \in {NL}$ .

  • $\bar{\mathord{\mathtt{f}}}_2$ is empty. The proof is the same as for the previous point.

  • $\bar{\mathord{\mathtt{f}}}_1 = {\mathord{\mathtt{f}}}_1 \cdot \bar {\mathord{\mathtt{f}}}'_1$ and $\bar{\mathord{\mathtt{f}}}_2 = {\mathord{\mathtt{f}}}_2 \cdot \bar {\mathord{\mathtt{f}}}'_2$ with ${\mathord{\mathtt{f}}}_1 \neq {\mathord{\mathtt{f}}}_2$ . Then $l.{\mathord{\mathtt{f}}}_1$ and $l.{\mathord{\mathtt{f}}}_2$ share, hence by Lemma 93 $C(\tau(l.{\mathord{\mathtt{f}}}_1)) \cap C(\tau(l.{\mathord{\mathtt{f}}}_2)) \neq \emptyset$ . By Proposition 11 (2) and by monotonicity of C, that is, Lemma 92 (2), $C(\tau(l).{\mathord{\mathtt{f}}}_1) \cap C(\tau(l).{\mathord{\mathtt{f}}}_2) \neq \emptyset$ , hence $\tau(l) \in {NL}$ .

  • $\bar{\mathord{\mathtt{f}}}_1 = {\mathord{\mathtt{f}}} \cdot \bar {\mathord{\mathtt{f}}}'_1$ and $\bar{\mathord{\mathtt{f}}}_2 = {\mathord{\mathtt{f}}} \cdot \bar {\mathord{\mathtt{f}}}'_2$ . Then $\bar{\mathord{\mathtt{f}}}'_1 \neq \bar{\mathord{\mathtt{f}}}'_2$ and $l.{\mathord{\mathtt{f}}}$ is not linear. By inductive hypothesis, $\tau(l.{\mathord{\mathtt{f}}}) \in {NL}$ . Since $l \xrightarrow{}_\sigma l.{\mathord{\mathtt{f}}}$ then, by Proposition 29, $\tau(l) \rightarrow \tau(l.{\mathord{\mathtt{f}}})$ , hence $\tau(l) \in {NL}$ .

This concludes the proof.

Proposition 34. Given $\sigma \in \Sigma_\tau$ and $i \in I_\tau$ , if i is not linear in $\sigma$ , then $\tau(i) \in {NL}$ .

Proof. If i is not linear, then $\phi(i) \neq {\mathord{\mathtt{null}}}$ is not linear, hence, by Lemma 94 $\tau(\phi(i)) \in {NL}$ . Since by Proposition 21, $\tau(\phi(i)) \leq \tau(i)$ and NL is upward closed, then $\tau(i) \in {NL}$ .

A.2 Aliasing graphs and aliasing morphisms

The following proposition relates edges in aliasing graphs with reachability among classes.

Proposition 95. Given an aliasing graph G and nodes $n, m \in N$ , we have that:

  • if $n \xrightarrow{{\mathord{\mathtt{f}}}} m$ , then $\psi_G(n) \xrightarrow{ } \tau_G(m)$ ;

  • if there is a path from n to m, then $\tau_G(m) \in C(\tau_G(n))$ .

Proof. For the first point, if $n \xrightarrow{{\mathord{\mathtt{f}}}} m$ there is $v \in dom(\tau)$ such that $\ell(v)=n$ and $\ell(v.{\mathord{\mathtt{f}}})=m$ . By definition of $\tau$ , we have $\tau_G(m) \leq\tau(v.{\mathord{\mathtt{f}}})=\tau(v).{\mathord{\mathtt{f}}}$ . Moreover, $\psi_G(n) \leq \tau(v)$ . Since fields cannot be redefined in subclasses, $\tau(v).{\mathord{\mathtt{f}}} = \psi_G(n).{\mathord{\mathtt{f}}}$ , which proves the first point. The second point is an immediate corollary.

In the following, we show that $\ell(v.{\mathord{\mathtt{f}}})$ only depends on $\ell(v)$ and not on v itself.

Lemma 96. Given two aliasing graphs $G_1, G_2 \in \mathcal{G}_\tau$ , the following properties are true for every $h: G_1 \rightarrow G_2$ :

  • if $n \xrightarrow{{\mathord{\mathtt{f}}}} m \in E_1$ and $h(m) \neq \bot$ , then $h(n) \xrightarrow{{\mathord{\mathtt{f}}}} h(m)\in E_2$ ;

  • if $n \in N_1$ and $h(n) \neq \bot$ , then $\tau_{G_1}(n) \geq\tau_{G_2}(h(n))$ and $\psi_{G_1}(n) \geq\psi_{G_2}(h(n))$ ;

  • for each $n_2 \in N_2$ , there is $n_1 \in N_1$ s.t. $h(n_1)=n_2$ , $\tau_{G_1}(n_1) =\tau_{G_2}(n_2)$ and $\psi_{G_1}(n_1) =\psi_{G_2}(n_2)$ .

Proof. For the first point, let $n \xrightarrow{{\mathord{\mathtt{f}}}} m \in E_1$ . There exists $v \in dom(\tau)$ such that $\ell_1(v)=n$ and $\ell_1(v.{\mathord{\mathtt{f}}})=m$ . Composing with h, we have $\ell_2(v)=h(n)$ and $\ell_2(v.{\mathord{\mathtt{f}}})=h(m)$ . By definition of $\ell$ for qualified fields, since $h(m) \neq \bot$ then $h(n) \neq \bot$ , too. In turn, this means $h(n) \xrightarrow{{\mathord{\mathtt{f}}}} h(m) \in E_2$ .

For the second point, $\{i \in I_\tau \mid \ell_1(i)=n\} \subseteq\{i \in I_\tau \mid h(\ell_1(i))=h(n)\} = \{i \in I_\tau \mid \ell_2(i)=h(n)\}$ , and therefore $\tau_{G_2}(h(n)) \leq \tau_{G_1}(n)$ and $\psi_{G_1}(n) \geq\psi_{G_2}(h(n))$ .

For the last point, since $\tau(\ell_2^{-1}(n_2))$ is a chain, then $\tau_{G_2}(n_2)= \tau(i)$ for some $i \in I_\tau$ such that $\ell_2(i)=n_2$ . Let $n_1= \ell_1(i)$ , so that $h(n_1)=n_2$ . Obviously, $\tau_{G_1}(n_1) \leq \tau(i) = \tau_{G_2}(n_2)$ . The converse inequality comes from the previous point. The same holds for $\psi_{G_1}$ and $\psi_{G_2}$ .

Proposition 97. Given two aliasing graphs $G_1, G_2 \in \mathcal{G}_\tau$ , the following properties are true for every $h: G_1 \rightarrow G_2$ :

  • h is the unique morphism from $G_1$ to $G_2$ ;

  • h is surjective;

  • h is an isomorphism iff it is total and injective; the inverse morphism is $h^{-1}$ .

Proof. For the first point, assume $h': G_1 \rightarrow G_2$ . Then, for each node $n \in N_1$ , there is an identifier $i \in I_\tau$ such that $\ell_1(i)=n$ . Therefore, $h'(n)=h'(\ell_1(i)) = \ell_2(i) = h(\ell_1(i))= h(n)$ , that is, $h=h'$ . For the second point, given $n \in N_2$ , there is $i \in I_\tau$ such that $n =\ell_2(i)$ . Since $\ell_2(i)=h(\ell_1(i))$ , then n is in the range of h, hence h is surjective. The third point is straightforward.

Since by Proposition 97, there exists a single morphism h between aliasing graphs, it is natural to define a preorder $\sqsubseteq$ on $\mathcal{G}_\tau \times \mathcal{G}_\tau$ by

\begin{equation*}G_1 \sqsubseteq G_2 \iff \exists h: G_2 \rightarrow G_1 \text{ in } \mathcal{G}_\tau\end{equation*}

Lemma 98. Given two aliasing graphs $G_1, G_2 \in \mathcal{G}_\tau$ , $G_2 \sqsubseteq G_1$ , and $i \in I_\tau$ , if $\ell_2(i) \neq \bot$ then $\ell_2^{-1}(\ell_2(i)) \supseteq\ell_1^{-1}(\ell_1(i))$ .

Proof. Since $G_2 \sqsubseteq G_1$ , there exists a morphism $h: G_1 \rightarrow G_2$ . Assume $i \in I_\tau$ such that $\ell_2(i) \neq \bot$ . If $\ell_1(i) = n$ , then $\ell_2(i)=h(n)$ . Therefore, $\ell_2^{-1}(\ell_2(i))=\ell_2^{-1}(h(n)) = \ell_1^{-1}(h^{-1}(h(n))) \supseteq \ell_1^{-1}(n)=\ell_1^{-1}(\ell_1(i))$ , which is the claim.

Finally, it is possible to characterize the preorder between aliasing graphs without using the concept of morphism of graphs.

Theorem 99. Given $G_1, G_2 \in \mathcal{G}_\tau$ , we have $G_1 \sqsubseteq G_2$ iff $G_1 \preceq G_2$ .

Proof. Assume $G_1 \sqsubseteq G_2$ . By definition there exists $h: G_2 \rightarrow G_1$ . If $\ell_2(i)=\ell_2(i')$ , then $\ell_1(i)=h(\ell_2(i))=h(\ell_2(i'))=\ell_1(i')$ . Moreover, if $\ell_2(i)=\bot$ , then $\ell_1(i)=h(\ell_2(i))=\bot$ .

On the other side, assume $G_1 \preceq G_2$ . For each node $n \in N_2$ , there is $i \in I_\tau$ s.t. $\ell_2(i)=n$ . We let $h(n)=\ell_1(i)$ . This is well defined since if $\ell_2(j)=n$ , then $\ell_1(j)=\ell_1(i)$ . Moreover, it is a graph morphism. Given $i \in I_\tau$ , if $\ell_1(i)=n$ , then $h(\ell_2(i))=\ell_1(i)$ by the definition above. If $\ell_2(i)=\bot$ , then $\ell_1(i)=\bot$ , hence $h(\ell_2(i))=\ell_1(i)$ again.

Theorem 42. Given two aliasing graphs $G_1, G_2$ , there exists a morphism from $G_2$ to $G_1$ if and only if $G_1 \preceq G_2$ . Moreover, the morphism, when it exists, is unique.

Proof. The proof is straightforward by Proposition 97 and Theorem 99.

A.2.1 The lattice of aliasing graphs

First of all, we prove a characterization for least upper bounds.

Lemma 100. Let $G_1, G_2, G \in \mathcal{G}_\tau$ be such that $G_1 \preceq G$ , $G_2 \preceq G$ , with morphisms $h_1: G \rightarrow G_1$ and $h_2: G \rightarrow G_2$ . Then, G is the least upper bound of $G_1$ and $G_2$ if:

  • $\forall n,m \in N.~ (h_1(n)=h_1(m) \wedge h_2(n)=h_2(m)) \Rightarrow n=m$ ;

  • $\nexists n \in N.~ h_1(n)=h_2(n)=\bot$ .

Proof. First of all, observe that the existence of $h_1$ and $h_2$ follows by Theorem 99. Moreover, note that the two conditions are equivalent to $\forall n,m \in N\cup \{\bot\}.~(h_1(n)=h_1(m) \wedge h_2(n)=h_2(m)) \Rightarrow n=m$ . If the original conditions hold and there are $n,m \in N \cup \{\bot\}$ with $h_1(n)=h_1(m) \wedge h_2(n)=h_2(m)$ , we have that: either $n,m \in N$ , and the result follows immediately, or one among n and m is $\bot$ . Assume without loss of generality that $n=\bot$ . Then $h_1(m)=h_2(m)=\bot$ which implies $m=\bot$ by hypothesis, hence $n=m$ . Conversely, if the condition stated above holds and $h_1(n)=h_2(n)=\bot$ , then $h_1(n)=h_1(\bot)$ and $h_2(n)=h_2(\bot)$ , hence $n=\bot$ .

Now, assume this property holds; we prove that G is the least upper bound. Let $G'$ be such that $G_1 \preceq G'$ and $G_2 \preceq G'$ with corresponding morphisms $h'_1$ and $h'_2$ . We need to build a morphism $h: G' \rightarrow G$ . For each $n \in N'$ , consider a qualified identifier $i \in I_\tau$ such that $\ell'(i)=n$ and define $h(n)=\ell(i)$ . We prove that h is well defined and that it is a morphism. Assume there are $i', i$ with $i' \neq i$ , $\ell'(i)=\ell'(i')=n$ . Then $\ell_1(i)=\ell_1(i')$ and $\ell_2(i)=\ell_2(i')$ , that is, $h_1(\ell(i))=h_1(\ell(i'))$ and $h_2(\ell(i))=h_2(\ell(i'))$ . By the alternative formulation of the hypothesis, this implies $\ell(i)=\ell(i')$ . Therefore, h is well defined.

Now, we prove $\ell(i)=h(\ell'(i))$ for each $i \in I_\tau$ . If $\ell'(i) \in N'$ , this is immediate, since $h(\ell'(i))$ is $\ell(i')$ for some identifier $i'$ such that $\ell(i')=\ell(i)$ . Obviously $i'=i$ is a good choice, hence $\ell(i)=h(\ell'(i))$ . If $\ell'(i)=\bot$ , then $\ell_1(i)=\ell_2(i)=\bot$ hence $h_1(\ell(i)) = h_2(\ell(i))=\bot$ . By hypothesis, $\ell(i)=\bot =h(\ell'(i))$ .

Then, using this characterization, we prove that $G_1 \curlyvee G_2$ in Definition 44 is the least upper bound of $G_1$ and $G_2$ .

Theorem 101. The aliasing graph $G_1 \curlyvee G_2$ is the least upper bound of $G_1$ and $G_2$ .

Proof. ($G$ is a pre-aliasing graph.) First of all, we prove that $G = G_1 \curlyvee G_2$ is a pre-aliasing graph. Given $S_1 \in N$ and ${\mathord{\mathtt{f}}} \in \mathord{\mathit{Ide}}$ , assume that there are $S_2, S'_2$ in N such that $S_1 \xrightarrow{{\mathord{\mathtt{f}}}} S_2$ and $S_1 \xrightarrow{{\mathord{\mathtt{f}}}} S'_2$ . This means there are $v, w \in S_1 \cap \mathord{\mathit{Ide}}$ such that $v \sim w$ , $v.{\mathord{\mathtt{f}}} \in S_2$ and $w.{\mathord{\mathtt{f}}} \in S'_2$ . We need to prove that $S_2 = S'_2$ . Since $v \sim w$ then $\ell_1(v)=\ell_1(w)$ and $\ell_2(v)=\ell_2(w)$ , which implies $\ell_1(v.{\mathord{\mathtt{f}}})=\ell_1(w.{\mathord{\mathtt{f}}})$ , $\ell_2(v.{\mathord{\mathtt{f}}})=\ell_2(w.{\mathord{\mathtt{f}}})$ and in turn, $v.{\mathord{\mathtt{f}}} \sim w.{\mathord{\mathtt{f}}}$ , that is, $S_2 = S'_2$ . Now assume there are $S_1, S_2 \in N$ and ${\mathord{\mathtt{f}}} \in \mathord{\mathit{Ide}}$ with $S_1 \xrightarrow{{\mathord{\mathtt{f}}}} S_2$ . By construction of G, there is $v \in S_1$ s.t. $v.{\mathord{\mathtt{f}}} \in S_2$ . This implies $v \in \mathord{\mathit{Ide}}$ , $v.{\mathord{\mathtt{f}}} \in Q_\tau$ and $\ell(v)=[v]_\sim = S_1$ , proving that the second condition in Definition 35 holds.

(A small lemma.) Note that $\ell(i)=[i]_\sim$ for any $i \in X$ and $\ell(i)=\bot$ otherwise. This happens by definition when $i \in \mathord{\mathit{Ide}}$ , hence we only need to prove the property for $i=v.{\mathord{\mathtt{f}}} \in Q_\tau$ . When $v.{\mathord{\mathtt{f}}} \in X$ , then $v \in X$ and $[v]_\sim \xrightarrow{{\mathord{\mathtt{f}}}} [v.{\mathord{\mathtt{f}}}]_\sim$ , hence $\ell(v)=[v]_\sim$ and $\ell(v.{\mathord{\mathtt{f}}}) = [v.{\mathord{\mathtt{f}}}]_\sim$ . When $v\notin X$ , then $\ell(v)=\bot$ and $\ell(v.{\mathord{\mathtt{f}}})=\bot$ , too. If $v \in X$ but $v.{\mathord{\mathtt{f}}} \notin X$ , we should prove $\ell(v.{\mathord{\mathtt{f}}})=\bot$ . For the sake of contradiction, assume $\ell(v.{\mathord{\mathtt{f}}})=S$ , that is, there is an arrow $\ell(v)=[v]_\sim \xrightarrow{{\mathord{\mathtt{f}}}} S$ . This means there is $w \in \mathord{\mathit{Ide}}$ such that $w \sim v$ , $w \neq v$ and $w.{\mathord{\mathtt{f}}} \in S$ . Since $w.{\mathord{\mathtt{f}}} \in X$ , then $\ell_1(w.{\mathord{\mathtt{f}}}) \neq \bot \neq \ell_2(w.{\mathord{\mathtt{f}}})$ . But since $v \sim w$ , then $\ell_1(v)=\ell_1(w)$ and $\ell_1(v.{\mathord{\mathtt{f}}})=\ell_1(w.{\mathord{\mathtt{f}}}) \neq \bot$ . The same holds for $\ell_2(v.{\mathord{\mathtt{f}}})$ . Therefore, $v.{\mathord{\mathtt{f}}} \in X$ , which is a contradiction.

Now we prove that G is an aliasing graph. Given $S \in N$ , we need to check that $\{\tau(i) \mid i \in I_\tau \wedge \ell(i)=S\}$ is a chain. Let $i_1, i_2 \in I_\tau$ such that $\ell(i_1)=\ell(i_2) = S$ . Since by the previous small lemma $\ell(i_1)=[i_1]_\sim$ and $\ell(i_2)=[i_2]_\sim$ , we have $\ell_1(i_1)=\ell_1(i_2) \in N_1$ , which means that $\tau(i_1)$ and $\tau(i_2)$ are comparable, since $G_1$ is an aliasing graph.

($G$ is the least upper bound of $G_1$ and $G_2$ .) Finally, we prove that G is the least upper bound of $G_1$ and $G_2$ . Consider the map $h_1: N \rightarrow N_1$ such that $h_1([i]_\sim)=\ell_1(i)$ for any $[i]_\sim \in N$ . If $i \in X$ , then $h_1(\ell(i))=h_1([i]_\sim)=\ell_1(i)$ , otherwise $i \notin \ell_1^{-1}(N_1)$ , hence $h_1(\ell(i))=\bot=\ell_1(i)$ . This means that $h_1: G \rightarrow G_1$ . The same holds for $h_2: G \rightarrow G_2$ . Now, if $h_1([i]_\sim)= h_1([i']_\sim)$ and $h_2([i]_\sim)= h_2([i']_\sim)$ , then $\ell_1(i)=\ell_1(i')$ and $\ell_2(i)=\ell_2(i')$ hence $i \sim i'$ and $[i]_\sim= [i']_\sim$ . Moreover, for each $[i]_{\sim}$ , either $h_1([i]_\sim) =\ell_1(i) \in N_1$ or $h_2([i]_\sim) = \ell_2(i) \in N_2$ . By Lemma 100, it follows that G is the least upper bound of $G_1$ and $G_2$ .
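The construction in the proof of Theorem 101, together with the characterization of $\preceq$ in Theorem 99 and the criterion of Lemma 100, can be exercised on small graphs. The following Python code is an added example, not the paper's code. It assumes an encoding in which $I_\tau$ is fixed up front (variables as strings, a qualified identifier $v.{\mathord{\mathtt{f}}}$ as the pair `(v, f)`) and an aliasing graph is given by its labelling $\ell$ alone, with `None` for $\bot$, the edges $\ell(v) \xrightarrow{{\mathord{\mathtt{f}}}} \ell(v.{\mathord{\mathtt{f}}})$ being implied; class information (the chain condition) is omitted. Since Definition 44 is not reproduced on this page, the least upper bound is reconstructed from the proof above: $i \sim j$ iff $\ell_1$ and $\ell_2$ both agree on $i$ and $j$, the nodes are the classes $[i]_\sim$ of the identifiers labelled in at least one of the two graphs, and every other identifier is labelled $\bot$. The functions `is_pre_aliasing`, `preceq`, `lub`, `lemma100_holds` and the sample graphs `G1`, `G2` are ours.

```python
"""Aliasing graphs as labelling maps, the order of Theorem 99 and the least
upper bound of Theorem 101.  Added example, not the paper's code.

Assumed encoding: I_tau is a fixed list (variables as strings, v.f as the
pair (v, f)); a graph is its labelling ell: I_tau -> nodes, None for
bottom.  The lub is reconstructed from the proof of Theorem 101, since
Definition 44 is not reproduced here.
"""
from itertools import product

BOT = None


def is_pre_aliasing(idents, ell):
    """What a labelling must satisfy to describe a pre-aliasing graph: a labelled v.f
    has a labelled v, and identifiers with the same label agree on every field."""
    qualified = [i for i in idents if isinstance(i, tuple)]
    if any(ell[(v, f)] is not BOT and ell[v] is BOT for v, f in qualified):
        return False
    for (v, f), (w, g) in product(qualified, repeat=2):
        if f == g and ell[v] is not BOT and ell[v] == ell[w] and ell[(v, f)] != ell[(w, g)]:
            return False
    return True


def preceq(idents, ell1, ell2):
    """G1 preceq G2 as characterised by Theorem 99: whatever G2 identifies, G1
    identifies, and whatever G2 labels bottom, G1 labels bottom."""
    identifies = all(ell1[i] == ell1[j]
                     for i, j in product(idents, repeat=2) if ell2[i] == ell2[j])
    nulls = all(ell1[i] is BOT for i in idents if ell2[i] is BOT)
    return identifies and nulls


def lub(idents, ell1, ell2):
    """G1 curlyvee G2: the node of i is its class under i ~ j iff ell1(i) = ell1(j)
    and ell2(i) = ell2(j); identifiers bottom in both graphs stay bottom."""
    ell = {}
    for i in idents:
        if ell1[i] is BOT and ell2[i] is BOT:
            ell[i] = BOT
        else:
            ell[i] = frozenset(j for j in idents
                               if ell1[j] == ell1[i] and ell2[j] == ell2[i])
    return ell


def lemma100_holds(idents, ell, ell1, ell2):
    """Lemma 100 with h_k([i]) = ell_k(i): the pair (h1, h2) separates distinct
    nodes, and no node is sent to bottom by both h1 and h2."""
    nodes = {ell[i] for i in idents if ell[i] is not BOT}
    images = {}
    for n in nodes:
        i = next(iter(n))  # any member: all members of a class agree on ell1, ell2
        images[n] = (ell1[i], ell2[i])
    if any(im == (BOT, BOT) for im in images.values()):
        return False
    return len(set(images.values())) == len(nodes)


# Constructed identifiers: variables x, y, z, each with a single field "next".
IDENTS = ["x", "y", "z", ("x", "next"), ("y", "next"), ("z", "next")]
# G1: x and y alias one object (so their next fields alias too); z is non-null
# with a null next field.
G1 = {"x": "n1", "y": "n1", "z": "n3",
      ("x", "next"): "n2", ("y", "next"): "n2", ("z", "next"): BOT}
# G2: x and y are distinct objects whose next fields alias; z is null.
G2 = {"x": "a", "y": "b", "z": BOT,
      ("x", "next"): "c", ("y", "next"): "c", ("z", "next"): BOT}

if __name__ == "__main__":
    G = lub(IDENTS, G1, G2)
    for i in IDENTS:
        print(i, "->", "bottom" if G[i] is BOT else sorted(map(str, G[i])))
```

`G1` and `G2` are incomparable: `G2` separates `x` from `y`, which `G1` identifies, while `G1` labels `z`, which `G2` sends to $\bot$. Their least upper bound therefore separates `x` and `y`, keeps `z` labelled, keeps the alias between `x.next` and `y.next` that both graphs share, and sends `z.next` to $\bot$ because both graphs do; it lies above both inputs and below the top element of Theorem 48 (the identity labelling), and it satisfies the two conditions of Lemma 100.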

Now, we prove that $G_1 \curlywedge G_2$ in Definition 46 is the greatest lower bound of $G_1$ and $G_2$ .

Theorem 102. The aliasing graph $G_1 \curlywedge G_2$ is the greatest lower bound of $G_1$ and $G_2$ .

Proof. Let $G = G_1 \curlywedge G_2$ . The following holds:

($G$ is a pre-aliasing graph.) First, we have to prove that $\forall S \in N, \forall {\mathord{\mathtt{f}}} \in \mathord{\mathit{Ide}}$ , there is at most one outgoing edge from S labeled by ${\mathord{\mathtt{f}}}$ . Let $S_1 \in N$ and assume there are edges $S_1 \xrightarrow{{\mathord{\mathtt{f}}}} S_2 $ and $S_1 \xrightarrow{{\mathord{\mathtt{f}}}} S_3 \in E$ . By construction there are $v,w \in S_1$ s.t. $ S_2= [v.{\mathord{\mathtt{f}}} ]_\sim$ and $ S_3= [w.{\mathord{\mathtt{f}}} ]_\sim$ . By definition of G, there is a sequence $v=i_1 \sim \cdots \sim i_t =w$ such that $\ell_1(i_s) =\ell_1(i_{s+1})$ or $\ell_2(i_s) =\ell_2(i_{s+1})$ for each $s \in \{1, \ldots, t-1\}$ . Then, for each $s \in \{1, \ldots, t-1\}$ , either $\ell_1(i_s.{\mathord{\mathtt{f}}}) =\ell_1(i_{s+1}.{\mathord{\mathtt{f}}})$ or $\ell_2(i_s.{\mathord{\mathtt{f}}}) =\ell_2(i_{s+1}.{\mathord{\mathtt{f}}})$ . By definition of $\sim$ , we have that $v.{\mathord{\mathtt{f}}} \sim w.{\mathord{\mathtt{f}}}$ . Therefore, $S_2 = [v.{\mathord{\mathtt{f}}}]_\sim =[w.{\mathord{\mathtt{f}}}]_\sim = S_3$ .

Now, we have to prove that $\forall S_1, S_2 \in N, \forall {\mathord{\mathtt{f}}} \in \mathord{\mathit{Ide}}$ , if $S_1 \xrightarrow{{\mathord{\mathtt{f}}}} S_2$ there exists $v \in dom(\tau)$ such that $\ell(v)=S_1$ and $v.{\mathord{\mathtt{f}}} \in Q_\tau$ . Let $S_1, S_2 \in N$ and let ${\mathord{\mathtt{f}}} \in \mathord{\mathit{Ide}}$ such that $S_1 \xrightarrow{{\mathord{\mathtt{f}}}} S_2$ . By construction, there exists $v \in S_1$ s.t. $v.{\mathord{\mathtt{f}}} \in S_2$ . Obviously, $S_1 = [v]_\sim = \ell(v)$ . Moreover $S_2 =[v.{\mathord{\mathtt{f}}}]_\sim \in N$ and therefore $v.{\mathord{\mathtt{f}}} \in [v.{\mathord{\mathtt{f}}}]_\sim \subseteq \ell_1^{-1}(N_1) \cap \ell_2^{-1}(N_2) \subseteq Q_\tau$ .

(A small lemma.) Note that $\ell(i)=[i]_\sim$ for any $[i]_\sim \in N$ and $\ell(i)=\bot$ otherwise. The proof is analogous to the one for $\curlyvee$ , hence it is omitted here.

We have to prove that for each $S \in N$ , the set $\{ \tau(i) \mid i \in I_\tau \wedge \ell(i)=S \}$ is a nonempty chain. By construction, for each $S \in N$ there exists $j \in I_\tau$ such that $S=[j]_\sim$ and $\tau([j]_\sim)$ is a chain. Note that $\tau([j]_\sim) = \{ \tau(i) \mid i \in I_\tau \wedge i \sim j\}$ . By the previous small lemma, $\tau([j]_\sim) = \{ \tau(i) \mid i \in I_\tau \wedge \ell(i) = \ell(j)\} = \{ \tau(i) \mid i \in I_\tau \wedge \ell(i) = S\}$ , which is the required property.

($G$ is a lower bound of $G_1$ and $G_2$ .) Let us consider the map $h_1: N_1 \rightarrow N$ such that $h_1(n_1)=[i]_\sim$ if $i \in I_\tau$ , $\ell_1(i)=n_1$ and $[i]_{\sim} \in N$ , and $h_1(n_1)=\bot$ otherwise. First, we prove that $h_1$ is well defined. Let $j \in I_\tau$ such that $\ell_1(j)=n_1$ . By definition, $i\sim j$ and therefore $[i]_\sim=[j]_\sim \in N$ . Moreover, note that $h_1(\ell_1(i))= [i]_\sim=\ell(i)$ both when $[i]_\sim \in N$ and $[i]_\sim \notin N$ . Therefore, $h_1: G_1 \rightarrow G$ . The same holds for $h_2: G_2 \rightarrow G$ .

($G$ is the greatest lower bound of $G_1$ and $G_2$ .) Let $G' \in \mathcal{G}_\tau$ and assume that $G' \preceq G_1$ and $G' \preceq G_2$ with the corresponding morphisms $h'_1$ and $h'_2$ (by Theorem 99).

First of all, observe that for each $i,j \in I_\tau$

(A1) \begin{equation}[i]_\sim=[j]_\sim \Rightarrow \ell'(i) =\ell'(j) \enspace .\end{equation}

In fact, if $[i]_\sim=[j]_\sim $ , there is a sequence $i=i_1 \sim \cdots \sim i_t = j$ such that $\ell_1(i_s) =\ell_1(i_{s+1})$ or $\ell_2(i_s) =\ell_2(i_{s+1})$ for each $s \in \{1, \ldots, t-1\}$ . If $\ell_1(i_s) =\ell_1(i_{s+1})$ , then $\ell'(i_s) = h'_1(\ell_1(i_s)) = h'_1(\ell_1(i_{s+1}))= \ell'(i_{s+1})$ . Analogously if $\ell_2(i_s) =\ell_2(i_{s+1})$ . As a result, we have $\ell'(i) =\ell'(j)$ . Note that this implies:

(A2) \begin{equation}\{j \mid j \in I_\tau \wedge \ell(j)=\ell(i) \neq \bot\}\subseteq \{j \mid j \in I_\tau \wedge \ell'(j)=\ell'(i)\} \enspace .\end{equation}

We need to build a morphism $h':G \rightarrow G'$ . For each $S \in N$ , consider a qualified identifier $i \in I_\tau$ such that $\ell(i)=[i]_\sim = S$ and we define $h'(S)=\ell'(i)$ . We only need to prove that $h'$ is well defined and that it is a morphism. Assume there is $j \in I_\tau$ , with $j \neq i$ and $\ell(j)=[j]_\sim = S$ . By (A1), we have $\ell'(i) =\ell'(j)$ and therefore $h'$ is well defined.

Now, we prove that $\ell'(i)=h'(\ell(i))$ . If $\ell(i) \in N$ , this is immediate, since $h'(\ell(i))$ is $\ell'(i')$ for some identifier $i'$ such that $\ell(i)=\ell(i')$ . Obviously $i'=i$ is a good choice, hence $\ell'(i)=h'(\ell(i))$ . If $\ell(i)=\bot$ , the proof is by contradiction. Assume that $\ell'(i)=n'\neq \bot$ .

Since $\ell(i)=\bot$ , we have one of the following possibilities:

  • $\tau([i]_\sim)$ is not a chain. In this case, by (A2), $ \tau([i]_\sim) \subseteq\{\tau(j)\mid j \in I_\tau \wedge \ell'(j)=n'\}$ . Therefore, $\{\tau(j)\mid j \in I_\tau \wedge \ell'(j)=n'\}$ is not a chain and this contradicts the fact that $G'$ is an aliasing graph.

  • $[i]_{\sim} \not \subseteq \ell_1^{-1}(N_1) \cap \ell_2^{-1}(N_2)$ . In this case, by (A2), $\{j \mid j \in I_\tau \wedge \ell'(j)=n'\} \not \subseteq \ell_1^{-1}(N_1) \cap \ell_2^{-1}(N_2)$ . This means that there exists $j \in I_\tau$ such that $\ell'(j)=n'$ and $\ell_1(j)= \bot$ or $ \ell_2(j)=\bot$ . Now, we have a contradiction, since by definition of morphism and by Theorem 99 either $G' \not \preceq G_1$ or $G' \not \preceq G_2$ .

  • $[v.{\mathord{\mathtt{f}}}]_\sim =[i]_\sim$ and $[v]_\sim \notin N$ . We define

      • $X_0 = \{[i]_\sim \mid i \in I_\tau, \tau([i]_\sim) \text{ is a chain and } [i]_{\sim} \subseteq \ell_1^{-1}(N_1) \cap \ell_2^{-1}(N_2)\}$ ;

      • $X_{n+1}= X_n \setminus \{[v.{\mathord{\mathtt{f}}}]_\sim \in X_n \mid [v]_\sim \notin X_n\}.$

    By definition and since $I_\tau$ is finite, there exists $m \geq 0$ such that $N = \bigcap _{n \leq m} X_n$ . Since $[v]_\sim \notin N$ , there exists a least $n \leq m$ such that $[v]_\sim \notin X_n$ . Now the proof is by induction on n.

      • $[v]_\sim \notin X_0$ . By the previous points, $\ell'(v)=\bot$ and therefore $\ell'(v.{\mathord{\mathtt{f}}})=\bot$ .

      • $[v]_\sim \notin X_{n+1}$ . Since $[v]_\sim \in X_{n}$ there exists $w \in dom(\tau)$ such that $[w.{\mathord{\mathtt{f}}}']_\sim =[v]_\sim$ and $[w]_\sim \notin X_{n}$ . By inductive hypothesis $\ell'(w)=\bot$ and therefore $\ell'(w.{\mathord{\mathtt{f}}}')=\bot$ . Then by (A1), $\ell'(v)=\ell'(w.{\mathord{\mathtt{f}}}')=\bot$ , $\ell'(i) = \ell'(v.{\mathord{\mathtt{f}}})=\bot$ and we have a contradiction.

Theorem 48. The preordered set $(\mathcal{G}_\tau, \preceq)$ has

  • a least element $\bot_\tau = \emptyset \mathbin{\star} \emptyset \mathbin{\star} \bot$ where $\bot$ is the always undefined map;

  • a greatest element $\top_\tau = I_\tau \mathbin{\star} E \mathbin{\star} {id}$ where $n_1 \xrightarrow{{\mathord{\mathtt{f}}}} n_2 \in E \iff n_1 = v \in dom(\tau) \wedge n_2= v.{\mathord{\mathtt{f}}} \in Q_\tau$ ;

  • a least upper bound $G_1 \curlyvee G_2$ for each $G_1, G_2 \in \mathcal{G}_\tau$ ;

  • a greatest lower bound $G_1 \curlywedge G_2$ for each $G_1, G_2 \in \mathcal{G}_\tau$ .

Proof. Immediately follows by Theorems 101 and 102.

A.2.2 Projection and propagation of nullness for aliasing graphs

Lemma 103. If G is a pre-aliasing graph and $X\subseteq N$ , then $G|_X$ is a pre-aliasing graph.

Proof. Assume G is a pre-aliasing graph. In $G|_X$ , the first condition for pre-aliasing graph is trivially respected, since projection does not introduce any new edge. The second condition is also respected, since no new edges are introduced and labels for nodes in X are preserved. Therefore, $G|_X$ is a pre-aliasing graph.

Proposition 50. If $G \in \mathcal{G}_\tau$ and $X \subseteq N$ is backward closed, then $G|_X \in \mathcal{G}_\tau$ . Moreover, for each $n \in X$ , $\tau_{G|_X}(n)= \tau_G(n)$ and $\psi_{G|_X}(n) = \psi_G(n)$ .

Proof. Let $G|_X = X \mathbin{\star} E' \mathbin{\star} \ell'$ . First of all, $G|_X$ is a pre-aliasing graph by Lemma 103. Now consider $n \in X$ and the set $Y = \{ \tau(i) \mid i \in I_\tau \wedge \ell'(i)=n \}$ . Note that, for each $i \in I_\tau$ , $\ell(i) = n$ iff $\ell'(i)=n$ . This is obvious when i is a variable simply by definition of $\ell'$ . If $i=v.{\mathord{\mathtt{f}}}$ and $\ell(i)=n$ , then there is $m \in N$ such that $\ell(v)=m$ and $m \xrightarrow{{\mathord{\mathtt{f}}}} n \in E$ . Since X is backward closed, then $m \in X$ , hence $\ell'(v)=m$ , $m \xrightarrow{{\mathord{\mathtt{f}}}} n \in E'$ and $\ell'(i) = n$ . On the converse, if $\ell'(i)=n$ , then $\ell(i)=n$ follows trivially by definition of $\ell'$ .

Therefore, $Y = \{ \tau(i) \mid i \in I_\tau \wedge \ell(i)=n \}$ and it is a nonempty chain since G is an aliasing graph. Then $G|_X$ is an aliasing graph and $\tau_{G|_X}(n)= \tau_G(n)$ for each $n \in X$ . In the same way, $\psi_{G|_X}(n)= \psi_G(n)$ for each $n \in X$ .

Proposition 51. If G is a pre-aliasing graph and $X \subseteq N$ is backward closed, then $G|_X \preceq G$ .

Proof. Let $G|_X = X \mathbin{\star} E' \mathbin{\star} \ell'$ . Consider the partial map $h: N \nrightarrow X$ which is the identity on X and undefined on $N \setminus X$ . We show $h: G \to G|_X$ is a morphism.

Let i be an identifier. If i is a variable v and $\ell'(i)=\bot$ , then $\ell(i) \notin X$ , hence $h(\ell(i))=\bot = \ell'(i)$ . If $\ell'(i)=n$ , then $n \in X$ , and $h(\ell(i))=h(n)=n= \ell'(i)$ . If i is the qualified identifier $v.{\mathord{\mathtt{f}}}$ , consider the following cases:

  • $\ell(v) \notin X$ : Since X is backward closed, $\ell(i) \notin X$ . Therefore, $h(\ell(i))= \bot = \ell'(v).{\mathord{\mathtt{f}}} = \ell'(i)$ .

  • $\ell(v) \in X$ and $\ell(v.{\mathord{\mathtt{f}}}) \notin X$ : Then $\ell(v)=\ell'(v)=n \in X$ , $\ell(v.{\mathord{\mathtt{f}}}) = m \notin X$ and $n \xrightarrow{{\mathord{\mathtt{f}}}} m \in E$ . By definition of $E'$ , there is no outgoing edge from n labeled by ${\mathord{\mathtt{f}}}$ in $G|_X$ , so $\ell'(v.{\mathord{\mathtt{f}}})=\bot$ . Hence, $h(\ell(v.{\mathord{\mathtt{f}}}))= h(m) = \bot = \ell'(v.{\mathord{\mathtt{f}}})$ .

  • $\ell(v) \in X$ and $\ell(v.{\mathord{\mathtt{f}}}) \in X$ : Then $\ell(v)=\ell'(v)=n \in X$ , $\ell(v.{\mathord{\mathtt{f}}}) = m \in X$ and $n \xrightarrow{{\mathord{\mathtt{f}}}} m \in E$ . By definition of $E'$ , $n \xrightarrow{{\mathord{\mathtt{f}}}} m \in E'$ , hence $\ell'(v.{\mathord{\mathtt{f}}})=m$ . Therefore, $h(\ell(v.{\mathord{\mathtt{f}}})) = h(m) = m = \ell'(v.{\mathord{\mathtt{f}}})$ .

A.2.3 The domain of aliasing graphs

The following propositions show that the abstraction of a concrete state is an aliasing graph and that each aliasing graph can be viewed as the abstraction of a concrete state.

Proposition 53. Given $\sigma = \phi \mathbin{\star} \mu \in \Sigma_\tau$ , $G = \alpha_a(\sigma)$ is an aliasing graph and, for each $i \in I_\tau$ , $\ell(i)=\phi(i)$ if $\phi(i) \neq{\mathord{\mathtt{null}}}$ , $\ell(i)=\bot$ otherwise.

Proof. First of all, we prove G is a pre-aliasing graph. If $l \xrightarrow{{\mathord{\mathtt{f}}}} l'$ and $l\xrightarrow{{\mathord{\mathtt{f}}}} l''$ , then $l.{\mathord{\mathtt{f}}} = l' = l''$ , hence $l'=l''$ . Moreover, there exists $v \in dom(\tau)$ s.t. $\ell(v)=l$ and $v.{\mathord{\mathtt{f}}} \in Q_\tau$ .

Now we prove $\ell(i)=\phi(i)$ for each $i \in I_\tau$ (modulo the fact that ${\mathord{\mathtt{null}}}$ corresponds to $\bot$ ). If $i \in dom(\tau)$ , the thesis follows directly by definition. Otherwise $i = v.{\mathord{\mathtt{f}}}$ . If $\phi(v)={\mathord{\mathtt{null}}}$ , we have $\phi(v.{\mathord{\mathtt{f}}})={\mathord{\mathtt{null}}}$ , $\ell(v)=\ell(v.{\mathord{\mathtt{f}}})=\bot$ . If $\phi(v)=l \neq {\mathord{\mathtt{null}}}$ , then $\phi(v.{\mathord{\mathtt{f}}})=\phi(v).{\mathord{\mathtt{f}}}=l.{\mathord{\mathtt{f}}}$ . Then $\ell(v) = l$ , $l \xrightarrow{{\mathord{\mathtt{f}}}} l.{\mathord{\mathtt{f}}} \in E$ , and $\ell(v.{\mathord{\mathtt{f}}})=l.{\mathord{\mathtt{f}}}=\phi(v.{\mathord{\mathtt{f}}})$ if and only if $\phi(v.{\mathord{\mathtt{f}}}) \neq {\mathord{\mathtt{null}}}$ .

Finally, we prove that G is an aliasing graph. Given a node l, we consider the set $\tau(\ell^{-1}(l)) = \tau(\{i \in I_\tau \mid \ell(i)=l\})=\tau(\{ i \in I_\tau \mid \phi(i)=l \})$ . By Proposition 21, we have that $\tau(i) \geq\tau(\phi(i))$ for each i such that $\phi(i) \neq {\mathord{\mathtt{null}}}$ . Therefore, $\kappa\in \tau(\ell^{-1}(l))$ implies $\kappa \geq \tau(l)$ . Since we do not allow multiple inheritance, this means $\tau(\ell^{-1}(l))$ is a chain.

Proposition 54. Given $G \in \mathcal{G}_\tau$ , there exists $\sigma \in \Sigma_\tau$ s.t. $\alpha_a(\sigma)$ and G are equivalent, that is, $\alpha_a(\sigma) \sim~G$ .

Proof. Let $L$ be a set of locations with the same cardinality as $N$ , and let $\iota: N \rightarrow L$ be a bijective map. Consider the state $\sigma =\phi \mathbin{\star} \mu$ such that $dom(\mu) = L$ and:

  • for each $v \in dom(\tau)$ , if $\ell(v)=n$ , then $\phi(v)=\iota(n)$ , otherwise $\phi(v) = {\mathord{\mathtt{null}}}$ ;

  • for each $n \in N$ , $\mu(\iota(n)) = \kappa_n \mathbin{\star} \phi_n$ where $\kappa_n = \tau_G(n)$ ;

  • for each $n \in N$ and ${\mathord{\mathtt{f}}} \in dom(\kappa_n)$ , if there is $n' \in N$ such that $n \xrightarrow{{\mathord{\mathtt{f}}}} n' \in E$ , then $\phi_n({\mathord{\mathtt{f}}}) = \iota(n')$ , otherwise $\phi_n({\mathord{\mathtt{f}}})={\mathord{\mathtt{null}}}$ .

It is easy to check that $\sigma \in \Sigma_{\tau}$ . Let $G' = \alpha_a(\sigma)$ ; we prove that $\iota: G \rightarrow G'$ is an isomorphism. Since $\iota$ is total and injective, by Proposition 97 it is enough to prove that $\iota$ is a graph morphism. In turn, this means proving that, for each identifier $i \in I_\tau$ , $\iota(\ell(i))=\ell'(i)=\phi(i)$ when $\phi(i)\neq {\mathord{\mathtt{null}}}$ and $\iota(\ell(i))=\bot$ when $\phi(i)={\mathord{\mathtt{null}}}$ .

  • for each $v \in dom(\tau)$ , if $\ell(v)=n$ , then $\phi(v)=\iota(n)$ , hence $\iota(\ell(v))=\phi(v)$ . Otherwise, if $\ell(v)=\bot$ then $\phi(v)={\mathord{\mathtt{null}}}$ and $\iota(\ell(v))=\bot$ ;

  • for each $v.{\mathord{\mathtt{f}}} \in Q_\tau$ such that $\ell(v.{\mathord{\mathtt{f}}})=n' \neq \bot$ , then $\ell(v) = n \neq \bot$ and $n \xrightarrow{{\mathord{\mathtt{f}}}} n' \in E$ . Since both $n, n' \in N$ and $\phi(v)=\iota(n)$ , we have $\phi_n({\mathord{\mathtt{f}}})=\iota(n')$ , that is, $\phi(v.{\mathord{\mathtt{f}}})=\mu(\iota(n)).\phi({\mathord{\mathtt{f}}}) =\phi_n({\mathord{\mathtt{f}}})=\iota(n')=\iota(\ell(v.{\mathord{\mathtt{f}}}))$ ;

  • for each $v.{\mathord{\mathtt{f}}} \in Q_\tau$ such that $\ell(v.{\mathord{\mathtt{f}}})=\bot$ , either $\ell(v)=\bot$ or $\ell(v)=n \neq \bot$ . In the first case, $\phi(v)={\mathord{\mathtt{null}}}$ , hence $\phi(v.{\mathord{\mathtt{f}}})={\mathord{\mathtt{null}}}$ . Otherwise, there is no $n'$ such that $n \xrightarrow{{\mathord{\mathtt{f}}}} n'$ , which means $\phi(v.{\mathord{\mathtt{f}}})=\phi_n({\mathord{\mathtt{f}}})={\mathord{\mathtt{null}}}$ .

Theorem 55. The preorder $\preceq$ is the same preorder induced by $\gamma_a$ , that is, given $G_1, G_2 \in \mathcal{G}_\tau$ , $G_1\preceq G_2$ iff $\gamma_a(G_1) \subseteq \gamma_a(G_2)$ .

Proof. That $G_1 \preceq G_2$ implies $\gamma_a(G_1) \subseteq \gamma_a(G_2)$ is trivial. Conversely, assume $\gamma_a(G_1) \subseteq \gamma_a(G_2)$ and consider a state $\sigma$ such that $\alpha_a(\sigma) \sim G_1$ (it exists by Proposition 54). Since $\alpha_a(\sigma) \preceq G_1$ we have $\sigma \in \gamma_a(G_1) \subseteq \gamma_a(G_2)$ , that is, $\alpha_a(\sigma) \preceq G_2$ . By $G_1 \preceq \alpha_a(\sigma)$ , we have the required result $G_1 \preceq G_2$ .

A.3 $\mathsf{ALPS}$ graphs

We begin by proving that $\preceq$ is a preorder on $\mathsf{ALPS}$ -graphs.

Proposition 57. Pre- $\mathsf{ALPS}$ graphs are preordered by the relation $\preceq$ defined as:

\begin{equation*}\begin{split}\mathbb{G}_1 \preceq \mathbb{G}_2 \iff &G_1 \preceq G_2 \text{ and } \forall i \in I_\tau. \ \ell_1(i) \in \mathit{nl}_1 \Rightarrow \ell_2(i) \in \mathit{nl}_2\text{ and }\\&\quad \forall i,j \in I_\tau. \ \{\ell_1(i), \ell_1(j)\} \in \mathit{sh}_1 \Rightarrow \{\ell_2(i), \ell_2(j)\} \in \mathit{sh}_2 \enspace .\end{split}\end{equation*}

Proof. Reflexivity is trivial. Assume now $\mathbb{G}_1 \preceq \mathbb{G}_2$ and $\mathbb{G}_2 \preceq \mathbb{G}_3$ . By definition $G_1 \preceq G_2$ and $G_2 \preceq G_3$ and since $\preceq$ is a preorder on aliasing graphs, we have that $G_1 \preceq G_3$ . Moreover, $\ell_1(i) \in \mathit{nl}_1 \Rightarrow \ell_2(i) \in \mathit{nl}_2$ , $\ell_2(i) \in \mathit{nl}_2 \Rightarrow \ell_3(i) \in \mathit{nl}_3 $ and therefore $\ell_1(i) \in \mathit{nl}_1 \Rightarrow \ell_3(i) \in \mathit{nl}_3 $ . Analogously, we have $\{\ell_1(i), \ell_1(j)\} \in \mathit{sh}_1 \Rightarrow \{\ell_3(i), \ell_3(j)\} \in \mathit{sh}_3$ .

We now prove some properties of $cl^{\uparrow}$ and red, and of their interaction.

Proposition 104. (Closures of pre- $\mathsf{ALPS}$ graphs) The operators $cl^{\uparrow}$ and red are an upper and lower closure operator, respectively. Moreover, if $\mathbb{G}$ is closed w.r.t. red, then $cl^{\uparrow}(\mathbb{G})$ is closed w.r.t. red, too.

Proof. The fact that red and $cl^{\uparrow}$ are closure operators is immediate from their definition. It remains to prove that $cl^{\uparrow}$ preserves closedness w.r.t. red.

First of all, every set $\{n\}$ is G-SH-compatible with any type environment, since $\kappa \in C(\kappa)$ . Moreover, if there is a nonempty loop involving node n, then $n \xrightarrow{{\mathord{\mathtt{f}}}} m$ and there is a path from m to n. By Proposition 95, this means that $\tau_G(n) \in C(\tau_G(m))$ and by definition of $\tau_G$ , $\tau_G(m) \leq \tau_G(n).{\mathord{\mathtt{f}}}$ . Hence, $\tau_G(n) \in C(\tau_G(n).{\mathord{\mathtt{f}}})$ , $\tau_G(n) \in {NL}$ and n is G-NL-compatible.

Assume now that $\{n,m\}$ is G-SH-compatible and $n' \xrightarrow{{\mathord{\mathtt{f}}}} n$ . Then $C(\tau_G(n)) \cap C(\tau_G(m)) \neq \emptyset$ and by Proposition 95, $\tau_G(n) \in C(\tau_G(n'))$ , hence $C(\tau_G(n')) \supseteq C(\tau_G(n))$ . Therefore, $C(\tau_G(n)) \cap C(\tau_G(m)) \neq \emptyset$ implies $C(\tau_G(n')) \cap C(\tau_G(m)) \neq \emptyset$ , that is, $\{n',m\}$ is G-SH-compatible.

Now, assume $\{m_1, m_2\}$ is G-SH-compatible, $n \xrightarrow{{\mathord{\mathtt{f}}}_1}m_1$ and $n \xrightarrow{{\mathord{\mathtt{f}}}_2} m_2$ with ${\mathord{\mathtt{f}}}_1 \neq {\mathord{\mathtt{f}}}_2$ . Then, $(\tau_G(m_1), \tau_G(m_2)) \in {SH}$ and therefore $C(\tau_G(m_1)) \cap C(\tau_G(m_2))\neq\emptyset$ . Moreover, by definition of $\tau_G$ , $\tau_G(m_1)\leq \tau_G(n).{\mathord{\mathtt{f}}}_1$ , $\tau_G(m_2) \leq \tau_G(n).{\mathord{\mathtt{f}}}_2$ . Therefore, since C is downward closed, we have $C(\tau_G(n).{\mathord{\mathtt{f}}}_1) \cap C(\tau_G(n).{\mathord{\mathtt{f}}}_2) \neq \emptyset$ , i.e., $\tau_G(n) \in{NL}$ .

Finally, assume that n is G-NL-compatible. This means $\tau_G(n) \in NL$ . In particular, there exists $\kappa$ such that $\kappa \leq \tau_G(n)$ and $\kappa$ is in the least solution of the equation in Definition 33 of NL. When $n' \xrightarrow{{\mathord{\mathtt{f}}}} n$ then $\kappa \leq \tau_G(n) \leq \tau_G(n').{\mathord{\mathtt{f}}}$ , i.e., $\tau_G(n') \rightarrow \kappa$ which implies $\tau_G(n') \in {NL}$ .

A.3.1 Projections and propagation of nullness

Proposition 64. If $\mathbb{G} \in \mathsf{ALPS}_\tau$ and $X \subseteq N$ is backward closed, then $\mathbb{G}|_X \in \mathsf{ALPS}_\tau$ .

Proof. It is immediate to check that $\mathbb{G}|_X$ is closed and that $red(\mathbb{G}|_X)=\mathbb{G}|_X$ (this holds even if X is not backward closed). Moreover, since X is backward closed, then $G|_X$ is an aliasing graph and not just a pre-aliasing graph.

Proposition 65. If $\mathbb{G}$ is a pre- $\mathsf{ALPS}$ graph and $X \subseteq N$ is backward closed, then $\mathbb{G}|_X \preceq \mathbb{G}$ .

Proof. Let $\mathbb{G}' = \mathbb{G}|_X$ . We know that $G|_X \preceq G$ by Proposition 51. Now, given the identifier i, assume $\ell'(i) \in \mathit{nl}'$ . This means $\ell'(i) = n \in X$ and $n \in \mathit{nl}'$ . By definition, $\ell(i) = n$ and $n \in \mathit{nl}$ . Similarly for the sharing component.

A.3.2 Up- and down-closures of Pre- $\mathsf{ALPS}$ graphs

We introduce a new preorder on $\mathsf{ALPS}$ graphs which is apparently different from the one defined in the main part of the paper. The new definition is based on the concept of morphisms of aliasing graphs, and it is easier to use than the one in Proposition 57, although we will prove them to be equivalent.

Proposition 105. Pre- $\mathsf{ALPS}$ graphs are preordered by

\begin{equation*} \mathbb{G}_1 \mathbin{\widetilde{\preceq}} \mathbb{G}_2 \iff \exists h: G_2 \rightarrow G_1 \text{ s.t. } h^{-1} (\mathit{sh}_1) \subseteq \mathit{sh}_2 \text{ and } h^{-1} (\mathit{nl}_1) \subseteq \mathit{nl}_2 , \end{equation*}

where

\begin{gather*} h^{-1}(\mathit{nl}_1) = \{n \in N_2 \mid h(n) \in \mathit{nl}_1\} \enspace, \\ h^{-1}(\mathit{sh}_1) = \{ \{n,m\} \in \mathcal{P}_2(N_2) \mid \{h(n),h(m)\} \in \mathit{sh}_1\} \enspace . \end{gather*}

Proof. We show that $\mathbin{\widetilde{\preceq}}$ is reflexive. Given a pre- $\mathsf{ALPS}$ graph $\mathbb{G}$ , the only morphism $h: G \rightarrow G$ is the identity. Then $h^{-1}(\mathit{sh}) = \mathit{sh}$ and $h^{-1}(\mathit{nl})=\mathit{nl}$ , hence $\mathbb{G} \mathbin{\widetilde{\preceq}} \mathbb{G}$ . Assume now $\mathbb{G}_1 \mathbin{\widetilde{\preceq}} \mathbb{G}_2$ and $\mathbb{G}_2\mathbin{\widetilde{\preceq}} \mathbb{G}_3$ with $h_2: G_3 \rightarrow G_2$ and $h_1: G_2 \rightarrow G_1$ . We have that $h = h_1 \circ h_2: G_3 \rightarrow G_1$ . Moreover, $h^{-1}(\mathit{sh}_1) = h_2^{-1}(h_1^{-1}(\mathit{sh}_1)) \subseteq h_2^{-1}(\mathit{sh}_2) \subseteq \mathit{sh}_3$ . Analogously, we have $h^{-1}(\mathit{nl}_1) \subseteq \mathit{nl}_3$ .

Proposition 106. Given pre- $\mathsf{ALPS}$ graphs $\mathbb{G}_1$ and $\mathbb{G}_2$ , we have $\mathbb{G}_1 \mathbin{\widetilde{\preceq}} \mathbb{G}_2$ iff $\mathbb{G}_1 \preceq \mathbb{G}_2$ .

Proof. We prove the two implications of the equivalence separately.

  1. By Proposition 105 and Definition 41 there exists $h: G_2 \rightarrow G_1$ such that $\ell_1 = h \,\circ\, \ell_2$ , $h^{-1} (\mathit{sh}_1) \subseteq \mathit{sh}_2$ and $h^{-1} (\mathit{nl}_1) \subseteq \mathit{nl}_2$ . Applying $\ell_2^{-1}$ to both sides of these set inclusions, we have $\ell_1^{-1}(\mathit{sh}_1) = \ell_2^{-1}(h^{-1}(\mathit{sh}_1)) \subseteq \ell_2^{-1}(\mathit{sh}_2)$ and $\ell_1^{-1}(\mathit{nl}_1) = \ell_2^{-1}(h^{-1}(\mathit{nl}_1)) \subseteq \ell_2^{-1}(\mathit{nl}_2)$ .

  2. By Propositions 57 and 42, there exists $h: G_2 \rightarrow G_1$ such that $\ell_1 = h \,\circ\, \ell_2$ . Note that $\ell_1^{-1}(\mathit{sh}_1) = \ell_2^{-1}(h^{-1}(\mathit{sh}_1)) \subseteq \ell_2^{-1}(\mathit{sh}_2)$ . Since $\ell_2$ is surjective, $\ell_2 \circ \ell_2^{-1} = {id}$ . Therefore, by applying $\ell_2$ to both sides, we have $h^{-1}(\mathit{sh}_1) \subseteq \mathit{sh}_2$ . Analogously for $\mathit{nl}_1$ and $\mathit{nl}_2$ .

Theorem 68. Given a pre- $\mathsf{ALPS}$ graph $\mathbb{G}= G \mathbin{\star} \mathit{sh} \mathbin{\star} \mathit{nl}$ , the down-closure $cl^{\downarrow}(\mathbb{G})$ can be computed as follows. Let $\mathit{sh}^* \mathbin{\star} \mathit{nl}^*$ be the greatest pair, under the component-wise ordering, such that

  (1) $\mathit{nl}^*= \mathit{nl} \setminus \{n \mid m \not\in \mathit{nl}^* \wedge m \xrightarrow{{\mathord{\mathtt{f}}}} n \in E\}$ ;

  (2) $\mathit{sh}^* = \mathit{sh} \setminus \{ \{m_1, m_2 \} \mid n \not\in \mathit{nl}^*, n \xrightarrow{{\mathord{\mathtt{f}}}_1} m_1 \in E, n \xrightarrow{{\mathord{\mathtt{f}}}_2} m_2 \in E, {\mathord{\mathtt{f}}}_1 \neq {\mathord{\mathtt{f}}}_2\} \setminus \{\{ n, m \} \mid \{ n',m \} \not\in \mathit{sh}^* \wedge n' \xrightarrow{{\mathord{\mathtt{f}}}} n \in E \}$ .

Then, we have that

\begin{equation*}cl^{\downarrow}(\mathbb{G}) = (G \mathbin{\star} \mathit{sh}^* \mathbin{\star} \mathit{nl}^*)|_{N\setminus \overrightarrow X}\end{equation*}

where $X=\{n \mid n\not\in \mathit{nl}^*$ , there is a loop in G such that $n \xrightarrow{{\mathord{\mathtt{f}}}_1} \cdots \xrightarrow{{\mathord{\mathtt{f}}}_k} n \in E\} \cup \{n \mid \{n\} \not\in \mathit{sh}^*\}$ . Moreover, if $\mathbb{G}$ is closed w.r.t. red, then $cl^{\downarrow}(\mathbb{G})$ is an $\mathsf{ALPS}$ graph.
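As an added worked example (not code from the paper), the following Python computes $\mathit{nl}^*$ , $\mathit{sh}^*$ and $X$ by the decreasing iterations $\mathit{nl}_i$ and $\mathit{sh}_i$ used in the proof below, projects onto $N \setminus \overrightarrow X$ , and checks the five closure conditions of Definition 60 on the result. It reads $\overrightarrow X$ as the set of nodes reachable from $X$ (an assumption about the notation), and the input graph, its variables x, y, z and its labelling are constructed for the illustration.

```python
from collections import namedtuple

# An edge (n, f, m) stands for n --f--> m; sh holds frozenset({n}) or
# frozenset({n, m}); labels maps identifiers to nodes, None playing the role of ⊥.
PreALPS = namedtuple("PreALPS", "nodes edges labels sh nl")


def preds(g, n):
    """Nodes n' with an edge n' --f--> n for some field f."""
    return {src for (src, _, tgt) in g.edges if tgt == n}


def reachable(g, start):
    """Forward closure: nodes reachable from start by zero or more edges."""
    seen, todo = set(start), list(start)
    while todo:
        s = todo.pop()
        for (src, _, tgt) in g.edges:
            if src == s and tgt not in seen:
                seen.add(tgt)
                todo.append(tgt)
    return seen


def on_nonempty_loop(g, n):
    """True when n --f1--> ... --fk--> n for some k >= 1."""
    return n in reachable(g, {tgt for (src, _, tgt) in g.edges if src == n})


def nl_star(g):
    """Condition (1): iterate nl_{i+1} = nl_i \\ {n | m not in nl_i, m --f--> n} from nl."""
    nl = set(g.nl)
    while True:
        new = nl - {tgt for (src, _, tgt) in g.edges if src not in nl}
        if new == nl:
            return frozenset(nl)
        nl = new


def violates_propagation(g, pair, sh):
    """{n, m} breaks '{n, m} in sh and n' --f--> n implies {n', m} in sh'."""
    for n in pair:
        m = n if len(pair) == 1 else next(iter(pair - {n}))
        if any(frozenset({p, m}) not in sh for p in preds(g, n)):
            return True
    return False


def sh_star(g, nl):
    """Condition (2): S drops pairs reached from a node outside nl* through two
    distinct fields; then sh_{i+1} = sh_i minus the pairs violating propagation."""
    two_fields = {frozenset({m1, m2})
                  for (n, f1, m1) in g.edges if n not in nl
                  for (n2, f2, m2) in g.edges if n2 == n and f1 != f2}
    sh = frozenset(g.sh) - two_fields
    while True:
        new = frozenset(p for p in sh if not violates_propagation(g, p, sh))
        if new == sh:
            return sh
        sh = new


def down_closure(g):
    """cl↓(G) = (G * sh* * nl*)|_{N \\ →X}, reading →X as the nodes reachable
    from X (an assumption about the paper's notation)."""
    nl = nl_star(g)
    sh = sh_star(g, nl)
    x = ({n for n in g.nodes if n not in nl and on_nonempty_loop(g, n)}
         | {n for n in g.nodes if frozenset({n}) not in sh})
    keep = g.nodes - reachable(g, x)
    return PreALPS(
        nodes=frozenset(keep),
        edges=frozenset(e for e in g.edges if e[0] in keep and e[2] in keep),
        labels={i: (n if n in keep else None) for i, n in g.labels.items()},
        sh=frozenset(p for p in sh if p <= keep),
        nl=frozenset(nl & keep))


def is_closed(g):
    """The five conditions of Definition 60, in the order the proof checks them."""
    for n in g.nodes:
        if frozenset({n}) not in g.sh:                  # (1) every node shares with itself
            return False
        if on_nonempty_loop(g, n) and n not in g.nl:    # (2) nodes on loops are non-linear
            return False
        if n in g.nl and not preds(g, n) <= g.nl:       # (5) nl propagates to predecessors
            return False
    if any(violates_propagation(g, p, g.sh) for p in g.sh):   # (3) sh propagates backwards
        return False
    return not any(n2 == n and f1 != f2 and frozenset({m1, m2}) in g.sh and n not in g.nl
                   for (n, f1, m1) in g.edges for (n2, f2, m2) in g.edges)   # (4)


def example_graph():
    """Constructed input with hypothetical variables x, y, z: y aliases x.g,
    z.next points back to z, and c is outside nl although b and d are in it."""
    return PreALPS(
        nodes=frozenset("abcd"),
        edges=frozenset({("a", "f", "b"), ("a", "g", "c"), ("b", "next", "b"),
                         ("c", "f", "d"), ("c", "g", "b")}),
        labels={"x": "a", "x.f": "b", "x.g": "c", "y": "c", "y.f": "d",
                "y.g": "b", "z": "b", "z.next": "b"},
        sh=frozenset(frozenset({n, m}) for n in "abcd" for m in "abcd"),
        nl=frozenset("abd"))
```

On the constructed graph, $c \notin \mathit{nl}$ removes $b$ and $d$ from $\mathit{nl}^*$ , the self-loop on $b$ then puts $b$ into $X$ , and the result keeps only $a, c, d$ with $\mathit{nl}' = \{a\}$ .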

Proof. The following holds.

  (1) First of all, observe that $\mathit{nl}^*= \bigcap_{i\geq 0}\mathit{nl}_i$ , where $\mathit{nl}_0=\mathit{nl}$ and for $i\geq 0$ , $\mathit{nl}_{i+1}=\mathit{nl}_i \setminus \{n \mid m \not\in \mathit{nl}_i \wedge m \xrightarrow{{\mathord{\mathtt{f}}}}n \in E\}$ . We first show that $\mathit{nl}^*= \mathit{nl}^\dagger$ , where $\mathit{nl}^\dagger=N \setminus \{n \mid m \not\in \mathit{nl} \wedge m \xrightarrow{{\mathord{\mathtt{f}}}_1}\cdots \xrightarrow{{\mathord{\mathtt{f}}}_k} n \in E, k\geq 0\}$ . We prove the two inclusions separately.

    • The proof is by contradiction. Let us assume that $\mathit{nl}^\dagger\not \subseteq \mathit{nl}^*$ . Since $\mathit{nl}^\dagger \subseteq \mathit{nl}$ , there exists $j \geq 0$ such that $\mathit{nl}^\dagger \not\subseteq \mathit{nl}_{j+1}$ and $\mathit{nl}^\dagger \subseteq \mathit{nl}_{j}$ . Therefore, there exist $n \in \mathit{nl}^\dagger$ and $j \geq 0$ such that $n \in \mathit{nl}_{j}$ and $n \not \in \mathit{nl}_{j+1}$ . By definition of $\mathit{nl}_{j+1}$ , there exists $m \not\in \mathit{nl}_{j}$ such that $m \xrightarrow{{\mathord{\mathtt{f}}}}n \in E$ . Since by hypothesis $\mathit{nl}^\dagger \subseteq \mathit{nl}_{j}$ , we have that $m \not\in \mathit{nl}^\dagger$ and, by definition of $\mathit{nl}^\dagger$ , there exists $m' \xrightarrow{{\mathord{\mathtt{f}}}_1}\cdots \xrightarrow{{\mathord{\mathtt{f}}}_k} m \in E$ such that $m' \not\in \mathit{nl}$ . Therefore, there exists $m' \xrightarrow{{\mathord{\mathtt{f}}}_1}\cdots \xrightarrow{{\mathord{\mathtt{f}}}_k} m \xrightarrow{{\mathord{\mathtt{f}}}}n \in E$ such that $m' \not\in \mathit{nl}$ . By definition of $\mathit{nl}^\dagger$ , $n \not \in \mathit{nl}^\dagger$ and this contradicts the hypothesis.

    • Let $n \not\in \mathit{nl}^\dagger$ . By definition there exists $m \not\in \mathit{nl} $ such that $ m \xrightarrow{{\mathord{\mathtt{f}}}_1}\cdots \xrightarrow{{\mathord{\mathtt{f}}}_k} n \in E$ . We prove by induction on $k$ that $n \not \in \mathit{nl}^*$ .

      ($k=0$) In this case $n=m \not \in \mathit{nl}$ and therefore $n \not\in \mathit{nl}^*$ .

      ($k>0$) In this case $ m \xrightarrow{{\mathord{\mathtt{f}}}_1}\cdots n'\xrightarrow{{\mathord{\mathtt{f}}}_k} n \in E$ and $m \not\in \mathit{nl}$ . By inductive hypothesis $n' \not\in \mathit{nl}^*$ and $n'\xrightarrow{{\mathord{\mathtt{f}}}_k} n \in E$ . Therefore, by definition of $\mathit{nl}^*$ , $n\not\in \mathit{nl}^*$ and then the thesis.

  (2) First of all, observe that by the previous result, it holds that $\mathit{sh}^* = S \setminus \{\{ n, m \} \mid \{ n',m \} \not\in \mathit{sh}^* \wedge n' \xrightarrow{{\mathord{\mathtt{f}}}} n \in E \} $ where

\begin{equation*} S= \mathit{sh} \setminus \{ \{m_1, m_2 \} \mid m \not\in \mathit{nl} \wedge m \xrightarrow{{\mathord{\mathtt{g}}}_1}\cdots \xrightarrow{{\mathord{\mathtt{g}}}_k} n \in E, \ k\geq 0, \ n \xrightarrow{{\mathord{\mathtt{f}}}_1} m_1 \in E,\ n \xrightarrow{{\mathord{\mathtt{f}}}_2} m_2 \in E, \ {\mathord{\mathtt{f}}}_1 \neq {\mathord{\mathtt{f}}}_2\} \end{equation*}

and therefore $\mathit{sh}^*= \bigcap_{i\geq 0}\mathit{sh}_i$ , where $\mathit{sh}_0=S$ and for $i\geq 0$ , $\mathit{sh}_{i+1}=\mathit{sh}_i \setminus \{\{ n, m \} \mid \{ n',m \} \not\in \mathit{sh}_i \wedge n' \xrightarrow{{\mathord{\mathtt{f}}}} n \in E \}$ . We show that $\mathit{sh}^* =\mathit{sh}^\dagger$ where

\begin{equation*}\begin{split} \mathit{sh}^\dagger = \mathit{sh} &\setminus \{\{ m_1, m_2 \} \mid m \not\in \mathit{nl}, \ m \xrightarrow{{\mathord{\mathtt{f}}}_1} \cdots \xrightarrow{{\mathord{\mathtt{f}}}_k}m_1 \in E, \ m \xrightarrow{{\mathord{\mathtt{g}}}_1} \cdots \xrightarrow{{\mathord{\mathtt{g}}}_h} m_2 \in E, \, k \leq h, \, {\mathord{\mathtt{f}}}_1 \cdots {\mathord{\mathtt{f}}}_k \neq {\mathord{\mathtt{g}}}_1 \cdots {\mathord{\mathtt{g}}}_k \} \\ &\setminus \{\{ n, m \} \mid \{ n',m \} \not\in \mathit{sh} \wedge n'\xrightarrow{{\mathord{\mathtt{f}}}_1}\cdots \xrightarrow{{\mathord{\mathtt{f}}}_k} n \in E \} \enspace . \end{split}\end{equation*}

We prove the two inclusions separately.

    • The proof is by contradiction. Let us assume that $\mathit{sh}^\dagger\not \subseteq \mathit{sh}^*$ . Since by definition $\mathit{sh}^\dagger\subseteq S=\mathit{sh}_0$ there exists $j \geq 0$ such that $\mathit{sh}^\dagger \subseteq \mathit{sh}_j$ and $\mathit{sh}^\dagger \not \subseteq \mathit{sh}_{j+1}$ . Therefore, there exist $\{ n, m \} \in \mathit{sh}^\dagger$ and $j \geq 0$ such that $\{ n, m \} \in \mathit{sh}_{j}$ and $\{ n, m \} \not \in \mathit{sh}_{j+1}$ . By definition of $\mathit{sh}_{j+1}$ , there exists $\{ n',m \} \not\in \mathit{sh}_j$ such that $ n' \xrightarrow{{\mathord{\mathtt{f}}}} n \in E$ . Since by hypothesis $\mathit{sh}^\dagger \subseteq \mathit{sh}_{j}$ , we have that $\{ n',m \} \not\in \mathit{sh}^\dagger$ . By definition of $\mathit{sh}^\dagger$ , we have the following possibilities:

      (a) $p \not\in \mathit{nl}$ , $p \xrightarrow{{\mathord{\mathtt{f}}}_1} \cdots \xrightarrow{{\mathord{\mathtt{f}}}_k}n' \in E$ and $p \xrightarrow{{\mathord{\mathtt{g}}}_1} \cdots \xrightarrow{{\mathord{\mathtt{g}}}_h} m \in E$ and ${\mathord{\mathtt{f}}}_1 \cdots {\mathord{\mathtt{f}}}_y \neq {\mathord{\mathtt{g}}}_1 \cdots {\mathord{\mathtt{g}}}_y$ , where $y$ is the minimum of $k$ and $h$ . Since $ n' \xrightarrow{{\mathord{\mathtt{f}}}} n \in E$ , we have that $p \xrightarrow{{\mathord{\mathtt{f}}}_1} \cdots \xrightarrow{{\mathord{\mathtt{f}}}_k}n'\xrightarrow{{\mathord{\mathtt{f}}}}n \in E$ . Moreover, ${\mathord{\mathtt{f}}}_1 \cdots {\mathord{\mathtt{f}}}_x \neq {\mathord{\mathtt{g}}}_1 \cdots {\mathord{\mathtt{g}}}_x$ , where $x=y$ if $k \geq h$ and $x=y+1$ if $k < h$ . By definition $\{ n, m \} \not \in \mathit{sh}^\dagger$ and then we have a contradiction.

      (b) there exists $\{ p,m \} \not\in \mathit{sh}$ such that $ p\xrightarrow{{\mathord{\mathtt{f}}}_1}\cdots \xrightarrow{{\mathord{\mathtt{f}}}_k} n' \in E$ . In this case $ p\xrightarrow{{\mathord{\mathtt{f}}}_1}\cdots \xrightarrow{{\mathord{\mathtt{f}}}_k} n' \xrightarrow{{\mathord{\mathtt{f}}}} n\in E$ . Therefore, $\{ n,m \} \not\in \mathit{sh}^\dagger$ and this contradicts the hypothesis.

    • Let $\{ n,m \} \not\in \mathit{sh}^\dagger$ . By definition we have the following possibilities:

      (a) $\{ n,m \} \not\in \mathit{sh}$ . In this case $\{ n,m \} \not\in \mathit{sh}^*$ .

      (b) there exists $\{ n',m \} \not\in \mathit{sh}$ such that $n'\xrightarrow{{\mathord{\mathtt{f}}}_1}\cdots \xrightarrow{{\mathord{\mathtt{f}}}_k} n \in E$ . We prove by induction on $k$ that $\{ n,m \} \not\in \mathit{sh}^*$ . ($k=0$) In this case $n'=n$ and $\{ n,m \} \not \in \mathit{sh}$ . Therefore $\{ n,m \} \not\in \mathit{sh}^*$ . ($k>0$) In this case $n'\xrightarrow{{\mathord{\mathtt{f}}}_1}\cdots \xrightarrow{{\mathord{\mathtt{f}}}_{k-1}} n''\xrightarrow{{\mathord{\mathtt{f}}}_k} n \in E$ . By inductive hypothesis $\{ n'',m \} \not\in \mathit{sh}^*$ and then, by definition of $\mathit{sh}^*$ , $\{ n,m \} \not\in \mathit{sh}^*$ .

      (c) there exists $m' \not\in \mathit{nl}$ such that $m' \xrightarrow{{\mathord{\mathtt{f}}}_1} \cdots \xrightarrow{{\mathord{\mathtt{f}}}_k}m \in E$ , $m' \xrightarrow{{\mathord{\mathtt{g}}}_1} \cdots \xrightarrow{{\mathord{\mathtt{g}}}_h} n\in E$ , $k \leq h$ and ${\mathord{\mathtt{f}}}_1 \cdots {\mathord{\mathtt{f}}}_k \neq {\mathord{\mathtt{g}}}_1 \cdots {\mathord{\mathtt{g}}}_k $ . Let $i\geq 1$ be the first index such that ${\mathord{\mathtt{f}}}_i \neq {\mathord{\mathtt{g}}}_i$ . Then $m' \xrightarrow{{\mathord{\mathtt{f}}}_1} \cdots \xrightarrow{{\mathord{\mathtt{f}}}_{i-1}}n_{i-1} \in E$ , $n_{i-1} \xrightarrow{{\mathord{\mathtt{f}}}_i}n_{i} \cdots \xrightarrow{{\mathord{\mathtt{f}}}_k}m \in E$ , $n_{i-1} \xrightarrow{{\mathord{\mathtt{g}}}_i}n'_{i} \cdots \xrightarrow{{\mathord{\mathtt{g}}}_h} n\in E$ and ${\mathord{\mathtt{f}}}_i \neq {\mathord{\mathtt{g}}}_i$ . By the previous result $n_{i-1} \not\in \mathit{nl}^\dagger=\mathit{nl}^*$ and therefore, by definition of $\mathit{sh}^*$ , $\{ n_{i},n'_{i} \} \not\in \mathit{sh}^*$ . Now, the proof follows by a straightforward inductive argument.

By previous results, it holds that

\begin{equation*}\begin{split} X = {} & \{n \mid m \not\in \mathit{nl} \wedge m \xrightarrow{{\mathord{\mathtt{f}}}_1}\cdots \xrightarrow{{\mathord{\mathtt{f}}}_k} n \in E, \ k\geq 0, \text{ and there is a loop in } G \text{ such that } n \xrightarrow{{\mathord{\mathtt{g}}}_1} \cdots \xrightarrow{{\mathord{\mathtt{g}}}_h} n \in E\} \\ & \cup \ \{n \in N \mid \{n\} \not\in \mathit{sh} \} \\ & \cup \ \{ n \mid m \not\in \mathit{nl}, \ m \xrightarrow{{\mathord{\mathtt{f}}}_1} \cdots \xrightarrow{{\mathord{\mathtt{f}}}_k}n \in E, \ m \xrightarrow{{\mathord{\mathtt{g}}}_1} \cdots \xrightarrow{{\mathord{\mathtt{g}}}_h} n \in E, \, k \leq h, \, {\mathord{\mathtt{f}}}_1 \cdots {\mathord{\mathtt{f}}}_k \neq {\mathord{\mathtt{g}}}_1 \cdots {\mathord{\mathtt{g}}}_k \} \\ & \cup \ \{n \mid \{ n',n \} \not\in \mathit{sh} \wedge n'\xrightarrow{{\mathord{\mathtt{f}}}_1}\cdots \xrightarrow{{\mathord{\mathtt{f}}}_k} n \in E \} \enspace . \end{split}\end{equation*}

Now, observe that since $\mathbb{G}$ is a pre- $\mathsf{ALPS}$ graph, then $G \mathbin{\star} \mathit{sh}^* \mathbin{\star} \mathit{nl}^*$ is also a pre- $\mathsf{ALPS}$ graph and by construction, $(G \mathbin{\star} \mathit{sh}^* \mathbin{\star} \mathit{nl}^*) \preceq \mathbb{G}$ . Moreover, since $N\setminus \overrightarrow X \subseteq N$ backward closed, we have that $\mathbb{G}'$ is a pre- $\mathsf{ALPS}$ graph. Then, by Proposition 65 $\mathbb{G}' \preceq (G \mathbin{\star} \mathit{sh}^* \mathbin{\star} \mathit{nl}^*) \preceq \mathbb{G}$ .

Now, we prove that $\mathbb{G}'$ is closed. We prove that all conditions in the Definition 60 are respected.

($n \in N' \Rightarrow \{n\} \in \mathit{sh}'$) The proof is by contradiction. Let us assume that there exists $n \in N'$ such that $\{n\} \not\in \mathit{sh}'$ . Then $n \not \in \overrightarrow X$ and $\{n\} \not\in \mathit{sh}^*$ . Now, we have a contradiction, since $X \supseteq \{n \mid \{n\} \not\in \mathit{sh} ^*\}$ .

(nonempty loop in $G'$ involving $n \Rightarrow n \in \mathit{nl}'$) Let us assume that there is a nonempty loop in $G'$ involving $n$ such that $n\not\in \mathit{nl}'$ . In this case, there is a nonempty loop in $G$ involving $n$ such that $n \not \in \overrightarrow X$ and $n \not\in \mathit{nl}^*$ . Now, we have a contradiction, since $X \supseteq\{n \mid n\not\in \mathit{nl}^*$ , there is a loop in $G$ such that $n \xrightarrow{{\mathord{\mathtt{f}}}_1} \cdots \xrightarrow{{\mathord{\mathtt{f}}}_k} n \in E\} $ .

We check the three conditions in the definition of partial closure.

($\{ n,m \} \in \mathit{sh}' \wedge n' \xrightarrow{{\mathord{\mathtt{f}}}} n \in E'\Rightarrow \{ n', m \} \in \mathit{sh}'$) Assume that $\{ n,m \} \in \mathit{sh}'$ and $n' \xrightarrow{{\mathord{\mathtt{f}}}} n \in E'$ . Then $n,m ,n' \not \in \overrightarrow X$ , $\{ n,m \} \in \mathit{sh}^*$ and $n' \xrightarrow{{\mathord{\mathtt{f}}}} n \in E$ . By definition of $\mathit{sh}^*$ , $\{ n', m \} \in \mathit{sh}^*$ and since $n',m\not \in \overrightarrow X$ , we have that $\{ n', m \} \in \mathit{sh}'$ .

($n \xrightarrow{{\mathord{\mathtt{f}}}_1} m_1\in E' \wedge n \xrightarrow{{\mathord{\mathtt{f}}}_2} m_2\in E' \wedge {\mathord{\mathtt{f}}}_1 \neq {\mathord{\mathtt{f}}}_2 \wedge \{m_1, m_2 \} \in \mathit{sh}' \Rightarrow n \in \mathit{nl}'$) Assume that $n \xrightarrow{{\mathord{\mathtt{f}}}_1} m_1\in E'$ , $n \xrightarrow{{\mathord{\mathtt{f}}}_2} m_2\in E'$ , ${\mathord{\mathtt{f}}}_1 \neq {\mathord{\mathtt{f}}}_2$ , $\{m_1, m_2 \} \in \mathit{sh}'$ . Then $n, m_1, m_2 \not \in \overrightarrow X$ and $n \xrightarrow{{\mathord{\mathtt{f}}}_1} m_1\in E$ , $n \xrightarrow{{\mathord{\mathtt{f}}}_2} m_2\in E$ , ${\mathord{\mathtt{f}}}_1 \neq {\mathord{\mathtt{f}}}_2$ , $\{m_1, m_2 \} \in \mathit{sh}^*$ . By definition of $\mathit{sh}^*$ , $n \in \mathit{nl}^*$ and since $n \not \in \overrightarrow X$ , we have that $n \in \mathit{nl}'$ .

($n \in \mathit{nl}' \wedge n' \xrightarrow{{\mathord{\mathtt{f}}}} n \in E'\Rightarrow n' \in \mathit{nl}'$) Assume that $n \in \mathit{nl}'$ and $n' \xrightarrow{{\mathord{\mathtt{f}}}} n \in E'$ . Then $n' \not \in \overrightarrow X$ , $n \in \mathit{nl}^*$ and $n' \xrightarrow{{\mathord{\mathtt{f}}}} n \in E$ . By definition of $\mathit{nl}^*$ , $n' \in \mathit{nl}^*$ and since $n' \not \in \overrightarrow X$ , we have that $n' \in \mathit{nl}'$ .

By Proposition 65, since $\mathbb{G}$ is a pre- $\mathsf{ALPS}$ graph and $N \setminus \overrightarrow X \subseteq N$ is backward closed, we have that $\mathbb{G}' \preceq \mathbb{G}$ .

Now, we have to prove that $\mathbb{G}'$ is the greatest closed pre- $\mathsf{ALPS}$ graph smaller than $\mathbb{G}$ . Let $\mathbb{G}_1$ be a closed pre- $\mathsf{ALPS}$ graph smaller than $\mathbb{G}$ . We have to prove that $\mathbb{G}_1 \preceq \mathbb{G}'$ .

Since $\mathbb{G}_1 \preceq \mathbb{G}$ , by Propositions 106 and 105, there exists $ h_1: G \rightarrow G_1$ such that $h_1^{-1} (\mathit{sh}_1) \subseteq \mathit{sh} $ and $ h_1^{-1} (\mathit{nl}_1) \subseteq \mathit{nl}$ .

Let $h_1': G' \rightarrow G_1$ be such that $h'_1(n)=h_1(n)$ for each $n \in N'$ . We prove that $h_1'$ is a morphism from $G'$ to $G_1$ , ${h'_1}^{-1} (\mathit{sh}_1) \subseteq \mathit{sh}^\dagger $ and ${h'_1}^{-1} (\mathit{nl}_1) \subseteq \mathit{nl}'$ . Therefore, the thesis follows by Propositions 105 and 106.

$h'_1$ is a morphism from $G'$ to $G_1$ . Let $i \in I_\tau$ . We have to prove that $h_1'(\ell'(i))=\ell_1(i)$ . The following holds:

  • $\ell'(i) \neq \bot$ . In this case $h'_1(\ell'(i))=h_1(\ell(i))=\ell_1(i)$ .

  • $\ell'(i) = \bot$ and $\ell_1(i) = \bot$ . In this case $h_1'(\ell'(i)) = \bot=\ell_1(i)$ and then the thesis.

  • $\ell'(i) = \bot$ and $\ell_1(i)= h_1(\ell(i))\neq \bot$ . In this case, since $\mathbb{G}_1 \preceq \mathbb{G}$ , we have that $\ell(i) \neq \bot$ and therefore $\ell(i) \in \overrightarrow X$ . Therefore there exists $j \in I_\tau$ with $\ell(j) \in X$ such that $\ell'(j) = \bot$ and $\ell_1(j)= h_1(\ell(j))\neq \bot$ . By definition of $X$ one of the following holds.

    1. $\ell(j) =n$ , there exists $m \not\in \mathit{nl}$ such that $m \xrightarrow{{\mathord{\mathtt{f}}}_1}\cdots \xrightarrow{{\mathord{\mathtt{f}}}_k} n \in E$ , $k\geq 0$ and there is a loop in G such that $n \xrightarrow{{\mathord{\mathtt{g}}}_1} \cdots \xrightarrow{{\mathord{\mathtt{g}}}_h} n \in E$ . In this case, since $\mathbb{G}_1 \preceq \mathbb{G}$ , $\ell_1(j)= h_1(\ell(j))\neq \bot$ and by Lemma 96, we have that $h_1(m) \not\in \mathit{nl}_1$ , $h_1(m) \xrightarrow{{\mathord{\mathtt{f}}}_1}\cdots \xrightarrow{{\mathord{\mathtt{f}}}_k} h_1(n) \in E_1$ , $k\geq 0$ and there is a loop in $G_1$ such that $h_1(n) \xrightarrow{{\mathord{\mathtt{g}}}_1} \cdots \xrightarrow{{\mathord{\mathtt{g}}}_h} h_1(n) \in E_1$ . Since by hypothesis $\mathbb{G}_1$ is closed, by Point 5 of Definition 60 and by a straightforward inductive argument, we have that $h_1(n) \not \in \mathit{nl}_1$ . Therefore, by Point 2 of Definition 60, we have a contradiction, since there is a loop in $\mathbb{G}_1$ involving $h_1(n) $ and $h_1(n) \not \in \mathit{nl}_1$ .

    2. $\ell(j) \in \{n \in N \mid \{n\} \not\in \mathit{sh} \} $ . In this case, $h_1(\{\ell(j)\}) \not \in \mathit{sh}_1$ . By Point 1 of Definition 60, $h_1(\ell(j))=\ell_1(j) \not \in N_1$ and this contradicts the hypothesis.

    3. $\ell(j) =n$ , and there exists $m \not\in \mathit{nl}$ , such that $m \xrightarrow{{\mathord{\mathtt{f}}}_1} \cdots \xrightarrow{{\mathord{\mathtt{f}}}_k}n \in E$ , $ m \xrightarrow{{\mathord{\mathtt{g}}}_1} \cdots \xrightarrow{{\mathord{\mathtt{g}}}_h} n \in E$ , $k \leq h$ and ${\mathord{\mathtt{f}}}_1 \cdots {\mathord{\mathtt{f}}}_k \neq {\mathord{\mathtt{g}}}_1 \cdots {\mathord{\mathtt{g}}}_k$ . In this case, since $\mathbb{G}_1 \preceq \mathbb{G}$ , $h_1(n)\neq \bot$ , $h_1(m) \not\in \mathit{nl}_1$ and by Lemma 96, $h_1(m) \xrightarrow{{\mathord{\mathtt{f}}}_1} \cdots \xrightarrow{{\mathord{\mathtt{f}}}_k}h_1(n) \in E_1$ , $h_1(m) \xrightarrow{{\mathord{\mathtt{g}}}_1} \cdots \xrightarrow{{\mathord{\mathtt{g}}}_h} h_1(n) \in E_1$ , $k \leq h$ and ${\mathord{\mathtt{f}}}_1 \cdots {\mathord{\mathtt{f}}}_k \neq {\mathord{\mathtt{g}}}_1 \cdots {\mathord{\mathtt{g}}}_k$ . Let $i\geq 1$ be the first index such that ${\mathord{\mathtt{f}}}_i \neq {\mathord{\mathtt{g}}}_i$ . Therefore, we have that $h_1(m) \xrightarrow{{\mathord{\mathtt{f}}}_1} \cdots \xrightarrow{{\mathord{\mathtt{f}}}_{i-1}}h_1(n_{i-1}) \in E_1$ , $h_1(n_{i-1})\xrightarrow{{\mathord{\mathtt{f}}}_i}h_1(n_{i}) \cdots \xrightarrow{{\mathord{\mathtt{f}}}_k}h_1(n)\in E_1$ , $h_1(n_{i-1} )\xrightarrow{{\mathord{\mathtt{g}}}_i}h_1(n'_{i})\cdots \xrightarrow{{\mathord{\mathtt{g}}}_h}h_1(n)\in E_1$ and ${\mathord{\mathtt{f}}}_i \neq {\mathord{\mathtt{g}}}_i$ . Since $\mathbb{G}_1$ is closed, by Point 2 of Definition 60 and by a straightforward inductive argument, we have that $h_1(n_{i-1} )\not\in \mathit{nl}_1$ . Therefore, since $\mathbb{G}_1$ is closed and by Point 4 of Definition 60, we have that $\{n_{i},n'_{i} \} \not\in \mathit{sh}_1$ . Now, since $\mathbb{G}_1$ is closed, by Point 3 of Definition 60 and by a straightforward inductive argument, $\{h_1(n) \}\not \in \mathit{sh}_1$ . By Point 1 of Definition 60 $h_1(n) =\ell_1(j)\not \in N_1$ and this contradicts the hypothesis.

    4. $\ell(j) =n$ and there exists $\{ n',n \} \not\in \mathit{sh}$ such that $ n'=n_0\xrightarrow{{\mathord{\mathtt{f}}}_1}n_1\xrightarrow{{\mathord{\mathtt{f}}}_2}\cdots n_{k-1} \xrightarrow{{\mathord{\mathtt{f}}}_k}n_k= n \in E $ . In this case, since $\mathbb{G}_1 \preceq \mathbb{G}$ , $\{ h_1(n'),h_1(n) \} \not\in \mathit{sh}_1$ . Moreover, since $h_1(n)\neq \bot$ and by Lemma 96, $ h_1(n')= h_1(n_0)\xrightarrow{{\mathord{\mathtt{f}}}_1}h_1(n_1)\cdots h_1(n_{k-1})\xrightarrow{{\mathord{\mathtt{f}}}_k} h_1(n_k) = h_1(n) \in E_1$ . Therefore, there exists $l \in [1,k]$ such that $\{ h_1(n_{l-1}),h_1(n_l) \} \not\in \mathit{sh}_1$ and $ h_1(n_{l-1})\xrightarrow{{\mathord{\mathtt{f}}}_l} h_1(n_l) $ . Now, by Point 3 of Definition 60 $\{h_1(n_l) \} \not\in \mathit{sh}_1$ . If $l=k$ , then we have a contradiction, since by Point 1 of Definition 5, $h_1(n_k)=\ell_1(j) \not \in N_1$ . Otherwise $l<k$ and $h_1(n_l)\xrightarrow{{\mathord{\mathtt{f}}}_{l+1}}h_1(n_{l+1}) \in E_1$ . Since $\{h_1(n_l) \} \not\in \mathit{sh}_1$ , by Point 3 of Definition 60, $\{ h_1(n_{l}),h_1(n_{l+1}) \} \not\in \mathit{sh}_1$ . Now the proof follows by a straightforward inductive argument.

Assume that there exists $n \in {h'_1}^{-1} (\mathit{nl}_1)$ such that $n \not \in \mathit{nl}'$ . Since $\mathbb{G}_1 \preceq \mathbb{G}$ and by definition of $h'_1$ , we have that $n \in h_1^{-1} (\mathit{nl}_1) \subseteq N$ , $n \in N'$ and $n \not \in \mathit{nl}^\dagger$ . By definition of $\mathit{nl}^\dagger$ , there exists $m \not\in \mathit{nl}$ such that $m \xrightarrow{{\mathord{\mathtt{f}}}_1} \cdots \xrightarrow{{\mathord{\mathtt{f}}}_k} n \in E$ . Then, since $\mathbb{G}_1 \preceq \mathbb{G}$ , $h_1(n)\neq \bot$ and by Lemma 96, we have that $h_1(m) \not\in \mathit{nl}_1$ and $h_1(m) \xrightarrow{{\mathord{\mathtt{f}}}_1} \cdots \xrightarrow{{\mathord{\mathtt{f}}}_k}h_1(n) \in E_1$ . Since $\mathbb{G}_1$ is closed and by a straightforward inductive argument we have that $h_1(n)=h'_1(n)\not \in \mathit{nl}_1$ and this contradicts the hypothesis.

Assume that there exists $\{m_1,m_2 \} \in {h'_1}^{-1} (\mathit{sh}_1)$ such that $\{m_1, m_2 \} \not \in \mathit{sh}'$ . Since $\mathbb{G}_1 \preceq \mathbb{G}$ and by definition of $h'_1$ , we have that $\{m_1,m_2 \}\in h_1^{-1} (\mathit{sh}_1)\subseteq \mathit{sh}$ , $m_1, m_2 \in N'$ and $\{m_1,m_2 \} \not \in \mathit{sh}^\unicode{x2020}$ . By definition of $\mathit{sh}^\unicode{x2020}$ , the following holds:

  1. there exists $m \not\in \mathit{nl}$ , $m \xrightarrow{{\mathord{\mathtt{f}}}_1} \cdots \xrightarrow{{\mathord{\mathtt{f}}}_k}m_1 \in E$ , $ m \xrightarrow{{\mathord{\mathtt{g}}}_1} \cdots \xrightarrow{{\mathord{\mathtt{g}}}_h} m_2 \in E$ , $k \leq h$ and ${\mathord{\mathtt{f}}}_1 \cdots {\mathord{\mathtt{f}}}_k \neq {\mathord{\mathtt{g}}}_1 \cdots {\mathord{\mathtt{g}}}_k$ . Then, since $\mathbb{G}_1 \preceq \mathbb{G}$ , $h_1(m_1)\neq \bot$ , $h_1(m_2)\neq \bot$ and by Lemma 96, we have that $h_1(m) \not\in \mathit{nl}_1$ and $h_1(m) \xrightarrow{{\mathord{\mathtt{f}}}_1} \cdots \xrightarrow{{\mathord{\mathtt{f}}}_k}h_1(m_1 ) \in E_1$ , $h_1(m) \xrightarrow{{\mathord{\mathtt{g}}}_1} \cdots \xrightarrow{{\mathord{\mathtt{g}}}_h}h_1(m_2 ) \in E_1$ , $k \leq h$ and ${\mathord{\mathtt{f}}}_1 \cdots {\mathord{\mathtt{f}}}_k \neq {\mathord{\mathtt{g}}}_1 \cdots {\mathord{\mathtt{g}}}_k$ . Let $i\geq 1$ be the first index such that ${\mathord{\mathtt{f}}}_i \neq {\mathord{\mathtt{g}}}_i$ . Therefore, we have that $h_1(m) \xrightarrow{{\mathord{\mathtt{f}}}_1} \cdots \xrightarrow{{\mathord{\mathtt{f}}}_{i-1}}h_1(n_{i-1}) \in E_1$ , $h_1(n_{i-1})\xrightarrow{{\mathord{\mathtt{f}}}_i}h_1(n_{i}) \cdots \xrightarrow{{\mathord{\mathtt{f}}}_k}h_1(m_1)\in E_1$ , $h_1(n_{i-1} )\xrightarrow{{\mathord{\mathtt{g}}}_i}h_1(n'_{i})\cdots \xrightarrow{{\mathord{\mathtt{g}}}_h}h_1(m_2)\in E_1$ and ${\mathord{\mathtt{f}}}_i \neq {\mathord{\mathtt{g}}}_i$ . Analogously to the previous case, $h_1(n_{i-1} )\not\in \mathit{nl}_1$ . Therefore, since $\mathbb{G}_1$ is closed and by Point 4 of Definition 60, we have that $\{h_1(n_{i}),h_1(n'_{i}) \} \not\in \mathit{sh}_1$ . Now, since $\mathbb{G}_1$ is closed, by Point 3 of Definition 60 and by a straightforward inductive argument, we have that $\{h_1(m_1),h_1(m_2) \}\not \in\mathit{sh}_1$ and this contradicts the hypothesis.

  2. there exists $\{ n',m_2 \} \not\in \mathit{sh}$ such that $n'\xrightarrow{{\mathord{\mathtt{f}}}_1}\cdots \xrightarrow{{\mathord{\mathtt{f}}}_k} m_1 \in E$ . Then, since $\mathbb{G}_1 \preceq \mathbb{G}$ , $h_1(m_1)\neq \bot$ , $h_1(m_2)\neq \bot$ and by Lemma 96, we have that $\{h_1(n'),h_1(m_2) \} \not\in \mathit{sh}_1$ and $h_1(n')\xrightarrow{{\mathord{\mathtt{f}}}_1}\cdots \xrightarrow{{\mathord{\mathtt{f}}}_k} h_1(m_1) \in E_1$ . Now, since $\mathbb{G}_1$ is closed, by Point 3 of Definition 60 and by a straightforward inductive argument, we have that $\{h_1(m_1),h_1(m_2) \}\not \in\mathit{sh}_1$ and this contradicts the hypothesis.

Finally, we have to prove that if $\mathbb{G}$ is closed w.r.t. red then $cl^{\downarrow}(\mathbb{G})$ is an $\mathsf{ALPS}$ graph. By the previous result, we only have to prove that $cl^{\downarrow}(\mathbb{G})$ is closed w.r.t. red. The following holds:

$\mathit{sh}'$ is $G'$-SH-compatible. Assume $\{n,m\} \in \mathit{sh}'$ . By construction, $\tau_{G'}(n)=\tau_G(n)$ , $\tau_{G'}(m)=\tau_G(m)$ and $\{n,m\} \in \mathit{sh}$ . Since by hypothesis $\mathbb{G} = G \mathbin{\star} \mathit{sh} \mathbin{\star} \mathit{nl}$ is a pre- $\mathsf{ALPS}$ graph, $\mathit{sh}$ is $G$-SH-compatible and therefore $(\tau_{G'}(n),\tau_{G'}(m)) = (\tau_{G}(n),\tau_{G}(m))\in {SH}$ .

$\mathit{nl}'$ is $G'$-NL-compatible. The proof is analogous to the previous one.

A.3.3 The lattice of $\mathsf{ALPS}$ graphs

Among the clauses defining the operation $cl^{\uparrow}$ on pre-aliasing graphs, clauses 3, 4, and 5 of Definition 60 enjoy some special properties, since closure w.r.t. these clauses is preserved by counter-image of graph morphisms. This is formally stated by the following definition and lemma.

Definition 107. We say that a pre- $\mathsf{ALPS}$ graph $\mathbb{G} = G \mathbin{\star} \mathit{sh} \mathbin{\star} \mathit{nl}$ is partially closed when

  • $\{ n,m \} \in \mathit{sh} \wedge n' \xrightarrow{{\mathord{\mathtt{f}}}} n \Rightarrow \{ n', m \} \in \mathit{sh}$ ;

  • $n \xrightarrow{{\mathord{\mathtt{f}}}_1} m_1$ , $n \xrightarrow{{\mathord{\mathtt{f}}}_2} m_2$ , ${\mathord{\mathtt{f}}}_1 \neq {\mathord{\mathtt{f}}}_2$ , $\{m_1, m_2 \} \in \mathit{sh} \Rightarrow n \in \mathit{nl}$ ;

  • $n \in \mathit{nl} \wedge n' \xrightarrow{{\mathord{\mathtt{f}}}} n \Rightarrow n' \in \mathit{nl}$ .

Lemma 108. Let $G_1$ and $G_2$ be aliasing graphs, with $h: G_2 \rightarrow G_1$ . The following properties hold:

  • if $\{n_1,m_1\} \subseteq N_1$ is $G_1$ -SH-compatible, then $h^{-1}(\{n_1,m_1\})$ is $G_2$ -SH-compatible;

  • if $n_1 \in N_1$ is $G_1$ -NL-compatible, then $h^{-1}(n_1)$ is $G_2$ -NL-compatible;

  • if $G_1 \mathbin{\star} \mathit{sh}_1 \mathbin{\star} \mathit{nl}_1$ is partially closed, then $G_2 \mathbin{\star} h^{-1}(\mathit{sh}_1) \mathbin{\star} h^{-1}(\mathit{nl}_1)$ is partially closed, too.

Proof. For the first point, assume $\{n_1,m_1\}$ is $G_1$ -SH-compatible and $\{n_2,m_2\}\in h^{-1}(\{n_1,m_1\})$ . By Lemma 96, $\tau_{G_2}(n_2) \geq\tau_{G_1}(n_1)$ and $\tau_{G_2}(m_2) \geq \tau_{G_1}(m_1)$ . This implies that $\{n_2, m_2\}$ is $G_2$ -SH-compatible. The proof for the second point is similar.

For the third point, the following holds:

  • Assume that $\{n,m\} \in h^{-1}(\mathit{sh}_1)$ and $n' \xrightarrow{{\mathord{\mathtt{f}}}} n \in E_2$ . Then $\{ h(n), h(m) \} \in \mathit{sh}_1$ and by Lemma 96, $h(n') \xrightarrow{{\mathord{\mathtt{f}}}} h(n)\in E_1$ . Since $G_1 \mathbin{\star} \mathit{sh}_1 \mathbin{\star} \mathit{nl}_1$ is partially closed this implies $\{ h(n'), h(m) \} \in \mathit{sh}_1$ , hence $\{ n', m \} \in h^{-1}(\mathit{sh}_1)$ .

  • Now, assume $n \xrightarrow{{\mathord{\mathtt{f}}}_1} m_1$ , $n \xrightarrow{{\mathord{\mathtt{f}}}_2} m_2 \in E_2$ , ${\mathord{\mathtt{f}}}_1 \neq {\mathord{\mathtt{f}}}_2$ and $\{m_1,m_2\} \in h^{-1}(\mathit{sh}_1)$ . Then $\{ h(m_1), h(m_2) \}\in \mathit{sh}_1$ and by Lemma 96, $h(n) \xrightarrow{{\mathord{\mathtt{f}}}_1} h(m_1)$ , $h(n) \xrightarrow{{\mathord{\mathtt{f}}}_2} h(m_2) \in E_1$ . Since $G_1 \mathbin{\star} \mathit{sh}_1 \mathbin{\star} \mathit{nl}_1$ is partially closed this implies $h(n) \in \mathit{nl}_1$ , hence $n \in h^{-1}(\mathit{nl}_1)$ .

  • Finally, assume $n \in h^{-1}(\mathit{nl}_1)$ and $n' \xrightarrow{{\mathord{\mathtt{f}}}} n\in E_2$ . Then $h(n) \in \mathit{nl}_1$ and by Lemma 96, $h(n') \xrightarrow{{\mathord{\mathtt{f}}}} h(n) \in E_1$ . Since $G_1 \mathbin{\star} \mathit{sh}_1 \mathbin{\star} \mathit{nl}_1$ is partially closed, this means $h(n') \in \mathit{nl}_1$ and $n' \in h^{-1}(\mathit{nl}_1)$ .

Lemma 109. Let $\mathbb{G}_1$ and $\mathbb{G}_2$ be $\mathsf{ALPS}$ graphs. Then $\mathbb{G}_1 \curlyvee \mathbb{G}_2$ is an $\mathsf{ALPS}$ graph.

Proof. Let $\mathbb{G} = \mathbb{G}_1 \curlyvee \mathbb{G}_2$ . The proof that G is an aliasing graph and that for $k=1,2$ , $G_k \preceq G$ follows by Theorem 101. Let $h_1: G \rightarrow G_1$ , $h_2: G \rightarrow G_2$ be the corresponding morphisms. We prove that all conditions in the definition of $\mathsf{ALPS}$ graph are respected.

sh is G -SH-compatible. If $\{n,m\} \in \mathit{sh}$ , $\exists k \in \{1,2\}$ such that $\{ h_k(n), h_k(m) \} \in \mathit{sh}_k$ . Now the proof follows by the first point of Lemma 108 and since by hypothesis $\mathbb{G}_k$ is an $\mathsf{ALPS}$ graph.

nl is G -NL-compatible. The proof is similar to the previous one, using the second point of Lemma 108, and hence it is omitted.

Let $n \in N$ . By Lemma 100 there is $k \in \{1,2\}$ such that $h_k(n) \neq \bot$ . Then $\{ h_k(n) \} \in \mathit{sh}_k$ since $\mathbb{G}_k$ is an $\mathsf{ALPS}$ graph, hence $\{ n \} \in \mathit{sh}$ .

Assume there is a loop in N such that $n \xrightarrow{{\mathord{\mathtt{f}}}_1} m_1 \xrightarrow{{\mathord{\mathtt{f}}}_2} \cdots\xrightarrow{{\mathord{\mathtt{f}}}_r} n$ . By Lemma 100, there exists $k \in \{1,2\}$ such that $h_k(n) \neq \bot$ . By proceeding backward from the last edge toward the first using Lemma 96, we have that $h_k(n) \xrightarrow{{\mathord{\mathtt{f}}}_1} h_k(m_1)\xrightarrow{{\mathord{\mathtt{f}}}_2} \cdots \xrightarrow{{\mathord{\mathtt{f}}}_r} h_k(n)$ is a loop in $G_k$ involving $h_k(n)$ . Therefore, $h_k(n) \in \mathit{nl}_k$ and $n \in \mathit{nl}$ .

By the third point of Lemma 108 and since $\mathbb{G}_1$ and $\mathbb{G}_2$ are $\mathsf{ALPS}$ graphs, we have that $G \mathbin{\star} h_k^{-1}(\mathit{sh}_k) \mathbin{\star} h_k^{-1}(\mathit{nl}_k)$ is partially closed, for $k=1,2$ . Now, the following holds:

  • Assume that $\{ n,m \} \in \mathit{sh} \wedge n' \xrightarrow{{\mathord{\mathtt{f}}}} n \in E$ . Since $\mathit{sh}= h_1^{-1}(\mathit{sh}_1) \cup h_2^{-1}(\mathit{sh}_2)$ there is $k \in \{1,2\}$ such that $\{ n,m \} \in h_k^{-1}(\mathit{sh}_k)$ . Then, since $G \mathbin{\star} h_k^{-1}(\mathit{sh}_k) \mathbin{\star}h_k^{-1}(\mathit{nl}_k)$ is partially closed, we have that $\{ n', m \}\in h_k^{-1}(\mathit{sh}_k) \subseteq \mathit{sh}$ ;

  • Assume that $n \xrightarrow{{\mathord{\mathtt{f}}}_1} m_1$ , $n \xrightarrow{{\mathord{\mathtt{f}}}_2} m_2 \in E$ , ${\mathord{\mathtt{f}}}_1 \neq {\mathord{\mathtt{f}}}_2$ , $\{m_1,m_2 \} \in \mathit{sh}$ . Since $\mathit{sh}= h_1^{-1}(\mathit{sh}_1) \cup h_2^{-1}(\mathit{sh}_2)$ there is $k \in \{1,2\}$ such that $\{ m_1,m_2 \} \in h_k^{-1}(\mathit{sh}_k)$ . Then, since $G \mathbin{\star} h_k^{-1}(\mathit{sh}_k) \mathbin{\star}h_k^{-1}(\mathit{nl}_k)$ is partially closed, we have that $n \in h_k^{-1}(\mathit{nl}_k) \subseteq \mathit{nl}$ ;

  • Assume that $n \in \mathit{nl} \wedge n' \xrightarrow{{\mathord{\mathtt{f}}}} n $ . Since by definition $\mathit{nl}= h_1^{-1}(\mathit{nl}_1) \cup h_2^{-1}(\mathit{nl}_2)$ there is $k \in \{1,2\}$ such that $n\in h_k^{-1}(\mathit{nl}_k)$ . Then, since $G \mathbin{\star} h_k^{-1}(\mathit{sh}_k) \mathbin{\star}h_k^{-1}(\mathit{nl}_k)$ is partially closed, we have that $ n' \in h_k^{-1}(\mathit{nl}_k) \subseteq \mathit{nl}$ and then the thesis.

Lemma 110. Let $\mathbb{G}_1$ and $\mathbb{G}_2$ be $\mathsf{ALPS}$ graphs. Then $\mathbb{G}_1 \curlyvee \mathbb{G}_2$ is the least upper bound of $\mathbb{G}_1$ and $\mathbb{G}_2$ .

Proof. Let $\mathbb{G} = \mathbb{G}_1 \curlyvee \mathbb{G}_2$ . By Lemma 109 we have that $\mathbb{G}_1 \curlyvee \mathbb{G}_2$ is an $\mathsf{ALPS}$ graph. The following holds:

By Theorem 101 for $k=1,2$ , $G_k \preceq G_1 \curlyvee G_2 =G $ and let $h_k: G \rightarrow G_k$ be the corresponding morphism. We have that ${h_k}^{-1}(\mathit{sh}_k) \subseteq {h_1}^{-1}(\mathit{sh}_1) \cup {h_2}^{-1}(\mathit{sh}_2)=\mathit{sh}$ and ${h_k}^{-1}(\mathit{nl}_k) \subseteq {h_1}^{-1}(\mathit{nl}_1) \cup {h_2}^{-1}(\mathit{nl}_2)=\mathit{nl}$ . Then the thesis follows by Propositions 105 and 106.

Let $\mathbb{G}'$ be an $\mathsf{ALPS}$ graph and assume that $\mathbb{G}_1\preceq \mathbb{G}'$ and $\mathbb{G}_2 \preceq \mathbb{G}'$ . Obviously $G\preceq G'$ since $G = G_1 \curlyvee G_2$ . Let $h'_1: G' \rightarrow G_1$ , $h'_2: G' \rightarrow G_2$ be morphisms of aliasing graphs, they factor through $h: G' \rightarrow G$ and $h_1: G\rightarrow G_1$ , $h_2: G \rightarrow G_2$ , that is, $h'_1 = h_1 \circ h$ and $h'_2 = h_2 \circ h$ . Since, by Propositions 105 and 106, ${h'_k}^{-1}(\mathit{sh}_k) \subseteq \mathit{sh}'$ , we have $h^{-1}(h_k^{-1}(\mathit{sh}_k))\subseteq \mathit{sh}'$ , hence $h^{-1}(\mathit{sh})= h^{-1}(h_1^{-1}(\mathit{sh}_1) \cup h_2^{-1}(\mathit{sh}_2))= h^{-1}(h_1^{-1}(\mathit{sh}_1)) \cup h^{-1}(h_2^{-1}(\mathit{sh}_2))\subseteq \mathit{sh}'$ . Similarly for the nonlinearity component. Therefore, the proof follows by Propositions 105 and 106.

Lemma 111. Let $\mathbb{G}_1$ and $\mathbb{G}_2$ be $\mathsf{ALPS}$ graphs. Then $\mathbb{G}_1 \curlywedge \mathbb{G}_2$ is the greatest lower bound of $\mathbb{G}_1$ and $\mathbb{G}_2$ .

Proof. Let $\mathbb{G} = \mathbb{G}_1 \curlywedge \mathbb{G}_2$ . By Definition 72, $\mathbb{G}=cl^{\downarrow}(\mathbb{G}')$ , where $\mathbb{G}' = G' \mathbin{\star} \mathit{sh}' \mathbin{\star} \mathit{nl}'$ and

  • $G' = G_1 \curlywedge G_2$ with morphisms $h_1:G_1 \rightarrow G'$ and $h_2: G_2 \rightarrow G'$ ;

  • $\mathit{sh}' = \{ \{n,m\} \in \mathcal{P}_2(N') \mid \forall k \in \{1,2\}\ h_k^{-1}(\{\{n,m\}\}) \subseteq \mathit{sh}_k \}$ ;

  • $\mathit{nl}' = \{ n \in N' \mid \forall k \in \{1,2\}\ h_k^{-1}(n) \subseteq\mathit{nl}_k \}$ .

The proof that $G'$ is an aliasing graph and that for $k=1,2$ , $G' \preceq G_k$ follows by Theorem 102, and $h_1: G_1 \rightarrow G'$ , $h_2: G_2 \rightarrow G'$ are the corresponding morphisms. By Theorem 68, we only have to prove that $\mathbb{G}'$ is closed w.r.t. red. The following holds:

$\mathit{sh}'$ is $G'$-SH-compatible. Assume $\{n,m\} \in \mathit{sh}'$ . By the third point of Lemma 96, for each $k \in \{1,2\}$ , there are nodes $n_k, m_k \in N_k$ s.t. $h_k(n_k)=n$ , $h_k(m_k)=m$ , $\tau_{G_k}(n_k)=\tau_{G'}(n)$ , and $\tau_{G_k}(m_k)=\tau_{G'}(m)$ . Moreover, by definition of $\mathit{sh}'$ , $\{n_k,m_k\} \in \mathit{sh}_k$ . Since $\mathbb{G}_k$ is an $\mathsf{ALPS}$ graph, we have $(\tau_{G'}(n),\tau_{G'}(m)) = (\tau_{G_k}(n_k),\tau_{G_k}(m_k))\in {SH}$ and then the thesis.

$\mathit{nl}'$ is $G'$-NL-compatible. Assume $n \in \mathit{nl}'$ . By the third point of Lemma 96, for each $k \in \{1,2\}$ , there exists $n_k \in N_k$ s.t. $h_k(n_k)=n$ , $\tau_{G_k}(n_k)=\tau_{G'}(n)$ and, by definition of $\mathit{nl}'$ , $n_k \in\mathit{nl}_k$ . Since $\mathbb{G}_k$ is an $\mathsf{ALPS}$ graph, $\tau_{G'}(n) = \tau_{G_k}(n_k)\in {NL}$ .

By definition $\mathbb{G}\preceq \mathbb{G}'$ . Therefore, it is sufficient to prove that $\mathbb{G}'$ is a lower bound of $\mathbb{G}_1$ and $\mathbb{G}_2$ . By Theorem 102 for $k=1,2$ , $G' = G_1 \curlywedge G_2 \preceq G_k$ . If $\{n,m\} \in \mathit{sh}'$ , then $h_k^{-1}(\{n,m\}) \subseteq \mathit{sh}_k$ by definition and therefore $h_k^{-1}(\mathit{sh}') \subseteq \mathit{sh}_k$ . Analogously, if $n \in \mathit{nl}'$ , then $h_k^{-1}(n) \subseteq \mathit{nl}_k$ and then $h_k^{-1}(\mathit{nl}') \subseteq \mathit{nl}_k$ . Hence, for $k=1,2$ , by Propositions 105 and 106, $\mathbb{G}' \preceq \mathbb{G}_k$ .

Let $\mathbb{G}^*$ be an $\mathsf{ALPS}$ graph smaller than $\mathbb{G}_1$ and $\mathbb{G}_2$ , with corresponding morphisms $h^*_1$ and $h^*_2$ ; we prove that $\mathbb{G}^* \preceq \mathbb{G}'$ . By Proposition 106, we have to prove the following facts.

Obviously $G^* \preceq G_1 \curlywedge G_2=G'$ and therefore there is $h^*: G' \rightarrow G^*$ s.t. $h^*_k = h^* \circ h_k$ .

Let $\{n, m \} \in {h^*}^{-1}(\mathit{sh}^*)$ . Since for $k=1,2$ , $\mathbb{G}^* \preceq \mathbb{G}_k$ , by Propositions 105 and 106, ${h^*_k}^{-1}(\mathit{sh}^*) \subseteq \mathit{sh}_k$ . Moreover ${h^*_k}^{-1} = h_k^{-1} \circ {h^*}^{-1}$ and then

\begin{equation*}{h_k}^{-1}(\{n, m\}) \subseteq h_k^{-1}({h^*}^{-1}(\mathit{sh}^*))= {h^*_k}^{-1}(\mathit{sh}^*)\subseteq \mathit{sh}_k .\end{equation*}

By Definition 72, $\mathit{sh}'= \{ \{n',m'\} \in\mathcal{P}_2(N') \mid \forall k \in \{1,2\}. h_k^{-1}(\{n',m'\}) \subseteq \mathit{sh}_k \}$ . Therefore, $\{n, m \} \in \mathit{sh}'$ and then the thesis.

The proof for the nonlinearity component is analogous to the previous one.

Therefore, we have that $\mathbb{G}^* \preceq \mathbb{G}'$ . Moreover since $\mathbb{G}^*$ is closed and $\mathbb{G}$ is the greatest closed pre- $\mathsf{ALPS}$ graph smaller than $\mathbb{G}'$ , we have that $\mathbb{G}^* \preceq \mathbb{G}$ .

Theorem 74. The preordered set of $\mathsf{ALPS}$ graphs has

  • a least element $\bot_\tau \mathbin{\star} \emptyset \mathbin{\star} \emptyset$ ;

  • a greatest element $\top_\tau \,\mathbin{\star} \,\mathit{sh} \,\mathbin{\star} \, \mathit{nl}$ , where

      • $\mathit{sh} = \{\{ n, m \} \in \mathcal{P}_2(I_\tau) \mid (\tau(n),\tau(m)) \in {SH}\}$ and

      • $\mathit{nl} = \{ n \in I_\tau \mid \tau(n) \in {NL}\}$ ;

  • a least upper bound $\mathbb{G}_1 \curlyvee \mathbb{G}_2$ for each pair $\mathbb{G}_1$ and $\mathbb{G}_2$ of $\mathsf{ALPS}$ graphs;

  • a greatest lower bound $\mathbb{G}_1 \curlywedge \mathbb{G}_2$ for each pair $\mathbb{G}_1$ and $\mathbb{G}_2$ of $\mathsf{ALPS}$ graphs.

Proof. The proof that $\bot=\bot_\tau \mathbin{\star} \emptyset \mathbin{\star} \emptyset$ and $\top= \top_\tau \,\mathbin{\star} \,\mathit{sh} \,\mathbin{\star} \, \mathit{nl}$ are least and greatest element is straightforward. Given a generic $\mathsf{ALPS}$ graph $\mathbb{G}$ , it is easy to prove that $\bot \preceq \mathbb{G}$ and $\mathbb{G} \preceq \top$ . For the latter, if $h: \top_\tau \rightarrow G$ , Lemma 108 ensures that $h^{-1}(\mathit{nl}) \subseteq \top.\mathit{nl}$ and $h^{-1}(\mathit{sh}) \subseteq \top.\mathit{sh}$ . Now, the proof follows by Lemmas 110 and 111.

A.3.4 The domain of $\mathsf{ALPS}$ graphs

The following proposition shows that the abstraction of a concrete state is an $\mathsf{ALPS}$ graph.

Proposition 112. If $\sigma \in \Sigma_\tau$ , then $\alpha(\sigma)$ is an $\mathsf{ALPS}$ graph.

Proof. Let $\sigma = \phi \mathbin{\star} \mu$ . Recall that, by Definition 52, $\alpha_a(\sigma) = G$ where

  • $N =\{ l \in \mathord{\mathit{Loc}} \mid \exists i \in I_\tau \ \phi(i)=l \}$ ;

  • $n \xrightarrow{{\mathord{\mathtt{f}}}} n' \in E$ iff $n.{\mathord{\mathtt{f}}}=n' \in N$ ;

  • $\ell=\phi$

By Definition 62, we have to prove that

sh is G -SH-compatible. Assume $\{n,m\} \in \mathit{sh}$ . By definition of $\alpha(\sigma)$ , $n,m \in \mathord{\mathit{Loc}}$ , n,m share in $\sigma$ and there exist $i,j \in I_\tau$ such that $\phi(i)=n$ , $\phi(j)=m$ , $\tau(i)=\tau_G(n)$ , $\tau(j)=\tau_G(m)$ . Then by Definition 22, i and j share in $\sigma$ and by Definition 32, $C(\tau(i))\cap C(\tau(j)) \neq \emptyset$ . Therefore, by previous results, $C(\tau_G(n))\cap C(\tau_G(m)) \neq \emptyset$ and hence $(\tau_G(n),\tau_G(m)) \in {SH}$ .

nl is G -NL-compatible. The proof is analogous to the previous one by using Proposition 34 and hence it is omitted.

$\{n\} \in \mathit{sh}$ for each $n \in N$ . Straightforward by observing that, by definition of G, if $n \in N$ there exists $i \in I_\tau$ s.t. $\phi(i)=n$ . Therefore, $n\in \mathord{\mathit{Loc}}$ , n shares with itself in $\sigma$ and, by Definition 75, $\{n\} \in \mathit{sh}$ .

If there is a nonempty loop in G involving n , then $n \in \mathit{nl}$ . Assume there is a loop in G such that $n \xrightarrow{{\mathord{\mathtt{f}}}_1} n_1 \xrightarrow{{\mathord{\mathtt{f}}}_2} \cdots\xrightarrow{{\mathord{\mathtt{f}}}_r} n$ . Therefore, $n=n.{\mathord{\mathtt{f}}}_1 \ldots {\mathord{\mathtt{f}}}_r $ in $\sigma$ and then, by Definition 12, n is not linear in $\sigma$ . By Definition 75, $n \in \mathit{nl}$ and hence the thesis.

Assume that $\{ n,m \} \in \mathit{sh}$ and $n' \xrightarrow{{\mathord{\mathtt{f}}}} n $ . By definition of $\alpha(\sigma)$ , n and m share in $\sigma$ and then, by Definition 12, there exists $l \in dom(\mu)$ such that $n \xrightarrow{*}_\sigma l$ and $m \xrightarrow{*}_\sigma l$ . Moreover, by definition of G, $n'.{\mathord{\mathtt{f}}}=n$ . Therefore, by Definition 12, $n' \xrightarrow{*}_\sigma l$ , n’ shares with m in $\sigma$ and then, by definition of $\alpha(\sigma)$ , $\{ n', m \} \in \mathit{sh}$ .

Now, assume that $n \xrightarrow{{\mathord{\mathtt{f}}}_1} m_1$ , $n\xrightarrow{{\mathord{\mathtt{f}}}_2} m_2$ , ${\mathord{\mathtt{f}}}_1 \neq {\mathord{\mathtt{f}}}_2$ and $\{m_1,m_2 \} \in \mathit{sh}$ . By definition of G, $n.{{\mathord{\mathtt{f}}}_1}=m_1 \neq{\mathord{\mathtt{null}}}$ , $n.{{\mathord{\mathtt{f}}}_2}=m_2 \neq {\mathord{\mathtt{null}}}$ and $m_1,m_2$ share in $\sigma$ . Then since ${\mathord{\mathtt{f}}}_1 \neq {\mathord{\mathtt{f}}}_2$ , by Definition 12, n is nonlinear in $\sigma$ and therefore, by definition of $\alpha(\sigma)$ , $n \in \mathit{nl}$ .

Finally, assume that $n \in \mathit{nl}$ and $n' \xrightarrow{{\mathord{\mathtt{f}}}} n$ . By definition of $\alpha(\sigma)$ and by Definition 12, there are two sequences of fields $\bar{{\mathord{\mathtt{f}}}}_1 \neq \bar{{\mathord{\mathtt{f}}}}_2$ such that $n.\bar {\mathord{\mathtt{f}}}_1 = n.\bar{\mathord{\mathtt{f}}}_2 \neq {\mathord{\mathtt{null}}}$ . Then, since $n'.{{\mathord{\mathtt{f}}}}=n \neq {\mathord{\mathtt{null}}}$ by definition of G, we have that $n'.{\mathord{\mathtt{f}}} \cdot \bar {\mathord{\mathtt{f}}}_1 = n'.{\mathord{\mathtt{f}}} \cdot \bar{\mathord{\mathtt{f}}}_2 \neq {\mathord{\mathtt{null}}}$ , with ${\mathord{\mathtt{f}}} \cdot\bar{{\mathord{\mathtt{f}}}}_1 \neq {\mathord{\mathtt{f}}} \cdot\bar{{\mathord{\mathtt{f}}}}_2$ . Therefore, n' is nonlinear in $\sigma$ and then, by definition of $\alpha(\sigma)$ , $n'\in \mathit{nl}$ .
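The Python below is an added example, not code from the paper or its authors. It builds a small constructed concrete state (a heap with five locations and two variables, all assumed names), reads off the components of $\alpha(\sigma)$ the way the proof above does (nodes are the locations named by some identifier, edges follow fields between such nodes, $\mathit{sh}$ comes from reachability to a common location, $\mathit{nl}$ from two distinct field paths reaching the same location, loops included), and checks that the result satisfies the three clauses of Definition 107. It then runs those same three clauses as a fixpoint over a hand-built pre- $\mathsf{ALPS}$ graph that is not partially closed, which is the part of $cl^{\uparrow}$ that Lemma 108 is about. Types and the SH/NL-compatibility side conditions are left out, and the fixpoint applies only the three clauses of Definition 107, not the whole of $cl^{\uparrow}$ (for instance it never adds a singleton $\{n\}$ on its own).

```python
from itertools import combinations

# Constructed concrete state sigma = phi * mu (assumed data, not from the paper).
# mu: location -> {field: location or None}; None plays the role of null.
HEAP = {
    "l1": {"left": "l3", "right": "l4"},
    "l2": {"left": "l3", "right": None},
    "l3": {"left": "l5", "right": "l5"},   # l3.left == l3.right: l3 is nonlinear
    "l4": {"left": None, "right": "l4"},   # self-loop: l4 is nonlinear
    "l5": {"left": None, "right": None},
}
# phi on variables; the qualified identifiers v.f are derived from the heap.
ENV = {"x": "l1", "y": "l2"}


def reachable(heap, loc):
    """All locations reachable from loc through field paths (loc included)."""
    seen, todo = set(), [loc]
    while todo:
        cur = todo.pop()
        if cur in seen:
            continue
        seen.add(cur)
        todo.extend(t for t in heap[cur].values() if t is not None)
    return seen


def share(heap, n, m):
    """n and m share iff some location is reachable from both."""
    return bool(reachable(heap, n) & reachable(heap, m))


def nonlinear(heap, start):
    """start is nonlinear iff two different field paths from it reach the same
    location.  A DFS without memoisation enters a location once per distinct
    path, so a second entry is exactly a second path; a loop back to start (or
    to any node already entered) is caught the same way and stops recursion."""
    visits = {}

    def dfs(loc):
        visits[loc] = visits.get(loc, 0) + 1
        if visits[loc] > 1:
            return True
        return any(dfs(t) for t in heap[loc].values() if t is not None)

    return dfs(start)


def abstract(env, heap):
    """alpha(sigma) as in the proof of Proposition 112: N = locations named by a
    variable v or a qualified v.f; n -f-> n' iff n.f = n' in N; sh = pairs (and
    singletons) of nodes that share; nl = nonlinear nodes."""
    ident = dict(env)
    for v, loc in env.items():
        if loc is not None:
            for f, tgt in heap[loc].items():
                ident[f"{v}.{f}"] = tgt
    nodes = {loc for loc in ident.values() if loc is not None}
    edges = {(n, f, t) for n in nodes for f, t in heap[n].items() if t in nodes}
    sh = {frozenset((n, m)) for n in nodes for m in nodes if share(heap, n, m)}
    nl = {n for n in nodes if nonlinear(heap, n)}
    return nodes, edges, sh, nl


def closure_violations(edges, sh, nl):
    """Facts required by the three clauses of Definition 107 that (sh, nl)
    lacks, as (missing pairs, missing nl nodes); both empty iff partially closed."""
    preds, outs = {}, {}
    for n, f, m in edges:
        preds.setdefault(m, set()).add(n)
        outs.setdefault(n, []).append((f, m))
    missing_sh, missing_nl = set(), set()
    for pair in sh:                      # {n,m} in sh, n' -f-> n  =>  {n',m} in sh
        n, m = (tuple(pair) * 2)[:2]     # a singleton {n} is the pair (n, n)
        for a, b in ((n, m), (m, n)):
            for p in preds.get(a, ()):
                if frozenset((p, b)) not in sh:
                    missing_sh.add(frozenset((p, b)))
    for n, lst in outs.items():          # n -f1-> m1, n -f2-> m2, f1 != f2, {m1,m2} in sh  =>  n in nl
        for (f1, m1), (f2, m2) in combinations(lst, 2):
            if f1 != f2 and frozenset((m1, m2)) in sh and n not in nl:
                missing_nl.add(n)
    for n in nl:                         # n in nl, n' -f-> n  =>  n' in nl
        missing_nl.update(p for p in preds.get(n, ()) if p not in nl)
    return missing_sh, missing_nl


def partial_closure(edges, sh, nl):
    """Least fixpoint of the three clauses above (assumption: only these
    clauses, not the full cl-up of Definition 60)."""
    sh, nl = set(sh), set(nl)
    while True:
        more_sh, more_nl = closure_violations(edges, sh, nl)
        if not more_sh and not more_nl:
            return sh, nl
        sh |= more_sh
        nl |= more_nl


# Hand-built pre-ALPS graph (assumed) that is not partially closed: only {b,c}
# is recorded as sharing although a reaches both b and c, and d reaches a.
EDGES0 = {("a", "f", "b"), ("a", "g", "c"), ("d", "h", "a")}
SH0 = {frozenset(("b", "c"))}
NL0 = set()

if __name__ == "__main__":
    nodes, edges, sh, nl = abstract(ENV, HEAP)
    print("N =", sorted(nodes), "nl =", sorted(nl))
    print("sh =", sorted(sorted(p) for p in sh))
    print("violations in alpha(sigma):", closure_violations(edges, sh, nl))
    sh1, nl1 = partial_closure(EDGES0, SH0, NL0)
    print("closed sh =", sorted(sorted(p) for p in sh1), "closed nl =", sorted(nl1))
```

Two things worth noticing when running it: the location `l5` is reachable but named by no identifier, so it is not a node and `l3` has no outgoing edges in $\alpha(\sigma)$, yet `l3` is still in $\mathit{nl}$ because nonlinearity is computed on the concrete heap; and in the hand-built graph the fixpoint propagates sharing upwards through predecessors and nonlinearity from the fork at `a` to its predecessor `d`, exactly the direction of the three clauses.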

Proposition 76. (Concretization of $\mathsf{ALPS}$ graphs) The concretization map induced by the abstraction map $\alpha$ satisfies the following property:

\begin{equation*}\begin{split}\gamma(\mathbb{G}) = \big\{ \sigma \in \Sigma_\tau \mid\ & \sigma \in\gamma_a(G), \\& \forall i \in I_\tau.\ i \text{ nonlinear in } \sigma \Rightarrow \ell(i) \in \mathit{nl},\\& \forall i,i' \in I_\tau.\ i \text{ shares with } i' \text{ in } \sigma\Rightarrow \{ \ell(i), \ell(i')\} \in \mathit{sh} \big\} \enspace .\end{split}\end{equation*}

Proof. It is a straightforward application of the definition of $\alpha$ .

Proposition 113. Let $\sigma =\phi \mathbin{\star} \mu \in \Sigma_\tau$ , $i_1,i_2 \in I_\tau$ and let $\mathbb{G} \in \mathsf{ALPS}$ , such that $\sigma \in \gamma(\mathbb{G})$ .

  • if $\phi(i_1) \neq {\mathord{\mathtt{null}}}$ , then $\tau(\phi(i_1)) \leq \tau_G(\ell(i_1))$ ;

  • if $i_1$ and $i_2$ share in $\sigma$ , then $\{\ell(i_1), \ell(i_2)\} \in \mathcal{P}_2(N)$ is G-SH-compatible and $C(\tau(i_1))\cap C(\tau_G(\ell(i_2)))\neq \emptyset$ ;

  • if $i_1$ is not linear in $\sigma$ , then $\ell(i_1)\in N$ is G-NL-compatible.

Proof. Given $\mathbb{G}'= \alpha(\sigma)$ , we have $\mathbb{G}' \preceq \mathbb{G}$ . Moreover:

  • By Proposition 21, for each $j \in I_\tau$ such that $\phi(j)=\phi(i_1)$ , we have that $\tau(\phi(i_1))= \tau(\phi(j)) \leq \tau(j)$ and therefore, by Definition 69, $\tau(\phi(i_1)) \leq \tau_{G'}(\ell'(i_1))$ . Moreover, by Lemma 96, $\tau_{G'}(\ell'(i_1)) \leq \tau_{G}(\ell(i_1))$ .

  • Now, assume that $i_1$ and $i_2$ share in $\sigma$ . By Lemma 93, $C(\tau(\phi(i_1)))\cap C(\tau(\phi(i_2))) \neq \emptyset$ . By Proposition 21, we get $C(\tau(i_1))\cap C(\tau(\phi(i_2))) \neq \emptyset$ , and by the first point of this proposition, we get both $C(\tau(i_1))\cap C(\tau_G(\ell(i_2))) \neq \emptyset$ and $C(\tau_G(\ell(i_1))) \cap C(\tau_G(\ell(i_2))) \neq \emptyset$ , the latter meaning that $\{ \ell(i_1), \ell(i_2) \}$ is G-SH-compatible.

  • Finally, assume that $i_1$ is not linear in $\sigma$ . By Lemma 94, $\tau(\phi(i_1)) \in {NL}$ . Then, by the first point of this proposition, we have $\tau_G(\ell(i_1)) \in {NL}$ , that is, $\ell(i_1)$ is G-NL-compatible.

A.4 An abstract semantics on $\mathsf{ALPS}$

A.4.1 Auxiliary operators

Proposition 80. For each $\mathbb{G} \in \mathsf{ALPS}_\tau$ and $V\subseteq dom(\tau)$ , $\gamma(\mathbb{G})_{\Vert V} \subseteq \gamma(\mathbb{G}_{\Vert V})$ .

Proof. Let $W=V \cup \{v.{\mathord{\mathtt{f}}} \in Q_\tau \mid v \in V\}$ and let $\phi \mathbin{\star} \mu \in \gamma(\mathbb{G})_{\Vert V}$ . By definition, there exists $\phi' \mathbin{\star} \mu \in \gamma(\mathbb{G})$ such that $\phi=\phi'|_{V}$ and $\alpha(\phi'\mathbin{\star} \mu )\preceq\mathbb{G}$ . Let $\alpha(\phi'\mathbin{\star} \mu)=G_1 \mathbin{\star} \mathit{sh}_1 \mathbin{\star} \mathit{nl}_1$ , $\alpha(\phi\mathbin{\star} \mu )=G_2 \mathbin{\star} \mathit{sh}_2 \mathbin{\star} \mathit{nl}_2$ , $\mathbb{G}=G \mathbin{\star} \mathit{sh} \mathbin{\star} \mathit{nl}$ and $\mathbb{G}_{\Vert V}= G'\mathbin{\star} \mathit{sh}' \mathbin{\star} \mathit{nl}'$ . Since $\alpha(\phi'\mathbin{\star} \mu )\preceq\mathbb{G}$ by Proposition 57 and Theorem 42, there exists a morphism $h: G \rightarrow G_1$ , such that $\forall i \in I_\tau. \ell_1(i) \in \mathit{nl}_1 \Rightarrow \ell(i) \in \mathit{nl}$ and $ \forall i,j \in I_\tau. \ \{\ell_1(i), \ell_1(j)\} \in \mathit{sh}_1 \Rightarrow \{\ell(i), \ell(j)\} \in \mathit{sh}.$ The following holds

( $h'=h|_{N'}$ is a morphism from $G'$ to $G_2$ ) To prove the statement it is sufficient to observe that, by Definition 52, for each $w \in W$ , $h'(\ell'(w))=h|_{N'}(\ell|_{V}(w))=h(\ell(w))=\ell_1(w)=\phi'(w)=\phi(w)=\ell_2(w)$ and then the thesis.

( $\forall i \in W. \ell_2(i) \in \mathit{nl}_2 \Rightarrow \ell'(i) \in \mathit{nl}'$ ) Let $i \in W$ such that $\ell_2(i) \in \mathit{nl}_2$ . By Definitions 52 and 75, $\ell_2(i)=\phi(i)=\phi'(i)$ and $\phi(i)$ is not linear in $\phi\mathbin{\star} \mu$ . Since $\phi=\phi'|_{V}$ , we have that $\phi'(i)$ is not linear in $\phi'\mathbin{\star} \mu$ and therefore $\phi(i)=\phi'(i)=\ell_1(i)\in \mathit{nl}_1$ . Then $\ell(i) \in \mathit{nl}$ and by definition of $\mathbb{G}_{\Vert V}$ , we have that $\ell'(i) =\ell(i)\in \mathit{nl}'$ and then the thesis.

( $\forall i,j \in W. \{\ell_2(i), \ell_2(j)\} \in \mathit{sh}_2 \Rightarrow \{\ell'(i), \ell'(j)\} \in \mathit{sh}'$ ) The proof is similar to the previous one and hence it is omitted.

By previous results $\alpha(\phi \mathbin{\star} \mu )\preceq\mathbb{G}_{\Vert V}$ . Therefore, $\phi \mathbin{\star} \mu \in \gamma(\mathbb{G}_{\Vert V})$ and then the thesis.

Lemma 114. Given $i \in I_\tau$ , we have that $\top_{|i={\mathord{\mathtt{null}}}}$ is the largest $\mathsf{ALPS}$ -graph such that $\ell(i)={\mathord{\mathtt{null}}}$ .

Proof. Let us denote by $N_\top$ the set of nodes in $\top_{|i={\mathord{\mathtt{null}}}}$ and by $\ell_\top$ its labeling function. Note that, if $i \in Q_\tau$ , then $N_\top=I_\tau \setminus \{i\}$ , otherwise i is a variable v and $N_\top = I_\tau \setminus \{v\} \setminus \{v.{\mathord{\mathtt{f}}} \mid v.{\mathord{\mathtt{f}}} \in Q_\tau\}$ . Moreover, note that $\ell_\top(i)= i$ if $i \in N_\top$ , $\bot$ otherwise.

Given an $\mathsf{ALPS}$ graph $\mathbb{G}$ such that $\ell(i)={\mathord{\mathtt{null}}}$ , consider the map $h: N_\top \nrightarrow N$ such that $h(j) = \ell(j)$ for each $j \in N_\top$ . This is a morphism between aliasing graphs, since for each identifier j:

  • If $j \notin N_\top$ , then $h(\ell_\top(j))=h(\bot)=\bot$ . Moreover, j is either i or an identifier $i.{\mathord{\mathtt{f}}}$ . In both cases, $\ell(j)=\bot$ .

  • If $j \in N_\top$ , then $h(\ell_\top(j))=h(j)=\ell(j)$ .

As a consequence, we also have that $\ell(j)\neq\bot$ implies $\ell_\top(j)\neq\bot$ . By definition of the sharing and nonlinearity components of $\top$ , it is immediate to check that $\mathbb{G} \preceq \top_{|i={\mathord{\mathtt{null}}}}$ .

Proposition 82. For each $\mathbb{G} \in \mathsf{ALPS}_\tau$ and $i \in I_\tau$ , $\mathbb{G}_{|i={\mathord{\mathtt{null}}}} = \mathbb{G} \curlywedge \top_{|i={\mathord{\mathtt{null}}}}$ .

Proof. We prove the two implications of the equality separately.

By Proposition 65 we know that $\mathbb{G}_{|i={\mathord{\mathtt{null}}}} \preceq \mathbb{G}$ , while from Lemma 114 we have that $\mathbb{G}_{|i={\mathord{\mathtt{null}}}} \preceq \top_{|i={\mathord{\mathtt{null}}}}$ . The result follows since $\curlywedge$ is the greatest lower bound.


Let $\mathbb{G}_1=\mathbb{G} \curlywedge \top_{|i={\mathord{\mathtt{null}}}}$ and $\mathbb{G}_2=\mathbb{G}_{|i={\mathord{\mathtt{null}}}}$ . The following facts hold.

Let $j \in I_\tau$ such that $\ell_2(j)= \bot$ ; we show that $\ell_1(j)=\bot$ too. By definition of $\mathbb{G}_{|i={\mathord{\mathtt{null}}}}$ , if $\ell_2(j)=\bot$ then either $\ell(j)=\bot$ or $\ell(j) \in \overrightarrow{\{\ell(i)\}}$ . In the latter case, if $\ell'$ is the labeling map of $\top_{|i={\mathord{\mathtt{null}}}}$ , we have that $\ell'(j)=\bot$ . Hence, either $\ell(j)=\bot$ or $\ell'(j)=\bot$ . Due to the definition of $\curlywedge$ , in both cases we have $\ell_1(j)=\bot$ .

Since $\mathbb{G}_1 \preceq \mathbb{G}$ there exists $h_1: N \nrightarrow N_1$ such that for each $j \in I_\tau$ , $h_1(\ell(j))=\ell_1(j)$ . Consider $h: N_2 \nrightarrow N_1$ such that

\begin{equation*}h(\ell_2(j)) = \begin{cases}h_1 (\ell(j)) & \text{if $\ell_2(j) \neq \bot $}\\\bot & \text{otherwise}\end{cases}\end{equation*}

This is well defined since if $\ell_2(j)=\ell_2(j')\neq \bot$ , then by definition of $\mathbb{G}_{|i={\mathord{\mathtt{null}}}}$ , $\ell(j)=\ell(j')\neq \bot$ . Moreover, it is a graph morphism. Given $j \in I_\tau$ , if $\ell_2(j)\neq \bot$ , then $h(\ell_2(j))=\ell_1(j)$ by the definition above. Moreover, by the previous point, if $\ell_2(j)= \bot$ , then $\ell_1(j)= \bot$ . Hence $h(\ell_2(j))=\ell_1(j)$ again.

First of all, observe that if $\{j,j'\} \in \ell_1^{-1}(\mathit{sh}_1)$ , then by previous result and by definition of $\preceq$ we have that $j,j' \in N_2$ and $\{j,j'\} \in \ell^{-1}(\mathit{sh})$ . Now the thesis is immediate by definition of $\mathbb{G}_2$ .

The proof is analogous to the previous one.

Proposition 83. For each $\mathbb{G} \in \mathsf{ALPS}_\tau$ and $i \in I_\tau$ , $\gamma(\mathbb{G})_{|i={\mathord{\mathtt{null}}}} \subseteq \gamma(\mathbb{G}_{|i={\mathord{\mathtt{null}}}})$ .

Proof. If $\sigma \in \gamma(\mathbb{G})_{|i={\mathord{\mathtt{null}}}}$ , then $\sigma \in \gamma(\mathbb{G})$ and $\phi(i) = {\mathord{\mathtt{null}}}$ , that is, $\sigma \in \gamma(\top_{|i={\mathord{\mathtt{null}}}})$ by Lemma 114. Therefore, $\sigma \in \gamma(\mathbb{G}) \cap \gamma(\top_{|i={\mathord{\mathtt{null}}}}) \subseteq \gamma(\mathbb{G} \curlywedge \top_{|i={\mathord{\mathtt{null}}}})$ , which is equal to $\gamma(\mathbb{G}_{|i={\mathord{\mathtt{null}}}})$ by Proposition 82.

Proposition 115. Let $v \in dom(\tau)$ and let $\mathbb{G}, \mathbb{G}'\in \mathsf{ALPS}$ , such that $\mathbb{G} \preceq \mathbb{G}'$ . Then $\mathbb{G} _{|v={\mathord{\mathtt{null}}}}\preceq \mathbb{G}'_{|v={\mathord{\mathtt{null}}}}$ .

Proof. The proof is immediate, by observing that by hypothesis and by Proposition 82, $\mathbb{G}_{|v={\mathord{\mathtt{null}}}} = \mathbb{G} \curlywedge \top_{|v={\mathord{\mathtt{null}}}}\preceq \mathbb{G}' \curlywedge \top_{|v={\mathord{\mathtt{null}}}}=\mathbb{G}' _{|v={\mathord{\mathtt{null}}}}$ .

Lemma 116. Given $v, w \in dom(\tau)$ , we have that $\top_{|v=w}$ is the largest $\mathsf{ALPS}$ -graph such that $\ell(v)=\ell(w)$ .

Proof. Let $\mathbb{G}$ be an $\mathsf{ALPS}$ graph such that $\ell(v)=\ell(w)$ . If $\tau(v)$ and $\tau(w)$ do not form a chain, then $\ell(v)=\ell(w)$ implies that $\ell(v)={\mathord{\mathtt{null}}}=\ell(w)$ , and we have $\mathbb{G} \preceq \top_{|v=w} = \top_{|v={\mathord{\mathtt{null}}},w={\mathord{\mathtt{null}}}}$ by Lemma 114.

If $\tau(v)$ and $\tau(w)$ do form a chain, let us denote by $N_\top$ the set of nodes in $\top_{|v=w}$ and by $\ell_\top$ its labeling function. Assume, without loss of generality, that $\tau(v) \leq \tau(w)$ . Then $N_\top = I_\tau \setminus \{ w \} \setminus \{ w.{\mathord{\mathtt{f}}} \mid {\mathord{\mathtt{f}}} \in dom(\tau(w))\}$ and $\ell_\top(i)$ is equal to i, with the proviso that any possible occurrence of w is replaced by v. Consider the map $h: N_\top \nrightarrow N$ such that $h(j) = \ell(j)$ for each $j \in N_\top$ . This is a morphism between aliasing graphs since for each identifier j:

  • if $j = w$ , then $h(\ell_\top(w))=h(v)=\ell(v)=\ell(w)$ ;

  • if $j = w.{\mathord{\mathtt{f}}}$ , then $h(\ell_\top(w.{\mathord{\mathtt{f}}}))= h(v.{\mathord{\mathtt{f}}})= \ell(v.{\mathord{\mathtt{f}}})=\ell(v).{\mathord{\mathtt{f}}}= \ell(w).{\mathord{\mathtt{f}}} = \ell(w.{\mathord{\mathtt{f}}})$ ;

  • if $j \in N_\top$ , then $h(\ell_\top(j))=h(j)=\ell(j)$ .

By definition of the sharing and nonlinearity components of $\top$ , it is immediate to check that $\mathbb{G} \preceq \top_{|v=w}$ .

Proposition 84. For each $\mathbb{G} \in \mathsf{ALPS}_\tau$ and $v, w \in dom(\tau)$ , $\gamma(\mathbb{G})_{|v=w} \subseteq \gamma(\mathbb{G}_{|v=w})$ .

Proof. Similar to the proof of Proposition 83.

A.4.2 Abstract semantics

Proposition 117 (Correctness of add). Let $\phi\mathbin{\star}\mu\in\Sigma_\tau$, $i \in I_\tau$, $\tau'=\tau[{\mathord{\mathtt{res}}}\mapsto\kappa_{{\mathord{\mathtt{res}}}}]$ and let $\mathbb{G}\in \mathsf{ALPS}$ be such that $\phi(i) \neq {\mathord{\mathtt{null}}}$, $\tau(\phi(i))\leq \kappa_{{\mathord{\mathtt{res}}}}$ and $\phi\mathbin{\star}\mu\in\gamma(\mathbb{G})$. Then $\phi'\mathbin{\star} \mu = \phi[{\mathord{\mathtt{res}}}\mapsto\phi(i)]\mathbin{\star} \mu \in \Sigma_{\tau'}$ and $\alpha(\phi'\mathbin{\star}\mu) \preceq add(\mathbb{G},\ell(i),\kappa_{{\mathord{\mathtt{res}}}})$.

Proof. First of all, observe that since by hypothesis $\tau(\phi(i))\leq\kappa_{{\mathord{\mathtt{res}}}}$ , $\phi'\mathbin{\star} \mu \in \Sigma_{\tau'}$ . Now, let $\mathbb{G}'=\alpha(\phi\mathbin{\star}\mu)$ , $\mathbb{G}_1=\alpha(\phi'\mathbin{\star}\mu)$ and $\mathbb{G}_2=add(\mathbb{G},\ell(i),\kappa_{{\mathord{\mathtt{res}}}})$ . Since in a Galois connection $\alpha \circ \gamma$ is reductive (Section 2), we have that $\mathbb{G}' \preceq \mathbb{G}$ and therefore there exists $h': G \rightarrow G'$ .

Let $\kappa_1 = \psi_{G'}(\ell'(i))$ , $\kappa_2 = \psi_{G}(\ell(i))$ , $F_1 = dom(\kappa_{{\mathord{\mathtt{res}}}})\setminus dom(\kappa_1)$ and let $F_2 = dom(\kappa_{{\mathord{\mathtt{res}}}})\setminus dom(\kappa_2)$ . Since $\mathbb{G}' \preceq \mathbb{G}$ , by Lemma 96, $\kappa_1 \le \kappa_2$ , $dom(\kappa_2)\subseteq dom(\kappa_1)$ and therefore $F_1 \subseteq F_2$ .

Moreover, let $W= {\ell'}^{-1}(N') \cup\{{\mathord{\mathtt{res}}}\} \cup \{{\mathord{\mathtt{res}}}.{\mathord{\mathtt{f}}} \in Q_\tau \mid {\mathord{\mathtt{f}}} \not\in F_2\}$ . Since $F_1 \subseteq F_2$ , $\mathbb{G}' \preceq \mathbb{G}$ and by definition of add, for each $w \in W$ there exists $w^* \in {\ell'}^{-1} (N')$ such that the following holds:

  • $\ell_1(w)=\ell_1(w^*)=\ell'(w^*)\neq \bot$ , $\ell_2(w)=\ell_2(w^*)=\ell(w^*)\neq \bot$ and

  • either $w\in {\ell'}^{-1}(N')$ and $w^*=w$, or $w = {\mathord{\mathtt{res}}}$ and $w^*=i$, or $w={\mathord{\mathtt{res}}}.{\mathord{\mathtt{f}}}$ and $w^*=i.{\mathord{\mathtt{f}}}$.

The following holds.

  1. ($G_1 \preceq G_2$). By definition

    \begin{equation*}\begin{array}{lll} G_1= & ( & (N' \cup \{\phi(i).{\mathord{\mathtt{f}}} \mid {\mathord{\mathtt{f}}} \in F_1, \phi(i).{\mathord{\mathtt{f}}} \neq {\mathord{\mathtt{null}}}\}) \ \mathbin{\star} \\ & & (E' \cup \{\phi(i) \xrightarrow{{\mathord{\mathtt{f}}}} \phi(i).{\mathord{\mathtt{f}}} \mid {\mathord{\mathtt{f}}} \in F_1, \phi(i).{\mathord{\mathtt{f}}} \neq {\mathord{\mathtt{null}}}\}) \ \mathbin{\star} \\ & & \ell'[{\mathord{\mathtt{res}}} \mapsto\ell'(i)]\ ) \end{array} \end{equation*}
    and $G_2= N \cup \{n_{{\mathord{\mathtt{f}}}} \mid {\mathord{\mathtt{f}}} \in F_2\} \mathbin{\star} E \cup \{\ell(i) \xrightarrow{{\mathord{\mathtt{f}}}} n_{{\mathord{\mathtt{f}}}} \mid {\mathord{\mathtt{f}}} \in F_2\} \mathbin{\star} \ell[{\mathord{\mathtt{res}}} \mapsto \ell(i)]$ , where $\{n_{{\mathord{\mathtt{f}}}} \mid {\mathord{\mathtt{f}}} \in F_2 \}\cap N = \emptyset$ , namely, they are fresh nodes. Now, we can define h such that
    \begin{equation*}h(n) = \begin{cases}h'(n) & \text{if $n\in N$}\\\phi(i).{\mathord{\mathtt{f}}} & \text{if $n =n_{{\mathord{\mathtt{f}}}} \in N_2 \setminus N$ and $\phi(i).{\mathord{\mathtt{f}}} \neq {\mathord{\mathtt{null}}} $}\\\bot & \text{otherwise}.\end{cases}\end{equation*}
    It is easy to check that $h: G_2 \rightarrow G_1$ is a morphism, from which the thesis follows.
  2. ($\ell_1^{-1}(\mathit{sh}_1) \subseteq \ell_2^{-1}(\mathit{sh}_2)$). First of all, observe that, by definition of $\mathbb{G}_1$,

    (A3) \begin{equation} \text{ for each } n \in N', \ \tau_{G_1}(n) \leq \tau_{G'}(n). \end{equation}

Now, let $\{j,j'\} \in \ell_1^{-1}(\mathit{sh}_1)$ . We have the following possibilities.

In the first case, both $j$ and $j'$ belong to $W$, so that by construction $\{j^*,{j'}^*\} \in {\ell'}^{-1}(\mathit{sh}')$ and, since $\mathbb{G}' \preceq \mathbb{G}$, $\{j^*,{j'}^*\} \in {\ell}^{-1}(\mathit{sh})$. Therefore $\{\ell(j^*),\ell({j'}^*)\} \in \mathit{sh}$ and $\{\ell(j^*),\ell({j'}^*)\}$ is G-SH-compatible. Moreover, by hypothesis $\ell_2(j)=\ell_2(j^*)$ and $\ell_2(j')=\ell_2({j'}^*)$. Now, observe that by Lemma 93 and the first point of Proposition 113, since $\mathbb{G}'=\alpha (\phi \mathbin{\star} \mu) \preceq \mathbb{G}$ and $j^*$ and ${j'}^*$ share in $\phi \mathbin{\star} \mu$, we have that $C(\tau(\phi(j^*)))\cap C(\tau(\phi({j'}^*))) \neq \emptyset$, $\tau(\phi(j^*)) \leq \tau_G(\ell(j^*))$ and $\tau(\phi({j'}^*)) \leq \tau_G(\ell({j'}^*))$. Now, since by hypothesis $\tau(\phi(i))\leq \kappa_{{\mathord{\mathtt{res}}}}$, we have that $\{\ell_2(j),\ell_2(j')\}=\{\ell(j^*),\ell({j'}^*)\}$ is $G_2$-SH-compatible, and the thesis follows by definition of add.

In the second case $j'={\mathord{\mathtt{res}}}.{\mathord{\mathtt{f}}}$, with ${\mathord{\mathtt{f}}} \in F_2$. By construction $\{j^*,i\} \in {\ell'}^{-1}(\mathit{sh}')$ and, since $\mathbb{G}' \preceq \mathbb{G}$, we have that $\{j^*,i\} \in {\ell}^{-1}(\mathit{sh})$, namely

(A4) \begin{equation} \{\ell(j^*),\ell(i)\} \in \mathit{sh}. \end{equation}

Moreover, by hypothesis $\ell_2(j)=\ell_2(j^*)=\ell(j^*)$ and $\ell_2(j')=n_{{\mathord{\mathtt{f}}}}$, where $n= \ell(i)$. Furthermore, since ${\mathord{\mathtt{res}}}.{\mathord{\mathtt{f}}}$ and $j$ share in $\mathbb{G}_1$, by the second point of Proposition 113 we have that $C(\tau({\mathord{\mathtt{res}}}.{\mathord{\mathtt{f}}}))\cap C(\tau_{G_1}(\ell_1(j)))\neq \emptyset$ and therefore, by (A3), $C(\kappa_{{\mathord{\mathtt{res}}}}.{\mathord{\mathtt{f}}})\cap C(\tau_{G'}(\ell'(j^*)))\neq \emptyset$. By the properties of morphisms and since $\mathbb{G}' \preceq \mathbb{G}$, $\tau_{G'}(\ell'(j^*)) \leq \tau_{G}(\ell(j^*))$ and therefore

(A5) \begin{equation} C(\kappa_{{\mathord{\mathtt{res}}}}.{\mathord{\mathtt{f}}})\cap C(\tau_{G}(\ell(j^*)))\neq \emptyset. \end{equation}

Moreover, observe that by Lemma 93, since $\mathbb{G}'=\alpha (\phi \mathbin{\star} \mu) \preceq \mathbb{G}$ and $j^*$ and ${\mathord{\mathtt{res}}}.{\mathord{\mathtt{f}}}$ share in $\phi' \mathbin{\star} \mu$, we have that $C(\tau(\phi(j^*)))\cap C(\tau(\phi(i).{\mathord{\mathtt{f}}})) \neq \emptyset$. Moreover, by the first point of Proposition 113, $\tau(\phi(j^*)) \leq \tau_G(\ell(j^*))$. Then, since by hypothesis $\tau(\phi(i))\leq \kappa_{{\mathord{\mathtt{res}}}}$ and hence $\tau(\phi(i).{\mathord{\mathtt{f}}})\leq \kappa_{{\mathord{\mathtt{res}}}}.{\mathord{\mathtt{f}}}$, we have that $\{\ell_2(j),\ell_2(j')\}=\{\ell(j^*),n_{{\mathord{\mathtt{f}}}}\}$ is $G_2$-SH-compatible. Now, we have two possibilities:

  • $\ell(i) \in \mathit{nl}$ . In this case by (A4), (A5) and definition of add, $\{ \ell(j^*), n_{{\mathord{\mathtt{f}}}}\}= \{\ell_2(j), \ell_2({\mathord{\mathtt{res}}}.{\mathord{\mathtt{f}}})\}\in \mathit{sh}_2$ and then the thesis.

  • $\ell(i) \not \in \mathit{nl}$. Since $\mathbb{G}' \preceq \mathbb{G}$, we have that $\ell'(i) \not \in \mathit{nl}'$ and therefore, by definition of $\mathbb{G}_1$, $\ell_1(i) \not \in \mathit{nl}_1$. If $\not\exists {\mathord{\mathtt{f}}}'_1, \ldots, {\mathord{\mathtt{f}}}'_k.\ \ell(i) \xrightarrow{{\mathord{\mathtt{f}}}'_1} n_1 \xrightarrow{{\mathord{\mathtt{f}}}'_2} n_2\ldots n_{k-1}\xrightarrow{{\mathord{\mathtt{f}}}'_k} \ell(j^*) \in E$ then, by (A4) and (A5), $\{n_{{\mathord{\mathtt{f}}}}, \ell_2(j)\}= \{\ell_2({\mathord{\mathtt{res}}}.{\mathord{\mathtt{f}}}), \ell_2(j^*)\} \in \mathit{sh}_2$ and the thesis follows. Now, assume that $\exists {\mathord{\mathtt{f}}}'_1, \ldots, {\mathord{\mathtt{f}}}'_k.\ \ell(i) \xrightarrow{{\mathord{\mathtt{f}}}'_1} n_1 \xrightarrow{{\mathord{\mathtt{f}}}'_2} n_2\ldots n_{k-1}\xrightarrow{{\mathord{\mathtt{f}}}'_k} n_k=\ell(j^*) \in E$. By definition, for each $l=1,\ldots,k-1$ there exists $i^*_l$ such that $\ell(i^*_l)=n_l$. Moreover, since $\ell(i) \xrightarrow{{\mathord{\mathtt{f}}}'_1} n_1 \xrightarrow{{\mathord{\mathtt{f}}}'_2} n_2\ldots n_{k-1}\xrightarrow{{\mathord{\mathtt{f}}}'_k} n_k=\ell(j^*) \in E$, for each $l=1,\ldots,k$, $i^*_l \neq i.{\mathord{\mathtt{f}}}'$ with ${\mathord{\mathtt{f}}}' \in F_2$. Then, since $F_1 \subseteq F_2$, $\ell'(j^*) \neq {\mathord{\mathtt{null}}}$, and by proceeding backwards from the last edge toward the first using Lemma 96, $\ell'(i) \xrightarrow{{\mathord{\mathtt{f}}}'_1} \ell'(i^*_1) \xrightarrow{{\mathord{\mathtt{f}}}'_2} \ell'(i^*_2)\ldots \ell'(i^*_{k-1}) \xrightarrow{{\mathord{\mathtt{f}}}'_k} n_k=\ell'(j^*) \in E'$. Moreover, for each $l=1,\ldots,k$, $\ell_1(i^*_l)=\ell'(i^*_l) \in N'$ and therefore $\ell_1(i) \xrightarrow{{\mathord{\mathtt{f}}}'_1} \ell_1(i^*_1)\xrightarrow{{\mathord{\mathtt{f}}}'_2} \ell_1(i^*_2)\ldots \ell_1(i^*_{k-1}) \xrightarrow{{\mathord{\mathtt{f}}}'_k} n_k=\ell_1(j^*) \in E_1$, that is, $\ell_1(i) \xrightarrow{{\mathord{\mathtt{f}}}'_1} \ell_1(i^*_1) \xrightarrow{{\mathord{\mathtt{f}}}'_2} \ell_1(i^*_2)\ldots \ell_1(i^*_{k-1}) \xrightarrow{{\mathord{\mathtt{f}}}'_k} \ell_1(j^*)=\ell_1(j) \in E_1$. Moreover, since by construction $\ell_1(i)=\ell_1({\mathord{\mathtt{res}}})$ and by hypothesis $j' = {\mathord{\mathtt{res}}}.{\mathord{\mathtt{f}}} \in N_1$, we have that $\ell_1(i) \xrightarrow{{\mathord{\mathtt{f}}}} \ell_1(j') \in E_1$. Therefore, since by hypothesis $\{\ell_1(j),\ell_1(j')\}\in \mathit{sh}_1$, by definition of $cl^{\uparrow}$ and by proceeding backwards from the last edge toward the first, we have that $\{\ell_1(i).{\mathord{\mathtt{f}}}'_1,\ell_1(i).{\mathord{\mathtt{f}}}_2\}\in \mathit{sh}_1$, with ${\mathord{\mathtt{f}}}'_1 \not \in F_2$ and ${\mathord{\mathtt{f}}}_2 \in F_2$. This is a contradiction, since by the previous observations $\ell_1(i) \not \in \mathit{nl}_1$.

In the third case $j={\mathord{\mathtt{res}}}.{\mathord{\mathtt{f}}}$ and $j'={\mathord{\mathtt{res}}}.{\mathord{\mathtt{f}}}'$, with ${\mathord{\mathtt{f}}},{\mathord{\mathtt{f}}}' \in F_2$. If ${\mathord{\mathtt{f}}}={\mathord{\mathtt{f}}}'$, the proof is straightforward, since $n_{{\mathord{\mathtt{f}}}} \in N_2$ and by construction $\mathbb{G}_2= add(\mathbb{G},\ell(i),\kappa_{{\mathord{\mathtt{res}}}})$ is closed. Now, assume that ${\mathord{\mathtt{f}}} \neq {\mathord{\mathtt{f}}}'$. In this case, since by hypothesis $\{j,j'\}= \{{\mathord{\mathtt{res}}}.{\mathord{\mathtt{f}}},{\mathord{\mathtt{res}}}.{\mathord{\mathtt{f}}}'\}\in \ell_1^{-1}(\mathit{sh}_1)$, we have that $C(\kappa_{{\mathord{\mathtt{res}}}}.{\mathord{\mathtt{f}}})\cap C(\kappa_{{\mathord{\mathtt{res}}}}.{\mathord{\mathtt{f}}}') \neq \emptyset$. Moreover, since ${\mathord{\mathtt{f}}},{\mathord{\mathtt{f}}}' \in F_2$, we have that $\ell_2(j)=n_{{\mathord{\mathtt{f}}}}$ and $\ell_2(j')=n_{{\mathord{\mathtt{f}}}'}$, where $n=\ell(i)$. Then, by Definitions 12 and 22 and since $\phi'({\mathord{\mathtt{res}}})=\phi'(i)=\phi(i)$, $i$ is not linear in $\phi\mathbin{\star} \mu$. By definition of $\alpha$, $\ell'(i) \in \mathit{nl}'$ and, since $\mathbb{G}' \preceq \mathbb{G}$, $\ell(i) \in \mathit{nl}$. Now, the thesis follows by definition of add.

  3. ($\ell_1^{-1}(\mathit{nl}_1) \subseteq \ell_2^{-1}(\mathit{nl}_2)$). Let $j \in \ell_1^{-1}(\mathit{nl}_1)$. We have two possibilities. In the first case $j^* \in {\ell'}^{-1} (N')$. Since $\mathbb{G}' \preceq \mathbb{G}$, we have that $j^* \in {\ell}^{-1}(\mathit{nl})$. Now, observe that by Lemma 94 and by the first point of Proposition 113, since $\mathbb{G}'=\alpha (\phi \mathbin{\star} \mu) \preceq \mathbb{G}$ and $j^*$ is not linear in $\phi \mathbin{\star} \mu$, we have that $\tau(\phi(j^*)) \in \mathit{NL}$ and $\downarrow \tau_G(\ell(j^*)) \cap \mathit{NL} \neq \emptyset$. Now, since by hypothesis $\tau(\phi(i))\leq \kappa_{{\mathord{\mathtt{res}}}}$, by the previous observations $ \tau_{G_2}(\ell(j))$ is $G_2$-NL-compatible, and the thesis follows.

In the second case, there exists ${\mathord{\mathtt{f}}} \in F_2$ such that $j={\mathord{\mathtt{res}}}.{\mathord{\mathtt{f}}}$. By definition of $\alpha$, $i \in {\ell'}^{-1}(\mathit{nl}')$ and therefore, since $\mathbb{G}' \preceq \mathbb{G}$, $i \in \ell^{-1}(\mathit{nl})$. Moreover, since $\tau(\phi(i))\leq \kappa_{{\mathord{\mathtt{res}}}}$ we have that $\tau(\phi(i).{\mathord{\mathtt{f}}})\leq \kappa_{{\mathord{\mathtt{res}}}}.{\mathord{\mathtt{f}}}$, hence $\tau_{G_1}(\ell_1(j)) \leq \kappa_{{\mathord{\mathtt{res}}}}.{\mathord{\mathtt{f}}}$ and, since $\mathbb{G}_1$ is closed, $\downarrow (\tau_{G_1}(\ell_1(j))) \cap \mathit{NL} \neq \emptyset$. Then $\downarrow (\kappa_{{\mathord{\mathtt{res}}}}.{\mathord{\mathtt{f}}}) \cap \mathit{NL} \neq \emptyset$ and, since ${\mathord{\mathtt{f}}} \in F_2$, $\ell_2(j)=n_{{\mathord{\mathtt{f}}}}$. Therefore, by definition of add, $j={\mathord{\mathtt{res}}}.{\mathord{\mathtt{f}}} \in \ell_2^{-1}(\mathit{nl}_2)$ and the thesis follows.

Now, the thesis follows by Proposition 106.

Theorem 87. The abstract semantics formalized in Figures 20–24 is correct w.r.t. the concrete semantics in Section 2.2.2.

Proof. According to the abstract interpretation framework of Cousot and Cousot (1977), for each operation $\mathit{op}:\Sigma_\tau\to\Sigma_{\tau'}$, $\mathbb{G}\in \mathsf{ALPS}$, interpretation $I$ and sharing interpretation $I'$ such that $I'(\kappa.{\mathord{\mathtt{m}}})$ is correct w.r.t. $I(\kappa.{\mathord{\mathtt{m}}})$ for every method $\kappa.{\mathord{\mathtt{m}}}$, we must prove that

\begin{equation*} \underbrace{\alpha(\mathcal{E}_{\tau}^{{I}}\unicode{x0301A}{\mathit{op}}\unicode{x0301B} (\gamma(\mathbb{G})))}_{C(\mathit{op})}\preceq \underbrace{\mathcal{S\!E}_{\tau}^{I'}\unicode{x0301A}{\mathit{op}}\unicode{x0301B}(\mathbb{G})}_{A(\mathit{op})},\end{equation*}

where $\mathcal{E}_{}^{}\unicode{x0301A}{{\_}}\unicode{x0301B}$ ( $\mathcal{C}_{}^{}\unicode{x0301A}{\_}\unicode{x0301B}$ for the commands) is given in Section 2.2.2 and $\mathcal{S\!E}_{}^{}\unicode{x0301A}{\_}\unicode{x0301B}$ ( $\mathcal{SC}_{}^{}\unicode{x0301A}{{\_}}\unicode{x0301B}$ ) in Figures 20 and 23 (Figures 21 and 22). Recall that for the expressions we have $\tau'=\tau+\mathit{type}_\tau(\mathit{op})$ and ${\mathord{\mathtt{res}}}\not\in dom(\tau)$, while for the commands we have $\tau'=\tau$ and ${\mathord{\mathtt{res}}}\not\in dom(\tau)$. The proof is direct for the expressions, while it proceeds by induction for the commands (since commands are defined inductively in Section 2.2). First of all, observe that since in a Galois connection $\alpha\circ\gamma$ is reductive (Section 2), for each $\phi\mathbin{\star}\mu\in\gamma(\mathbb{G})$ we have that

(A6) \begin{equation}\mathbb{G}'=\alpha (\phi\mathbin{\star}\mu) \preceq \mathbb{G}\end{equation}

and therefore by definition of $\alpha$ ,

(A7) \begin{equation}\mathbb{G}''=\alpha( \{\phi\mathbin{\star}\mu \mid \phi\mathbin{\star}\mu \in \gamma (\mathbb{G})\})\preceq \mathbb{G}.\end{equation}

${\mathord{\mathtt{null}}}\ \kappa$

We have $\tau'=\tau+\mathit{type}_\tau({\mathord{\mathtt{null}}}\ \kappa)=\tau[{\mathord{\mathtt{res}}}\mapsto\kappa]$ . Then

\begin{align*} C({\mathord{\mathtt{null}}}\ \kappa)&= \alpha(\{\phi[{\mathord{\mathtt{res}}}\mapsto{\mathord{\mathtt{null}}}]\mathbin{\star}\mu\mid \phi\mathbin{\star}\mu\in\gamma(\mathbb{G})\})\\ \text{(Definition 75)}&= \alpha(\{\phi\mathbin{\star}\mu\mid \phi\mathbin{\star}\mu\in\gamma(\mathbb{G})\})\\ \text{(A7)} &\preceq \mathbb{G}\\ & =A({\mathord{\mathtt{null}}}\ \kappa).\end{align*}

$\mathtt{new} \ \kappa$

Also in this case we have $\tau'=\tau+\mathit{type}_\tau(\mathtt{new}\ \kappa)=\tau[{\mathord{\mathtt{res}}}\mapsto\kappa]$ . The proof is similar to that above, since the new object is allocated in a fresh location l, and hence is only reachable from ${\mathord{\mathtt{res}}}$ :

\begin{align*} C(\mathtt{new}\ \kappa) &=\alpha(\{\phi[{\mathord{\mathtt{res}}} \mapsto l]\mathbin{\star}\mu[l\mapsto \mathtt{new}(\kappa)]\mid \phi\mathbin{\star}\mu\in\gamma(\mathbb{G})\})\\ \text{(by definition of $\alpha$)} &= \curlyvee\{\alpha(\phi[{\mathord{\mathtt{res}}} \mapsto l]\mathbin{\star}\mu[l\mapsto \mathtt{new}(\kappa)])\mid \phi\mathbin{\star}\mu\in\gamma(\mathbb{G})\}\\ \text{(Definition 75)}&= \curlyvee\{(N' \cup\{l\}\mathbin{\star} E' \mathbin{\star} \ell'[{\mathord{\mathtt{res}}} \mapsto l]) \mathbin{\star} \mathit{sh}'\cup\{\{l\}\} \mathbin{\star} \mathit{nl}' \mid \\ & \quad \quad \quad \mathbb{G}'\in \alpha \gamma(\mathbb{G}) \text{ and } l \not \in N'\}\\ \text{(A6)} &\preceq (N \cup \{n_{new}\}\mathbin{\star} E\mathbin{\star} \ell[{\mathord{\mathtt{res}}} \mapsto n_{new}]) \mathbin{\star} \mathit{sh}\cup\{\{n_{new}\}\} \mathbin{\star} \mathit{nl} \\ & \quad \quad \mbox{with } n_{new} \not \in N \\ & =A(\mathtt{new}\ \kappa).\end{align*}

$v$

For $v$, we have $\tau'=\tau+\mathit{type}_\tau(v)=\tau[{\mathord{\mathtt{res}}}\mapsto\tau(v)]$. Then

\begin{align*} C(v) &=\alpha(\{\phi[{\mathord{\mathtt{res}}}\mapsto\phi(v)]\mathbin{\star}\mu \mid\phi\mathbin{\star}\mu\in\gamma(\mathbb{G})\})\\ \text{(by definition of $\alpha$)} &= \curlyvee \{\alpha(\phi[{\mathord{\mathtt{res}}}\mapsto\phi(v)]\mathbin{\star}\mu) \mid\phi\mathbin{\star}\mu\in\gamma(\mathbb{G})\}\\ \text{(Definition 75)}&= \curlyvee \{(N' \mathbin{\star} E' \mathbin{\star} \ell'[{\mathord{\mathtt{res}}} \mapsto \ell'(v)]) \mathbin{\star} \mathit{sh}' \mathbin{\star} \mathit{nl}' \mid \\ & \quad \quad \quad \mathbb{G}'\in \alpha \gamma(\mathbb{G})\}\\ \text{(A6)} & \preceq (N \mathbin{\star} E \mathbin{\star} \ell[{\mathord{\mathtt{res}}} \mapsto \ell(v)]) \mathbin{\star} \mathit{sh} \mathbin{\star} \mathit{nl} \\ & =A(v).\end{align*}

$\mathtt{(}\kappa\mathtt{)}v$

For $\mathtt{(}\kappa\mathtt{)}v$, we have $\tau'=\tau+\mathit{type}_\tau(\mathtt{(}\kappa\mathtt{)}v)=\tau[{\mathord{\mathtt{res}}}\mapsto\kappa]$. We have the following possibilities.

  • ($\ell(v) = \bot$). By (A6) for each $\phi\mathbin{\star}\mu\in\gamma(\mathbb{G})$, we have that $\mathbb{G}'=\alpha(\phi\mathbin{\star}\mu) \preceq \mathbb{G}$ and therefore $\ell'(v)=\bot$. By Definition 52, $\phi(v)= {\mathord{\mathtt{null}}}$ and then $\phi[{\mathord{\mathtt{res}}}\mapsto\phi(v)]\mathbin{\star}\mu = \phi\mathbin{\star}\mu$. In this case

    \begin{align*} C(\mathtt{(}\kappa\mathtt{)}v) &=\alpha(\{\phi[{\mathord{\mathtt{res}}}\mapsto\phi(v)]\mathbin{\star}\mu \mid\phi\mathbin{\star}\mu\in\gamma(\mathbb{G})\})\\ \text{(by previous observation)} &= \alpha(\{\phi\mathbin{\star}\mu \mid\phi\mathbin{\star}\mu\in\gamma(\mathbb{G})\})\\ \text{(A7)} & \preceq \mathbb{G} \\ & =A(\mathtt{(}\kappa\mathtt{)}v).\end{align*}
  • ($\ell(v) \neq \bot$ and $\{\tau_G(\ell(v)),\kappa\}$ is not a chain). By Definition 39, $\tau_G(\ell(v))=\bigwedge \{\tau({\ell}^{-1}(\ell(v)))\}$. By (A6) for each $\phi\mathbin{\star}\mu\in\gamma(\mathbb{G})$, we have that $\mathbb{G}'=\alpha(\phi\mathbin{\star}\mu) \preceq \mathbb{G}$. Now, we have two cases.

($\ell'(v)=\bot$). In this case, $\phi(v) ={\mathord{\mathtt{null}}}$ and $\mathcal{E}_{{\tau}}^{I}\unicode{x0301A}{\mathtt{(}\kappa\mathtt{)}v}\unicode{x0301B}(\phi\mathbin{\star}\mu)= \phi\mathbin{\star}\mu$. Therefore, by Definition 81 and Proposition 115, $\alpha(\mathcal{E}_{\tau}^{I}\unicode{x0301A}{{\mathtt{(}\kappa\mathtt{)}v}}\unicode{x0301B}(\phi\mathbin{\star}\mu))= \mathbb{G}'=\mathbb{G}'_{|v={\mathord{\mathtt{null}}}}\preceq \mathbb{G}_{|v={\mathord{\mathtt{null}}}}.$

($\ell'(v)\neq\bot$). In this case by Lemma 98 and Theorem 99, $\tau({\ell'}^{-1}(\ell'(v)))\cup\{\kappa\}$ is not a chain and then $\{\tau(\phi(v)), \kappa\}$ is not a chain. Therefore, $\alpha(\mathcal{E}_{\tau}^{I}\unicode{x0301A}{\mathtt{(}\kappa\mathtt{)}v}\unicode{x0301B}(\phi\mathbin{\star}\mu))= \alpha(\{\ \textit{undefined}\ \,\})=\bot $.

By previous results

\begin{align*} C(\mathtt{(}\kappa\mathtt{)}v) &=\alpha(\{\mathcal{E}_{\tau}^{I}\unicode{x0301A}{\mathtt{(}\kappa\mathtt{)}v}\unicode{x0301B}(\phi\mathbin{\star}\mu) \mid\phi\mathbin{\star}\mu\in\gamma(\mathbb{G})\})\\ \text{(by definition of $\alpha$)} &= \curlyvee \{\alpha(\mathcal{E}_{\tau}^{I}\unicode{x0301A}{\mathtt{(}\kappa\mathtt{)}v}\unicode{x0301B}(\phi\mathbin{\star}\mu)) \mid\phi\mathbin{\star}\mu\in\gamma(\mathbb{G})\}\\ \text{(by previous results)} &= \curlyvee \{\alpha(\phi\mathbin{\star}\mu) \mid\phi\mathbin{\star}\mu\in\gamma(\mathbb{G}) \mbox{ and } \phi(v)={\mathord{\mathtt{null}}}\}\\ \text{(by Definition 75)}&= \curlyvee \{\mathbb{G}' \mid \mathbb{G}'\in \alpha \gamma(\mathbb{G}) \mbox{ and } \ell'(v)=\bot\}\\ \text{(by definition)}&\preceq \curlyvee \{\mathbb{G}'_{|v={\mathord{\mathtt{null}}}} \mid \mathbb{G}'\in \alpha \gamma(\mathbb{G})\}\\ \text{(by (A6) and Proposition 115)} & \preceq \mathbb{G}_{|v={\mathord{\mathtt{null}}}} \\ & =A(\mathtt{(}\kappa\mathtt{)}v).\end{align*}
  • ($\ell(v) \neq \bot$ and $\{\tau_G(\ell(v)),\kappa\}$ is a chain). By previous results, since $\mathbb{G} \preceq add(\mathbb{G},\ell(v),\kappa)$ and by definition of $\alpha$, we have to prove that for each $\phi\mathbin{\star}\mu \in \gamma(\mathbb{G})$ such that $\phi(v) \neq {\mathord{\mathtt{null}}}$ and $\tau(\phi(v))\le\kappa$ we have that $\alpha(\phi'\mathbin{\star}\mu) \preceq add(\mathbb{G},\ell(v),\kappa)$, where $\phi'= \phi[{\mathord{\mathtt{res}}}\mapsto\phi(v)]$. The proof follows by Proposition 117.

$v.{\mathord{\mathtt{f}}}$

We have $\tau'=\tau+\mathit{type}_\tau(v.{\mathord{\mathtt{f}}})=\tau[{\mathord{\mathtt{res}}}\mapsto \tau(v.{\mathord{\mathtt{f}}})]$ . We have the following possibilities:

  • $\ell(v) = \bot$ . In this case, for each $\phi\mathbin{\star}\mu\in\gamma(\mathbb{G})$ , we have that $\phi(v)= {\mathord{\mathtt{null}}}$ and then by definition of $\alpha$ ,

    \begin{equation*} C(v.{\mathord{\mathtt{f}}})= \alpha(\{\ \textit{undefined}\ \,\})=\bot =A(v.{\mathord{\mathtt{f}}}) . \end{equation*}
  • $\ell(v) \neq \bot$ and $\ell(v.{\mathord{\mathtt{f}}}) = \bot$. In this case for each $\phi\mathbin{\star}\mu\in\gamma(\mathbb{G})$, $\phi(v).{\mathord{\mathtt{f}}}={\mathord{\mathtt{null}}}$ and therefore $\phi[{\mathord{\mathtt{res}}}\mapsto(\phi(v).{\mathord{\mathtt{f}}})]\mathbin{\star} \mu= \phi\mathbin{\star} \mu$. Now, the proof is the same as in the first case of the previous point and hence is omitted.

  • $\ell(v) \neq \bot$ and $\ell(v.{\mathord{\mathtt{f}}}) \neq \bot$ . Let $\phi'= \phi[{\mathord{\mathtt{res}}}\mapsto(\phi(v).{\mathord{\mathtt{f}}})]$ . Analogously to the previous point, we have to prove that for each $\phi\mathbin{\star}\mu \in \gamma(\mathbb{G})$ such that $\phi(v) \neq {\mathord{\mathtt{null}}}$ and $\phi(v.{\mathord{\mathtt{f}}}) \neq {\mathord{\mathtt{null}}}$ we have that $\alpha(\phi'\mathbin{\star}\mu) \preceq add(\mathbb{G},\ell(v.{\mathord{\mathtt{f}}}),\tau(v.{\mathord{\mathtt{f}}}))$ . The proof follows by Proposition 117, since by Proposition 21, $\tau(\phi(v.{\mathord{\mathtt{f}}})) \leq \tau(v.{\mathord{\mathtt{f}}})$ .

$v\mathtt{.m(}v_1,\ldots,v_n\mathtt{)}$

We have $\tau'=\tau+\mathit{type}_\tau(v\mathtt{.m(}v_1,\ldots,v_n\mathtt{)})=\tau[{\mathord{\mathtt{res}}}\mapsto\mathit{returnType}(\tau(v)\mathtt{.m})]$ and

\begin{equation*}\begin{array}{l} C(v\mathtt{.m(}v_1,\ldots,v_n\mathtt{)})= \alpha (\{\underbrace{\phi[{\mathord{\mathtt{res}}}\mapsto \phi^1({\mathord{\mathtt{out}}})]}_{\phi'}\mathbin{\star}\mu^1\mid \, \phi(v)\not={\mathord{\mathtt{null}}} \text{ and } \phi\mathbin{\star}\mu\in\gamma(\mathbb{G})\}).\end{array}\end{equation*}

with $\sigma^\dagger= [{\mathord{\mathtt{this}}}\mapsto\phi(v),w_1\mapsto\phi(v_1),\ldots, w_n\mapsto\phi(v_n)]\mathbin{\star}\mu$ and $\phi^1\mathbin{\star}\mu^1=I((\phi(v).\kappa).{\mathord{\mathtt{m}}})(\sigma^\dagger)$. As for $v\mathtt{.f}$ above, $C(v\mathtt{.m(}v_1,\ldots,v_n\mathtt{)})$ is best approximated by $\bot$ when $\phi(v)={\mathord{\mathtt{null}}}$. Assume hence that $\phi(v)\not={\mathord{\mathtt{null}}}$.

First of all, observe that the effective method used in the concrete side is $(\phi(v).\kappa).{\mathord{\mathtt{m}}}$ . By type correctness, we know that $\mu(\phi(v)).\kappa \leq \tau_G(\ell(v))$ . Therefore, since the abstract semantics is defined as:

\begin{equation*}\curlyvee\{match_{v.{\mathord{\mathtt{m}}}}(\mathbb{G} ,I'(\kappa.{\mathord{\mathtt{m}}}) (\mathbb{G}')) \mid\kappa\le \tau_G(\ell(v)) \}\end{equation*}

we only need to prove that $\alpha(I((\phi(v).\kappa).{\mathord{\mathtt{m}}})(\gamma(\mathbb{G}))) \preceq \mathrm{match}_{v.{\mathord{\mathtt{m}}}}(\mathbb{G} ,I'((\phi(v).\kappa).{\mathord{\mathtt{m}}}) (\mathbb{G}'))$, from which it immediately follows that $\alpha(I((\phi(v).\kappa).{\mathord{\mathtt{m}}})(\gamma(\mathbb{G}))) \preceq\curlyvee\{match_{v.{\mathord{\mathtt{m}}}}(\mathbb{G} ,I'(\kappa.{\mathord{\mathtt{m}}}) (\mathbb{G}')) \mid \kappa\le\tau_G(\ell(v)) \}$.

Proving that $\alpha(I((\phi(v).\kappa).{\mathord{\mathtt{m}}})(\gamma(\mathbb{G}))) \preceq \mathrm{match}_{v.{\mathord{\mathtt{m}}}}(\mathbb{G} ,I'((\phi(v).\kappa).{\mathord{\mathtt{m}}}) (\mathbb{G}'))$ amounts to showing that $\alpha(\phi[{\mathord{\mathtt{res}}}\mapsto\phi^1({\mathord{\mathtt{out}}})]\mathbin{\star}\mu^1) \preceq \mathrm{match}_{v.{\mathord{\mathtt{m}}}}(\mathbb{G} ,I'((\phi(v).\kappa).{\mathord{\mathtt{m}}}) (\mathbb{G}'))$.

First of all, observe that since $\phi\mathbin{\star}\mu\in\gamma(\mathbb{G})$, we have that $\alpha(\phi\mathbin{\star}\mu) \preceq \mathbb{G}$. Then $\alpha(\sigma^\dagger) \preceq prune( (N \mathbin{\star} E \mathbin{\star} \ell^{\mathit{input}}) \mathbin{\star} \mathit{sh}\mathbin{\star} \mathit{nl})$ and therefore $\sigma^\dagger \in \gamma( prune( (N \mathbin{\star} E \mathbin{\star} \ell^{\mathit{input}}) \mathbin{\star} \mathit{sh} \mathbin{\star}\mathit{nl}))$, where $\ell^{\mathit{input}} = [{\mathord{\mathtt{this}}} \mapsto \ell(v), w_1\mapsto \ell(v_1), \ldots, w_n\mapsto \ell(v_n)]$. Then, by correctness of $I'$ with respect to $I$, $\alpha(\phi^1\mathbin{\star}\mu^1) \preceq I'((\phi(v).\kappa).{\mathord{\mathtt{m}}})(prune( (N \mathbin{\star}E \mathbin{\star} \ell^{\mathit{input}}) \mathbin{\star} \mathit{sh} \mathbin{\star} \mathit{nl}))$.

On the concrete side, only variables in $dom(\sigma^\dagger.\phi)$ can be reached in the computation of $I((\phi(v).\kappa).{\mathord{\mathtt{m}}})(\sigma^\dagger)$. Since $dom(\sigma^\dagger.\phi) = \{{\mathord{\mathtt{this}}},w_1,\ldots,w_n\}$, it follows that for any variable $x \in V_{other}$ we have that $\phi(x)=\phi'(x)$. The same happens on the abstract side, since $\mathbb{G}_{\mid V_{other}}=\mathbb{G}_{other}$. Moreover, for variables in $V_{comp}$, since on the abstract side we compute $(\top_{\mid V_{comp}})_{\mid \{x=y \, \mid \, \ell^1 (x)=\ell^1 (y), \, x, \, y \in V_{comp}\}}$, there is nothing to prove.

For any variable $x$ in $V_{alias}$, since $x\not\in dom(\sigma^\dagger.\phi)$ and, by definition of $V_{alias}$, there exists $u \in V_m$ such that $\ell(x)=\ell(u)$, it follows that $\phi'(x)=\phi'(u)$, which corresponds to the $\ell_{alias}$ mapping in $\mathbb{G}$. Therefore, we only need to show that the result is correct for variables in $V_m$, which directly follows from the induction hypothesis that $I'(\kappa.{\mathord{\mathtt{m}}})(\mathbb{G}')$ is correct w.r.t. $I((\phi(v).\kappa).{\mathord{\mathtt{m}}})(\sigma^\dagger)$.

$v\mathbin{\mathtt{:=}}\mathit{exp}$

Since the composition of correct operations is correct and since we have proved above that the abstract semantics for the expressions are correct with respect to their concrete counterparts, it is enough to prove that the abstract prune operation

\begin{equation*}\mathit{P}_\tau^v=\lambda \mathbb{G}\in \mathsf{ALPS}.\,prune((N \mathbin{\star} E \mathbin{\star} \ell[v \mapsto \ell({\mathord{\mathtt{res}}}), {\mathord{\mathtt{res}}}\mapsto\bot]) \mathbin{\star} \mathit{sh} \mathbin{\star} \mathit{nl})\end{equation*}

is correct with respect to the corresponding concrete operation

\begin{equation*}\mathit{setVar}_\tau^v=\lambda(\phi\mathbin{\star}\mu)\in\Sigma_\tau.\, \phi|_{-{\mathord{\mathtt{res}}}}[v\mapsto\phi({\mathord{\mathtt{res}}})]\mathbin{\star}\mu\end{equation*}

Let $\tau'=\tau|_{-{\mathord{\mathtt{res}}}}$ and let $\mathbb{G}\in \mathsf{ALPS}$ . We have

\begin{equation*} C(\mathit{setVar}_\tau^v)= \alpha(\{\underbrace{\phi|_{-{\mathord{\mathtt{res}}}}[v\mapsto\phi({\mathord{\mathtt{res}}})]}_{\phi'} \mathbin{\star}\mu\mid\phi\mathbin{\star}\mu\in\gamma(\mathbb{G})\}).\end{equation*}

Then, by additivity of $\alpha$, to prove the thesis it suffices to show that for each $\phi\mathbin{\star}\mu \in \gamma(\mathbb{G})$,

\begin{equation*}\mathbb{G}_1 = \alpha(\phi'\mathbin{\star}\mu) \preceq prune((N \mathbin{\star} E\mathbin{\star} \ell[v \mapsto \ell({\mathord{\mathtt{res}}}), {\mathord{\mathtt{res}}}\mapsto\bot]) \mathbin{\star} \mathit{sh} \mathbin{\star} \mathit{nl}).\end{equation*}

Let $\mathbb{G}'= \alpha(\phi\mathbin{\star}\mu)$ . By definition

\begin{equation*}\begin{array}{lll} \mathbb{G}_1 & = & (\{n \in N' \mid \exists i \in {\ell'}^{-1}(n) . i \neq v, i \neq v.{\mathord{\mathtt{f}}} \in Q_\tau\}\mathbin{\star} \\ && \ \{n_1 \xrightarrow{{\mathord{\mathtt{f}}}} n_2 \in E' \mid n_1, n_2 \in N_1\} \mathbin{\star} \ell'[v \mapsto \ell'({\mathord{\mathtt{res}}}), {\mathord{\mathtt{res}}}\mapsto\bot]) \mathbin{\star} \\ & &\{ \{n_1, n_2\} \in \mathit{sh}' \mid n_1, n_2 \in N_1\} \mathbin{\star} \mathit{nl}' \cap N_1. \end{array} \end{equation*}

Now, the proof is straightforward by definition of $\mathit{P}_\tau^v$ and since by (A6), $\mathbb{G}'=\alpha (\phi\mathbin{\star}\mu) \preceq \mathbb{G}$.

$v.{\mathord{\mathtt{f}}}\mathbin{\mathtt{:=}}\mathit{exp}$

Since the composition of correct operations is correct and since we have proved above that the abstract semantics for the expressions is correct w.r.t. their concrete counterparts, it is enough to prove that the abstract operation

\begin{align*}\mathit{P'}_\tau^{v.{\mathord{\mathtt{f}}}} & =\lambda \mathbb{G} \in \mathsf{ALPS} .\begin{cases} \bot \ \ \qquad\text{if $\ell(v)=\bot$}\\ \mathbb{G}^{*} \ \qquad \text{if $\ell(v)\neq \bot$ and $\ell({\mathord{\mathtt{res}}}) = \bot$}\\ \mathbb{G}^{**} \qquad \text{otherwise,}\end{cases}\end{align*}

is correct with respect to the corresponding concrete operation

\begin{align*} \mathit{setField}_\tau^{v.{\mathord{\mathtt{f}}}}&= \lambda(\phi\mathbin{\star}\mu)\in\Sigma_\tau.\begin{cases} \underbrace{\phi|_{-{\mathord{\mathtt{res}}}}}_{\phi'} \mathbin{\star}\underbrace{\mu[l\mapsto \mu(l)[{\mathord{\mathtt{f}}}\mapsto\phi({\mathord{\mathtt{res}}})]]}_{\mu'} & \text{if $(l=\phi(v))\not={\mathord{\mathtt{null}}}$} \\ \bot & \text{otherwise.} \end{cases}\end{align*}

where

\begin{equation*}\begin{array}{lll}\mathbb{G}^{*}&=&\textsf{prune} (N\cup N_{new} \mathbin{\star} E \setminus E_{del} \cup E_{new} \mathbin{\star} \ell \mathbin{\star} {} \mathit{sh} \cup \mathit{sh}_{new} \mathbin{\star} {} \\ & & \quad \quad \quad \mathit{nl}\cup \{n_{\ell(x)} \mid n_{\ell(x)} \in N_{new}, \ell(x.{\mathord{\mathtt{f}}}) \in \mathit{nl} \})\\\mathbb{G}^{**}&=& \textsf{prune}( N\cup N_{new} \mathbin{\star} E \setminus E_{del} \cup E'_{new} \mathbin{\star} \ell[{\mathord{\mathtt{res}}}\mapsto\bot] \mathbin{\star} {} \mathit{sh} \cup \mathit{sh}'_{new} \mathbin{\star} {} \\&& \quad \quad \quad \mathit{nl}\cup \mathit{nl}_{new} \cup \{n_{\ell(x)} \mid n_{\ell(x)} \in N_{new}, \ell(x.{\mathord{\mathtt{f}}}) \in \mathit{nl} \})\end{array}\end{equation*}

where

\begin{align*} V_{comp} &= \begin{aligned}[t] \{x \in dom(\tau) \mid {} & \ell(x)\neq \ell(v), \{\ell(x),\ell(v)\}\in \mathit{sh}, \{ \tau_{G}(\ell(x)), \tau_{G}(\ell(v)) \}\\ &\text{ is a chain} \} \end{aligned}\\ N_{new} &= \begin{aligned}[t] &\{n_{\ell(x)} \mid x \in V_{comp},\ {\mathord{\mathtt{f}}} \in dom(\psi_{G}(\ell(x))), \ \ell(x.{\mathord{\mathtt{f}}})\neq \ell({\mathord{\mathtt{res}}}) \}\\ & \text{a set of new distinct nodes} \end{aligned}\\ E_{del} &= \{\ell(v) \xrightarrow{{\mathord{\mathtt{f}}}} \ell(v.{\mathord{\mathtt{f}}}) \} \cup \{\ell(x) \xrightarrow{{\mathord{\mathtt{f}}}} \ell(x.{\mathord{\mathtt{f}}}) \in E \mid x\in V_{comp}, \ \ell(x.{\mathord{\mathtt{f}}})\neq \ell({\mathord{\mathtt{res}}})\}\\ E_{new} &= \{\ell(x) \xrightarrow{{\mathord{\mathtt{f}}}} n_{\ell(x)} \mid x \in V_{comp},\ n_{\ell(x)} \in N_{new}\} \\ \mathit{sh}_{new} &= \{ \{n_{\ell(x)},n'\} \mid n_{\ell(x)} \in N_{new}, \{\ell(x.{\mathord{\mathtt{f}}}),n'\}\in \mathit{sh}\} \ \cup \\ &\qquad \qquad \{ \{n_{\ell(x)},n_{\ell(y)}\} \mid n_{\ell(x)}, n_{\ell(y)} \in N_{new}, \{\ell(x.{\mathord{\mathtt{f}}}),\ell(y.{\mathord{\mathtt{f}}})\}\in \mathit{sh}\}\\ E'_{new} &= E_{new} \cup \{\ell(v) \xrightarrow{{\mathord{\mathtt{f}}}} \ell({\mathord{\mathtt{res}}}) \} \\ \mathit{sh}'_{new} &= \{\{n,n'\} \mid \{\ell(v),n\}\in \mathit{sh}\text{ and } \{\ell({\mathord{\mathtt{res}}}),n'\} \in \mathit{sh}\}\ \cup \\ & \qquad \qquad \{\{n_{\ell(x)},n'\} \mid n_{\ell(x)} \in N_{new},\ \{\ell({\mathord{\mathtt{res}}}),n'\} \in \mathit{sh}\} \ \cup \\ &\qquad \qquad \{ \{n_{\ell(x)},n'\} \mid n_{\ell(x)} \in N_{new}, \{\ell(x.{\mathord{\mathtt{f}}}),n'\}\in \mathit{sh} \} \ \cup \\ &\qquad \qquad \{ \{n_{\ell(x)},n_{\ell(y)}\} \mid n_{\ell(x)}, n_{\ell(y)} \in N_{new}\} \\ \mathit{nl}_{new} &= \begin{cases} \{n \in N \mid \{n,\ell(v)\} \in \mathit{sh}\} \cup \{n_{\ell(x)} \mid n_{\ell(x)} \in N_{new} \}\\[1pt] \text{if $\{\ell({\mathord{\mathtt{res}}}),\ell(v)\}\in \mathit{sh}$ or $\ell({\mathord{\mathtt{res}}}) \in \mathit{nl}$}\\ \{ n \in N \mid \{n,\ell(v)\} \in \mathit{sh}, \{\ell({\mathord{\mathtt{res}}}),n\} \in \mathit{sh} \}\\[1pt] \text{otherwise} \end{cases} \end{align*}
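The three situations distinguished by $\mathit{nl}_{new}$ can be checked on concrete states. The following Python model (an added example, not the paper's code) represents a state $\phi\mathbin{\star}\mu$ as two dictionaries, takes sharing and linearity from their concrete definitions (two variables share when they reach a common object; a variable is linear when distinct field paths from it reach distinct objects), executes $v.\mathtt{f}={\mathord{\mathtt{res}}}$, and reports which variables lose linearity. The helper names (`paths`, `share`, `linear`, `set_field`, `linearity_change`) and the three sample heaps are constructed here; the paper's $cl^{\uparrow}$ closure and abstract graphs are not modelled.

```python
# Concrete check of the nl_new rule for the assignment v.f = res (added example,
# not the paper's code).  A state is phi * mu: phi maps variables to locations
# (None is null), mu maps locations to objects, here dicts field -> location.
# Helper names and the three sample heaps below are constructed for this example.

def paths(phi, mu, var):
    """Yield (field path, location) for every simple path from var; an edge that
    closes a cycle is yielded once and not followed, so a cycle counts as a
    second path to the same object."""
    start = phi.get(var)
    if start is None:
        return
    stack = [((), start, frozenset([start]))]
    while stack:
        path, loc, seen = stack.pop()
        yield path, loc
        for fld, nxt in sorted(mu[loc].items()):
            if nxt is None:
                continue
            if nxt in seen:
                yield path + (fld,), nxt
            else:
                stack.append((path + (fld,), nxt, seen | {nxt}))


def share(phi, mu, x, y):
    """x and y share when some object is reachable from both (paper's definition)."""
    return bool({loc for _, loc in paths(phi, mu, x)} & {loc for _, loc in paths(phi, mu, y)})


def linear(phi, mu, var):
    """var is linear when no object is reached by two different field paths."""
    seen = set()
    for _, loc in paths(phi, mu, var):
        if loc in seen:
            return False
        seen.add(loc)
    return True


def set_field(phi, mu, v, f, res):
    """Concrete setField: a copy of the state with phi(v).f := phi(res) (undefined if v is null)."""
    mu2 = {loc: dict(obj) for loc, obj in mu.items()}
    mu2[phi[v]][f] = phi.get(res)
    return phi, mu2


def linearity_change(phi, mu, v, f, res):
    """Map each variable to (linear before, linear after) the assignment v.f = res."""
    phi2, mu2 = set_field(phi, mu, v, f, res)
    return {x: (linear(phi, mu, x), linear(phi2, mu2, x)) for x in phi}


# First nl_new case, {l(res), l(v)} in sh: v and res both reach o3, so after
# v.f = res the object o3 is reached from v along v.f and along v.g.
CASE_SHARING = ({"v": "o1", "res": "o3"},
                {"o1": {"f": None, "g": "o3"}, "o3": {}})
# First nl_new case, l(res) in nl: res is non-linear and v inherits that via v.f.
CASE_NONLINEAR_RES = ({"v": "o1", "res": "o2"},
                      {"o1": {"f": None}, "o2": {"a": "o3", "b": "o3"}, "o3": {}})
# "Otherwise" case: res is linear and disjoint from v, but n shares with both;
# after v.f = res, n reaches o2 via n.a.f and via n.b, while v itself stays linear.
CASE_THIRD_PARTY = ({"n": "o0", "v": "o1", "res": "o2"},
                    {"o0": {"a": "o1", "b": "o2"}, "o1": {"f": None}, "o2": {}})
```

In the third heap only `n` becomes non-linear, which is exactly the set singled out by the "otherwise" branch of $\mathit{nl}_{new}$: the nodes sharing with both $\ell(v)$ and $\ell({\mathord{\mathtt{res}}})$.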

Let $\tau'=\tau|_{-{\mathord{\mathtt{res}}}}$ and $\mathbb{G}\in \mathsf{ALPS}$. We have to prove that

\begin{equation*}\alpha(\mathit{setField}_\tau^{v\mathtt{.f}}(\gamma(\mathbb{G}))) \preceq\mathit{P'}_\tau^{v.{\mathord{\mathtt{f}}}}(\mathbb{G}).\end{equation*}

We have the following possibilities:

  • $\ell(v)=\bot$. In this case, for each $\phi\mathbin{\star}\mu\in\gamma(\mathbb{G})$, we have that $\phi(v)= {\mathord{\mathtt{null}}}$ and then by definition of $\alpha$,

    \begin{equation*} \alpha(\mathit{setField}_\tau^{v\mathtt{.f}}(\gamma(\mathbb{G})))= \alpha(\{\ \textit{undefined}\ \,\})=\bot =\mathit{P'}_\tau^{v.{\mathord{\mathtt{f}}}}(\mathbb{G}). \end{equation*}
  • $\ell(v)\neq \bot$ and $\ell({\mathord{\mathtt{res}}}) = \bot$. By (A6), for each $\phi\mathbin{\star}\mu\in\gamma(\mathbb{G})$, we have that $\mathbb{G}'=\alpha(\phi\mathbin{\star}\mu) \preceq \mathbb{G}$ and therefore $\ell'({\mathord{\mathtt{res}}})=\bot$. By the definition of $\alpha$ on $\mathsf{ALPS}$, $\phi({\mathord{\mathtt{res}}})={\mathord{\mathtt{null}}}$ and then $\phi'=\phi$ and $\phi'(v).{\mathord{\mathtt{f}}}={\mathord{\mathtt{null}}}$. Let $\mathbb{G}_1= \alpha(\phi' \mathbin{\star} \mu')$. By definition of $\alpha$,

    \begin{equation*}\begin{array}{lll}G_1 & = & (\{l \in \mathord{\mathit{Loc}} \mid \exists i \in I_\tau. \phi(i)=l \mbox{ and either } \,i \neq w.{\mathord{\mathtt{f}}} \mbox{ or } \phi(v) \neq \phi(w)\}\mathbin{\star} \\ && \ \{l \xrightarrow{{\mathord{\mathtt{f}}}'} l' \mid l.{\mathord{\mathtt{f}}}'=l' \in N' \mbox{ and either } v \not \in \phi^{-1} (l) \mbox{ or } {\mathord{\mathtt{f}}}' \neq {\mathord{\mathtt{f}}} \} \mathbin{\star} \ \phi), \end{array} \end{equation*}
    $\mathit{sh}_1 \subseteq \{ \{n, n'\} \in \mathit{sh}' \mid n, n' \in N_1\}$ and $\mathit{nl}_1 \subseteq \mathit{nl}' \cap N_1$. Now the proof is straightforward by definition of $\mathbb{G}^{*}$ and since $\mathbb{G}' \preceq \mathbb{G}$.
  • $\ell(v)\neq \bot$ and $\ell({\mathord{\mathtt{res}}}) \neq \bot$. By definition of $\alpha$ and by the previous results, we have to prove that for each $\phi\mathbin{\star}\mu \in \gamma(\mathbb{G})$ such that $\phi(v) \neq {\mathord{\mathtt{null}}}$ we have that

    \begin{equation*}\begin{array}{lll} \mathbb{G}_1 &=& \alpha(\phi'\mathbin{\star}\mu') \preceq \mathbb{G}^{**}, \end{array}\end{equation*}
    where $\mathbb{G}^{**}$ is defined as in the definition of $\mathit{P'}_\tau^{v.{\mathord{\mathtt{f}}}}$.

Let $\phi\mathbin{\star}\mu \in \gamma(\mathbb{G})$ be such that $\phi(v) \neq {\mathord{\mathtt{null}}}$ and let $\mathbb{G}'=\alpha(\phi\mathbin{\star}\mu)$. By (A6), $\mathbb{G}' \preceq \mathbb{G}$. Then, by definition of $\alpha$,

\begin{equation*}\begin{array}{lll} G_1 & = & \{l \in \mathord{\mathit{Loc}} \mid \exists i \in I_\tau. \phi(i)=l \mbox{ and either } \,i \neq w.{\mathord{\mathtt{f}}} \mbox{ or } \phi(v) \neq \phi(w)\}\mathbin{\star} \\ && (\begin{array}[t]{l} \{l \xrightarrow{{\mathord{\mathtt{f}}}'} l' \mid l.{\mathord{\mathtt{f}}}'=l' \in N' \mbox{ and either } v \not \in \phi^{-1} (l) \mbox{ or } {\mathord{\mathtt{f}}}' \neq {\mathord{\mathtt{f}}} \} \,\cup \\ \{\phi(v) \xrightarrow{{\mathord{\mathtt{f}}}} \phi({\mathord{\mathtt{res}}}) \mid \phi({\mathord{\mathtt{res}}})\neq {\mathord{\mathtt{null}}}\}) \mathbin{\star} \phi[{\mathord{\mathtt{res}}} \mapsto \bot], \end{array} \\ \\ \mathit{sh}'_1 &\subseteq & \{\{l, l'\}\in \mathit{sh}' \mid l,l' \in N_1\} \cup \\ && \{\{l, l'\} \mid l,l' \in N_1, \, \{\phi(v), l\} \in \mathit{sh}' \text{ and } \{\phi({\mathord{\mathtt{res}}}), l'\} \in \mathit{sh}'\}, \\ \\ \mathit{nl}'_1 &\subseteq & (\mathit{nl}' \cap N_1) \cup \\ & &\{\phi'(v) \mid \phi'(v) \text{ is not linear in } \phi' \mathbin{\star} \mu' \} \cup \\ &&\{l \mid l \text{ and } \phi'(v) \text{ share in } \phi' \mathbin{\star} \mu', \phi'(v) \text{ is not linear in } \phi' \mathbin{\star} \mu' \\ &&\quad \text{ and } \phi(v) \text{ is linear in } \phi \mathbin{\star} \mu\} \end{array} \end{equation*}

and $\mathbb{G}_1=cl^{\uparrow}(G_1, \mathit{sh}'_1,\mathit{nl}'_1)$. Now, the proof is straightforward, by definition of $\mathbb{G}^{**}$ and since $\mathbb{G}' \preceq \mathbb{G}$.

$\mathtt{if\ v=w\ then\ }\mathit{com}_1 \ \mathtt{else}\ \mathit{com}_2$

Analogously to the previous case, we have to prove that

\begin{align*}\mathit{A}_{\textrm{if}_\textrm{eq}}& =\lambda \mathbb{G} \in \mathsf{ALPS} .\ \begin{cases} \mathcal{SC}_{{\tau}}^{{I}}\unicode{x0301A}{{\mathit{com}_1}}\unicode{x0301B}(\mathbb{G}) \qquad \text{if $\ell(v)=\ell(w)$}\\ \mathcal{SC}_{{\tau}}^{{I}}\unicode{x0301A}{{\mathit{com}_1}}\unicode{x0301B}(\mathbb{G}_{|v=w}) \curlyvee \mathcal{SC}_{{\tau}}^{{I}}\unicode{x0301A}{{\mathit{com}_2}}\unicode{x0301B}(\mathbb{G}) \\ \qquad\qquad\qquad\qquad \text{ otherwise}\\ \end{cases}\\\end{align*}

is correct with respect to the corresponding concrete operation

\begin{align*} \mathit{C}_{\textrm{if}_\textrm{eq}}&= \lambda(\phi\mathbin{\star}\mu)\in\Sigma_\tau.\begin{cases} \mathcal{C}_{\tau}^{I}\unicode{x0301A}{{\mathit{com}_1}}\unicode{x0301B}(\phi\mathbin{\star}\mu) & \text{if $\phi(v)=\phi(w)$} \\ \mathcal{C}_{{\tau}}^{I}\unicode{x0301A}{{\mathit{com}_2}}\unicode{x0301B}(\phi\mathbin{\star}\mu) & \text{if $\phi(v)\not=\phi(w)$} \end{cases}\end{align*}

Let $\mathbb{G}\in \mathsf{ALPS}$. We have the following possibilities:

  • $\ell(v)=\ell(w)$. In this case, for each $\phi\mathbin{\star} \mu \in \gamma (\mathbb{G})$, we have that $\phi(v)=\phi(w)$. Therefore,

    \begin{equation*}\begin{array}{llll} \alpha (\mathit{C}_{\textrm{if}_\textrm{eq}}(\gamma(\mathbb{G})) ) & \\ \text{(by previous observation and }\\ \text{by definition of $\alpha$)}& =&\alpha (\mathcal{C}_{\tau}^{I}\unicode{x0301A}{\mathit{com}_1}\unicode{x0301B}( \gamma(\mathbb{G})))\\ \text{(by definition)}&=& C(\mathit{com}_1)\\ \text{(by induction)}&\preceq & A(\mathit{com}_1)\\ \text{(by definition)}&=&\mathit{A}_{\textrm{if}_\textrm{eq}}(\mathbb{G}). \end{array} \end{equation*}
  • $\ell(v)\neq\ell(w)$. In this case

    \begin{equation*}\begin{array}{llll} \alpha (\mathit{C}_{\textrm{if}_\textrm{eq}}(\gamma(\mathbb{G})) ) \\ \text{ (by definition)} & = & \alpha (\begin{array}{l} \mathcal{C}_{\tau}^{I}\unicode{x0301A}{\mathit{com}_1}\unicode{x0301B}(\{\phi\mathbin{\star}\mu \in\gamma(\mathbb{G})\mid \phi(v)=\phi(w)\}) \\ \cup \\ \mathcal{C}_{\tau}^{I}\unicode{x0301A}{\mathit{com}_2}\unicode{x0301B}(\{\phi\mathbin{\star}\mu \in\gamma(\mathbb{G})\mid \phi(v)\not=\phi(w)\})\\ \end{array})\\ \\ \text{ (by definition of $\alpha$)}& =& \begin{array}[t]{l} \alpha ( \mathcal{C}_{\tau}^{I}\unicode{x0301A}{\mathit{com}_1}\unicode{x0301B}(\{\phi\mathbin{\star}\mu \in\gamma(\mathbb{G})\mid \phi(v)=\phi(w)\})) \curlyvee \\ \alpha (\mathcal{C}_{\tau}^{{I}}\unicode{x0301A}{\mathit{com}_2}\unicode{x0301B}(\{\phi\mathbin{\star}\mu \in\gamma(\mathbb{G})\mid \phi(v)\not=\phi(w)\}))\\ \end{array}\\ \\ \begin{array}[t]{l} \text{(by Proposition 84}\\ \text{ and monotonicity)} \end{array}& \preceq & \begin{array}[t]{l} \alpha ( \mathcal{C}_{\tau}^{{I}}\unicode{x0301A}{\mathit{com}_1}\unicode{x0301B}(\{\phi\mathbin{\star}\mu \in\gamma(\mathbb{G}_{|v=w})\})) \curlyvee \\ \alpha (\mathcal{C}_{\tau}^{I}\unicode{x0301A}{\mathit{com}_2}\unicode{x0301B}(\{\phi\mathbin{\star}\mu \in\gamma(\mathbb{G})\}))\\ \end{array}\\ \\ \text{ (by induction)}& \preceq& \mathcal{SC}_{{\tau}}^{{I}}\unicode{x0301A}{{\mathit{com}_1}}\unicode{x0301B}(\mathbb{G}_{|v=w}) \curlyvee \ \mathcal{SC}_{{\tau}}^{{I}}\unicode{x0301A}{{\mathit{com}_2}}\unicode{x0301B}(\mathbb{G})\\ \text{ (by definition)}& =& \mathit{A}_{\textrm{if}_\textrm{eq}}(\mathbb{G}). \end{array} \end{equation*}

$\mathtt{if\ v=null\ then\ }\mathit{com}_1 \ \mathtt{else}\ \mathit{com}_2$

The proof is analogous to that of the previous case and hence it is omitted.

$\mathtt{\{\mathit{com}_1;\ldots;\mathit{com}_p\}}$

The proof of this case follows directly from the induction hypothesis.

Theorem 88. The abstract denotational semantics is correct wrt the concrete one.

Proof. To prove the correctness of the denotational semantics, it is enough to prove the correctness of the abstract transformer. Since composition preserves correctness, it is sufficient to prove that

  1. $\lambda \mathbb{G} \in \mathsf{ALPS}_{\mathit{scope}(\kappa.{\mathord{\mathtt{m}}})}. \mathbb{G}_{\Vert dom(\mathit{output}(\kappa.{\mathord{\mathtt{m}}}))}$ is correct wrt $\lambda\sigma\in\Sigma_{\mathit{scope}(\kappa.{\mathord{\mathtt{m}}})}.\,\sigma_{\Vert dom(\mathit{output}(\kappa.{\mathord{\mathtt{m}}}))} = \lambda\phi\mathbin{\star}\mu\in\Sigma_{\mathit{scope}(\kappa.{\mathord{\mathtt{m}}})}.\,\phi|_{dom(\mathit{output}(\kappa.{\mathord{\mathtt{m}}}))}\mathbin{\star}\mu$;

  2. $\mathcal{SC}_{{\mathit{scope}(\kappa.{\mathord{\mathtt{m}}})}}^{{I}}\unicode{x0301A}{{\mathit{body}(\kappa.{\mathord{\mathtt{m}}})}}\unicode{x0301B}$ is correct wrt $\mathcal{C}_{\mathit{scope}(\kappa.{\mathord{\mathtt{m}}})}^{I}\unicode{x0301A}{\mathit{body}(\kappa.{\mathord{\mathtt{m}}})}\unicode{x0301B}$;

  3. $\lambda \mathbb{G} \in \mathsf{ALPS}_{\mathit{input}(\kappa.{\mathord{\mathtt{m}}})}. N \mathbin{\star} E \mathbin{\star} \ell[w'_1 \mapsto \ell(w_1),\ldots, w'_n \mapsto \ell(w_n)] \mathbin{\star} \mathit{sh} \mathbin{\star} \mathit{nl}$ is correct wrt $\lambda\phi\mathbin{\star}\mu\in\Sigma_{\mathit{input}(\kappa.{\mathord{\mathtt{m}}})}.\,\phi[{\mathord{\mathtt{out}}}\mapsto{\mathord{\mathtt{null}}}, w'_1 \mapsto \phi(w_1),\ldots, w'_n \mapsto \phi(w_n), w_{n+1}\mapsto{\mathord{\mathtt{null}}},\ldots,w_{n+m}\mapsto{\mathord{\mathtt{null}}}]\mathbin{\star}\mu$.

The first and second points are the content of Proposition 80 and Theorem 87, respectively. The third point is trivial, since adding null variables does not add any node or edge to the graph.

Figure 1. Two concrete states illustrating pair sharing.

Figure 2. Abstractions of the concrete states in Figure 1.

Figure 3. Three concrete states illustrating nullness and aliasing.

Figure 4. Abstraction of the concrete states in Figure 3. Both $v_1$ and $v_2$ are first level nodes, even if there is an edge pointing to $v_1$.

Figure 5. Concrete and abstract states illustrating aliasing.

Figure 6. A concrete state illustrating nonlinearity.

Figure 7. Abstraction of the concrete state in Figure 6.

Figure 8. The example program.

Figure 9. Two $\mathsf{ALPS}$ graphs for the example program.

Figure 10. A concrete state with variables $v_7,v_8$.

Figure 11. Abstraction of the concrete state in Figure 10.

Figure 12. A pre-aliasing graph for the type environment in Example 36.

Figure 13. Comparison of aliasing graphs. We have explicitly annotated each node with its identity.

Figure 14. Least upper bound of aliasing graphs.

Figure 15. Greatest lower bound of aliasing graphs.

Figure 16. Two pre-$\mathsf{ALPS}$ graphs with a loop and a concrete state which is in the concretization of the pre-$\mathsf{ALPS}$ graph $\mathbb{G}$ in Figure 16B.

Figure 17. Example of an $\mathsf{ALPS}$ graph.

Figure 18. Least upper bound of $\mathsf{ALPS}$ graphs.

Figure 19. Greatest lower bound of $\mathsf{ALPS}$ graphs.

Figure 20. The $\mathsf{ALPS}$ interpretation for expressions.

Figure 21. The $\mathsf{ALPS}$ interpretation for simple commands.

Figure 22. The $\mathsf{ALPS}$ interpretation for assignment to field.

Figure 23. The $\mathsf{ALPS}$ interpretation for method calls. The auxiliary function $match_{v.{\mathord{\mathtt{m}}}}$ is defined later in Figure 24.

Figure 24. The $match_{v.{\mathord{\mathtt{m}}}}$ auxiliary operation.

Figure 25. $\mathsf{ALPS}$ interpretations for the makeTree method.