On collecting semantics for program analysis

Reasoning on a complex system in the abstract interpretation theory starts with a formal description of the system behaviour speciﬁed by a collecting semantics. We take the common point of view that a collecting semantics is a very precise semantics from which other abstractions may be derived. We elaborate on both the concepts of precision and derivability, and introduce a notion of adequacy which tell us when a collecting semantics is a good choice for a given family of abstractions. We instantiate this approach to the case of ﬁrst-order functional programs by considering three common collecting semantics and some abstract properties of functions. We study their relative precision and give a constructive characterization of the classes of abstractions which are adequate for the collecting semantics.


Introduction
Abstract interpretation, introduced by Cousot andCousot (1977, 1979), is a framework for approximating the behavior of systems.It has been used both for developing static analysis, verification methods and for studying relations among semantics at different levels of abstraction.The main point of abstract interpretation is to replace the formal semantics of a system with an abstract semantics computed over a domain of abstract objects, which describe the properties of the system we are interested in.
Given a system e, we assume that its semantics e is an element of a set C of concrete properties, called the concrete domain.In most cases we only need to know some abstract properties of the semantics of a system.Examples of abstract properties are: the program terminates for all the input values or the program output is a value in the interval [0,42].Given a set A of abstract properties (abstract domain) we are interested in, each concrete property in C may enjoy several abstract properties in A. The relationship between concrete and abstract properties may be formalized in many different ways, but one of the most common approaches consists in fixing an approximation ordering ≤ A on the set of abstract properties A, such that a 1 ≤ A a 2 when a 1 is a stronger property than a 2 , and defining an abstraction function α A : C → A which maps every concrete property to the strongest (smallest) abstract property it enjoys.This is what is presented in Cousot and Cousot (1992) under the "existence of a best abstract approximation assumption".
An abstract interpretation problem consists in answering whether the semantics e of a system e enjoys a given property a.In theory, this can be verified by computing the strongest abstract property enjoyed by the system e, which is α A ( e ), and checking that it enjoys the property a we are interested in, that is α A ( e ) ≤ A a. In practice, since e is not generally computable, the standard approach to solve this problem is to design an approximate abstract semantics e A ∈ A such that α A ( e ) ≤ A e A and show that e A ≤ A a. In most cases, e A is not designed starting from e , but from a so-called collecting semantics.
According to Cousot and Cousot (1992), the term collecting semantics may be used to mean either "an instrumented version of the standard semantics in order to gather information about programs executions" or "a version of the standard semantics reduced to essentials in order to ignore irrelevant details about program execution".In this paper, we consider only the second meaning of the term, i.e., we view a collecting semantics as an abstraction of the standard semantics.
One might ask which are the properties that an abstract interpretation enjoys which entitle the abstraction to be called a collecting semantics.It is common to find in the literature the statement that the collecting semantics is a very precise abstraction from which all the other analyses may be derived.Here we want to elaborate and formalize this statement.In particular, we discuss what is the right concept of precision of abstractions to be used in this context, and what is behind the statement that an analysis may be derived from another.
In the context of first-order functional programs, we consider collecting semantics commonly used in static analysis of programs which first appeared in Cousot and Cousot (1994).We introduce three collecting semantics CS 1 , CS 2 and CS 3 and discuss the relative precision among them, showing that CS 2 is a suitable collecting semantics for all properties, while CS 1 and CS 3 are only suitable for some properties of functions.We define a category of abstract interpretations and their morphisms based on the notion of Galois connection, discuss the role of initial objects and constructively characterize a class of abstractions for which the collecting semantics are initial, i.e., are well suited as collecting semantics.Moreover, we show how common abstractions of functional properties, such as strictness, totality, convergence, divergence and monotonicity, relate to the collecting semantics.

Plan of the paper
In Section 2 we explore the concept of precision of abstraction, show some examples of abstraction for properties of functions and discuss how they can be compared starting from the above notion of precision.Section 3 introduces the two collecting semantics CS 1 and CS 2 .We compare the precision of the collecting semantics and formally state their relationships.In Section 4 we define the categorical framework of abstract interpretations and discuss the role of initial objects.Section 5 extends this characterization to an additional collecting semantics CS 3 and shows how it relates to the semantics in Section 3. In Section 6 we discuss what happens when using different formalizations of abstract interpretation and suggest some future work.All the proofs are in the appendix.
The article is an extended and revised version of Amato et al. (2018).The most prominent change is a complete overhaul of the motivations of this work and the reasons which led to our choice for the precision ordering.However, there are many other changes: we have included more examples of abstractions (totality, convergence, divergence, involution, idempotence, monotonicity, boundness), studied a new collecting semantics (CS 3 ) and significantly expanded the intuitive explanations.Moreover, both the appendix with the proofs and the section on related work are new.

Precision, derivability and collecting semantics
In the following, we fix a set C of concrete properties.The standard semantics e of a system e is an element of C. The concrete domain C may be endowed with additional structure which allows to derive the semantics of a system through structural induction on the description of the system and least fixpoint computations.However, the way e is defined is going to play only a marginal role in our discussion.
Definition 1 (Abstract Interpretation).An abstract interpretation for a set C is a pair (A, α A ) where the set A is partially ordered by ≤ A and α A is a map C → A. If c ∈ C, a ∈ A and α A (c) ≤ A a we say that a is a correct approximation of c.With an abuse of notation, we will sometimes identify an abstract interpretation (A, α A ) with its abstract domain A.
Often C is endowed with a partial ordering (called computational ordering) which is used in fixpoint computations.Computational ordering and approximation ordering may be unrelated, hence we do not require the map α A in an abstract interpretation to be monotone.

Abstractions and Galois connections
It is worth noting that the abstraction map in our definition of abstraction is not required to be part of a Galois connection.Many abstractions are more naturally formalized in term of abstraction functions only.As a very elementary example, consider the classical "rule of sign" for checking the correctness of the sign of the product xy of two integer numbers, which exploits the fact that the sign of the multiplication xy can be recovered from the sign of x and the sign of y.If we formalize this rule as an abstract interpretation, we may choose Z as the concrete domain, Sign = {pos, neg, zero} as the abstract domain, and α S : Z → Sign as: Note that for Sign we use the flat ordering: a is a correct abstraction of x iff a is exactly α S (x).
In this case α S is not part of a Galois connection.Actually, α S is not even monotone if we use the standard ordering for Z.We may turn the rule of sign into a Galois connection if, for example, we take C = P(Z) as the concrete domain, A = P(Sign) as the abstract domain and α : C → A defined as the pointwise extension of α S , i.e., α(X) = {α S (x) | x ∈ X}, where both A and C are ordered by subset inclusion.In this case γ(X) All the abstractions we show in this paper can be turned into Galois connections only if we change the concrete domain.This actually means selecting a collecting semantics among several possible choices, and it is the main topic of the paper.Only rarely the standard semantics of a programming language directly forms a Galois connection with their common abstractions.A notable example is the T P like semantics for goal-independent semantic of logic programming (Comini et al., 2001).

Examples of abstractions
We take as applicative setting the abstract interpretation of functional programs.For easiness of presentation, we consider a simple case where the concrete domain C is the set D ⊥ → D ⊥ of unary functions from a base domain D ⊥ to itself, and assume that D ⊥ has a distinguished value ⊥ which represents non-terminating computations.Depending on the concrete domain, ⊥ may also encode run-time errors.All the results presented are independent from its concrete meaning.Some of the results which follow depend on the fact that D ⊥ has at least an element different from ⊥.The case when D ⊥ = {⊥} is a singleton is trivial and will not be considered.
Example 2 (A simple program).Consider a simple setting where the D = N is the set of natural numbers.Then, the program l e t rec prog n = i f ( n = 2 ) then prog ( n ) e l s e n has the following semantics: An example of a simple and useful abstraction is strictness.We say that a function f : Strictness analysis is used to prove that a function f either diverges or needs its arguments.The next definition formalizes strictness analysis as an abstract interpretation.
Definition 4 (Constancy).The constancy abstract interpretation (Wadler and Hughes, 1987) Consider the program prog defined in Example 2. Since prog uses its argument and does not always diverge, we have α str ( prog ) = str and α const ( prog ) = .

Comparing abstract interpretations
In order to compare different abstract interpretations, we need to define a notion of relative precision 1 among them.Of course, one might say that there is already a standard notion of relative precision, which is the existence of a Galois connection among the abstract domains.We agree that Galois connections are quite convenient for comparing abstractions, but we do not think that this choice should go unquestioned, and we want to provide more elaborate arguments in favor of this approach.This is because in our setting abstract interpretations are defined through the use of abstraction functions only, and there should be a good reason for introducing Galois connections.
As a first, naïf approach, we may say that, given two abstract interpretations (A, α A ) and (B, α B ) for a concrete domain C, we have that (A, α A ) is more precise than (B, α B ) when all the properties computed by α B may be recovered from the properties computed by α A , that is when α B factors through α A , i.e., there is a map α : However, this definition of precision is too weak for many purposes.Most of the time, we are not able to compute the abstraction of the concrete semantics α A ( e ) but only an over-approximation of the real value through an abstract semantics e A ≥ A α A ( e ).In this case, knowing e A does not say anything about α B ( e ), since we have not required α to be monotone.
Example 12.We say that a function f : Note that, although α A (f ) = defconstr exactly when f is strict, the value defconstr does not represent the property of being strict but the property of being strict or defined constant.We may define α : A → Str such that α = {defcon → , defconstr → str , → }, and we have α • α A = α str .However, α is not monotone: if we have a program e and we know that e A = defconstr ≥ α A ( e ), we cannot conclude that str ≥ α str ( e ), i.e., that e is strict.
If we also require monotonicity of α in the definition of precision, things go better.In this case, if we know that e A ≥ A α A ( e ), then we also know α( e A ) ≥ B α B ( e ), hence an approximate result for the abstract interpretation A gives an approximate result for the abstract interpretation B.
Definition 13 (Relative α-precision).Given abstract interpretations (A, α A ) and (B, α B ) over the domain C, we say that A is more α-precise than B when there is a monotone map α : It turns out that the trivial abstraction (C, id ) with the flat ordering on C is the most α-precise abstraction.Actually, if (A, α A ) is an abstraction, in order to show that C is more α-precise than A it is enough to choose α = α A , which is monotone since the ordering of C is flat.

Relative precision and verification
Relative α-precision is still not satisfactory in all the contexts.If abstract interpretation were used for analysis only, it might be a good choice.However, abstract interpretation is also used for verification.In this case, we do not really want to compute α A ( e ).On the contrary, we fix a property a ∈ A and want to decide whether α A ( e ) ≤ A a.
Definition 14 (Abstract interpretation problem).Let C be a concrete domain and e be a system whose concrete semantics is e ∈ C. Given an abstract interpretation (A, α) for C and an abstract property a ∈ A, an abstract interpretation problem consists in deciding whether α( e ) ≤ A a .
According to this new perspective, if we have abstract interpretations A and B, we might say that A is more precise than B when each abstract interpretation problem over the domain B may be transformed into an equivalent abstract interpretation problem over the domain A. In this way, if we hypothetically have an oracle for verifying properties over A, we can use it to verify properties over B. We may formalize this point of view as follows.
Definition 15 (Relative γ-precision).Given two abstract interpretations (A, α A ) and (B, α B ) over the domain C, we say that A is more γ-precise than B when there is γ : We show with a couple of examples that the two variants of relative precision are different from one another.
Example 16.Consider the abstract interpretation A = D ⊥ ∪{ } with d < A for each d ∈ D ⊥ .The idea is that stands for the trivial property enjoyed by every function, while d ∈ D ⊥ is the property of being constantly equal to d.In other words: There is a monotone map α : A → Const given by and α const = α • α A .Therefore, A is more α-precise than const.However, there is no direct way to decide whether a map f is constant by having a verifier for the abstract interpretation problems in A. Actually to check whether α const (f ) ≤ A const, we would need to solve a possibly infinite number of problems α A (f ) ≤ d for each d ∈ D ⊥ .Therefore, A is not more γ-precise than Const.
Example 17.Consider the domain (A, α A ) given by and (B, α B ) which is defined in exactly the same way but without the element.Note that α A never returns .Then, A is more γ-precise than B: we just define γ : B → A as the injection of A in B. However, there is no monotone map α : A → B such that α B = α • α A since there is no way to map consistently.
Although in the general case the two concepts of precision are different, there are several ways in which they may collapse.This happens, for example, when α A is surjective.
Proposition 18.If α A is surjective, and A is more γ-precise than B, then A is more α-precise than B and there is a Galois connection α, γ Note that while the trivial abstraction (C, id ) is the most α-precise abstract interpretation, the same is not true when considering γ-precision.
Example 19.The trivial abstraction is not more γ-precise than Str.This would amount to the existence of a function γ : Str → C such that α str (f ) = str iff f = γ(str ).In other word, this would be possible only if there were an unique strict function, which is obviously not true.
In the general case, the fact that (A, α A ) is more α-precise and γ-precise than (B, α B ) does not imply that α, γ is a Galois connection, as shown by the following example.
We have that (A, α A ) is more α-precise than (B, α B ), since α is monotone and α is the identity on the image of α A .Moreover, (A, α A ) is more γ-precise than (B, α B ). Actually, ≤ B and ≤ A do coincide on B, hence, for all b ∈ B we have that However α and γ do not form a Galois connection, since α(other ) ≤ str but other ≤ γ(str ).

Derivability among semantics
In the intuitive definition of collecting semantics, one of the requirements is that the other abstractions may be derived from it.What does it mean that an abstraction (B, α B ) may be derived from (A, α A )? It seems unavoidable that each sensible definition of "may be derived from A" means that A is more αprecise than B. In the hypothetical case that we are able to compute everything without losing information, we want that going through the collecting semantics instead of the standard semantics does not loose information.
However, derivable also means that if we have an (approximate) constructive definition of an abstract semantics e A ≥ A α A ( e ), this may be used as a guide for a constructive definition of an abstract semantics e B ≥ B α B ( e ).
A common case is when e = F ω e (⊥ C ) for some map F e : C → C and the abstract semantics in A is built by simulating in the abstract domain the progression of the concrete iterates.It means that there is a map )) and there is an abstract join A : The cornerstone of the correctness proof is the following proposition.We show the proof here since we think it is important to follow the remaining part of this section.
Proposition 21.Let (A, α A ) and (B, α B ) be abstractions such that A is both more α-precise and γ-precise than B. If F A,e : A → A preserves correctness of abstractions, i.e., for any a By correctness of F A,e , it holds that and by composing with the monotone map α, we have Although this result is similar to known results on correctness of abstract operators, it is essential in this proof that we track the behavior of the concrete iterates.Therefore, we have three semantics involved: the concrete one and two abstract ones.This is because the two definitions of relative precision are essentially blind on how A and B are related on elements which are not an abstraction of concrete values.If we want to work more freely without having to continuously refer to the concrete semantics, we may require that α and γ form a Galois connection.This is actually not very far from what we already have, as shown in Proposition 18.
Definition 22 (Relative precision).Given (A, α A ) and (B, α B ) two abstract interpretations over the domain C, we say that A is more precise than B when there is a Galois connection α, γ : This is essentially the same definition of precision given in Cousot and Cousot (1977), with the additional requirement that α should respect the abstraction maps α A and α B which have been given beforehand.Note that we use the term "relative" precision since in some papers the term precision is used to mean α-completeness, which is a different concept (Giacobazzi et al., 2000).
Clearly, relative precision is stronger than both α-precision and γ-precision.When we have a Galois connection, correctness of the abstract semantics A w.r.t. the abstract semantics B may be rephrased without involving concrete semantics, as in the next well known result.

Proposition 23. Given F
In the following, we use the definition of relative precision based on Galois connections.Please note that if we only have an abstraction (A, α A ) and a Galois connection α, γ : A B, then we may define an abstraction over B as (B, α • α A ) such that A is more precise than B. However, we are taking a different point of view where abstractions are defined directly from the concrete semantics, so that condition α B = α • α A should be included explicitly.

Collecting semantics
The conclusion from the previous sections is that if we want to compare different abstract interpretations, the notion of relative precision based on Galois connection conjugates in a simple way different aspects relative to precision (αand γ-precision) with aspects relative to derivability between abstract semantics.The latter is particularly important when one of the two semantics we are considering is a collecting semantics, since its main purpose is guiding the design of an abstract semantics.
When we want to design an abstract semantics, we can either take the concrete semantics as the reference, and use a relatively poor mathematical framework, or use the collecting semantics as the reference, and derive the abstract semantics using the Galois connection framework.
Given a family of abstractions F, a question which arises is which is the "best" collecting semantics for the abstractions in F. Obviously, we require the collecting semantics to be more precise than all the abstractions in F. However, we might require something more.In the general case, if A is more precise than B, there are several Galois connections α, γ : If (S, α S ) is a collecting semantics for a family F, it would be better to have a unique Galois connection from S to each abstraction in F.
Definition 24 (Adequate collecting semantics).Given a domain C and a family F of abstractions, an abstraction (S, α S ) is a collecting semantics adequate for F when, for each abstraction (A, α A ) ∈ F, there is a unique Galois connection α, γ : In the rest of the paper, we analyze some common collecting semantics and abstractions for the case of first-order functional languages, we study their relative precision, and we characterize the class of abstractions for which the collecting semantics are adequate.

Collecting semantics
We define two abstract interpretations CS 1 and CS 2 which are commonly used as collecting semantics for the concrete domain D ⊥ → D ⊥ .
Definition 25 (Collecting Semantics CS 1 ).We define the abstract interpretation CS 1 on D ⊥ → D ⊥ as: and f (X) is the image of f through X.
Note that, differently from the definition in Cousot and Cousot (1994), CS 1 is restricted to maps P(D ⊥ ) ∪ − → P(D ⊥ ) which are complete join-morphisms, otherwise there would be multiple abstract objects which approximate exactly the same set of concrete functions.This will be important when proving the adequacy of the CS 1 semantics.A different solution could be to change CS 1 to D ⊥ → P(D ⊥ ).
Example 26.The restriction to join-morphisms is required since the approximation of any function f : is actually completely characterized from the behavior of φ on singletons.For instance, given d ∈ D, consider the following functions φ 0 and φ 1 : Both φ 0 and φ 1 approximates only a single function, namely the function which diverges for any input, but φ 0 , which is a complete join-morphisms, seems to be a cleaner choice.
Definition 27 (Collecting Semantics CS 2 ).We define the abstract interpretation CS 2 on D ⊥ → D ⊥ as: where P(D ⊥ → D ⊥ ) is ordered by standard subset inclusion and

Strictness and collecting semantics
Consider the relation between α CS1 and α str .First of all, note that it is possible to recover α str ( e ) from α CS1 ( e ), since it holds that α str = α 1str • α CS1 where α 1str : CS 1 → Str is defined as: for each φ : P(D ⊥ ) ∪ − → P(D ⊥ ).Therefore CS 1 is more α-precise than strictness.Moreover, consider the problem α str ( e ) ≤ str .It is immediate to show that this is equivalent to α CS1 ( e )({⊥}) ⊆ {⊥}.In turn, this is equivalent to α CS1 ( e ) ≤ φ str by defining This happens because the functions correctly approximated by φ str are exactly all the strict functions.The problem α str ( e ) ≤ is always true, and it is equivalent to α CS1 ( e ) ≤ CS1 where CS1 (X) = D ⊥ for any non empty X.Therefore, each strictness problem may be reduced to a problem on the collecting semantics CS 1 .If we define γ 1str : Str → CS 1 as: we have that CS 1 is more γ-precise than Str and α 1str , γ 1str is a Galois connection.
Note that the same holds for the collecting semantics CS 2 .Actually, CS 2 is more α-precise than Str by taking Moreover α str ( e ) ≤ str is equivalent to α CS2 ( e ) ⊆ F str where F str = {f | α str (f ) = str }.This make CS 2 more γ-precise than Str by defining γ : CS 2 → Str such that γ(str ) = F str and γ( Analogously to the strictness property, it is easy to show that also the convergence, divergence and totality properties may be reduced to a problem on the collecting semantics CS 1 by defining The analogous result for CS 2 is immediate.

Constancy and collecting semantics
Not all the abstract interpretation problems may be reduced to problems in a given collecting semantics.Consider the problem α const ( e ) ≤ const.It may be easily reduced to a problem in CS 2 , by α CS2 ( e ) ⊆ F const where F const = {f | α const (f ) = const}, however it cannot be reduced to a problem in CS 1 .We must be careful to understand what this means.It is still possible to recover α const (f ) from α CS1 (f ): actually, Therefore, CS 1 is more α-precise than Const.However, there is no element in CS 1 which corresponds to the set of all the constant functions.Actually, if f is an unknown constant function, we have that f (x) might be potentially equal to any value x ∈ D ⊥ .Therefore, the only abstract object φ ∈ P(D ⊥ ) ∪ − → P(D ⊥ ) which is a correct approximation for all the constant functions is the greatest element Unfortunately, this is a correct approximation for all the functions, not only the constant ones.More in general, CS 1 cannot express any constraint relating the results of a function for different inputs (it is a so-called non-relational domain).
Hence, there is no φ const such that α const (f ) ≤ const is equivalent to α CS1 (f ) ≤ φ const , i.e., CS 1 is not more γ-precise than Const.Therefore, the collecting semantics CS 1 is not well suited to analyze the constancy property.

Involution, idempotence, monotonicity and collecting semantics
Analogously to the constancy property, if we consider the involution property and the problem α inv ( e ) ≤ inv , we have that it may be reduced to a problem in CS 2 , by α CS2 ( e ) ⊆ F inv where F inv = {f | α inv (f ) = inv }.However, as for the previous case, it cannot be reduced to a problem in CS 1 , even if In fact, since there is no element in CS 1 which corresponds to the set of all the involutions, there is no The same holds for Ide, Mon and Bou.Therefore, the collecting semantics CS 1 is not well suited to analyze the involution, idempotence, monotonicity and boundness properties.

Relationships among collecting semantics
We now explore how the two collecting semantics relate to each other.We notice that both α CS1 and α CS2 factor through the other.Actually, α CS2 = α 12 • α CS1 where α 12 : CS 1 → CS 2 is given by . This contrasts with the standard consideration that CS 2 is more precise than CS 1 and not vice versa.However, the different precision between the two is apparent when we note that, for each φ ∈ CS 1 , we have However, the converse is not true: given F ∈ CS 2 , in the general case there is no φ F ∈ CS 1 such that Therefore CS 2 is more γ-precise than CS 1 but not vice versa.
Example 28 (CS 1 is not more γ-precise than CS 2 ).Let F = {λx.⊥,λx.a} for a given a ∈ D. Then α CS2 ( e ) ⊆ F iff e is a program which always diverges or always terminates with result a.If we choose φ F = α 21 (F ), which one might think as a sensible choice in (1), we have φ F (X) = {⊥, a} for any non empty X.
Therefore, if e is a program which always diverges or always terminates with result a, we have α CS1 ( e ) ≤ φ F .However, the same holds for any program which returns both outputs ⊥ and a for different inputs.Therefore, the left and right hand-sides in (1) are not equivalent.In general, for any φ F we may choose, the condition α CS1 ( e ) ≤ φ F is not able to select functions which always return the same value.
The following proposition summarizes the previous arguments.

Adequacy of collecting semantics
In this section we elaborate on the concepts of adequacy for a family of abstractions.We define a category whose objects are abstract interpretations and whose morphisms are transformations from more precise to less precise abstractions (see, e.g., Asperti and Longo (1991) for standard definitions in category theory).
Definition 30 (Category of abstract interpretations).We call AI(C) the category whose objects are abstract interpretations for C and whose morphisms are Galois connection α, γ : Collecting semantics are a starting point when designing new abstract interpretations.If an abstract interpretation (A, α A ) is designed starting from the collecting semantics (S, α S ), it means that (S, α S ) should be more precise than (A, α A ), hence there should be a map from (S, α S ) to (A, α A ) in our category AI(C).Moreover, it would be preferable to have an unique way of deriving (A, α A ) as a Galois connection from (S, α S ), according to the concept of adequacy introduced in the previous sections.In the categorical settings, this leads to the notion of initiality: if (S, α S ) is initial for a given full subcategory D of AI(C), it means that (S, α S ) is adequate for the family of abstractions in D.
Given a collecting semantics (S, α S ), we are interested in characterizing the maximal full subcategory D of AI(C) such that (S, α S ) is initial for D. Such subcategories immediately induce a taxonomy on program analysis which precisely characterizes the program properties suitable for a given collecting semantics.In the rest of the section, we show that for the two collecting semantics CS 1 and CS 2 , such a full subcategory can be constructively described.

The collecting semantics CS 2
We first show that CS 2 is initial for all the abstract interpretations which have enough joins, and that this is the largest class of abstract interpretations which enjoys this property.
Definition 31 (Having enough joins).We say that the abstract interpretation (A, α A ) has enough joins when A X exists for each X which is a subset of the image of α A .
Obviously, if A is a complete join-semilattice, than (A, α A ) has enough joins.
Note that α max (f ) = d ∈ D when d is the maximum value of f .We have that Max has enough joins if and only if D is a complete join-semilattice.Therefore, if D ⊥ = N ∪ {⊥} with the standard ordering on natural numbers, then D ⊥ has not enough joins.
Theorem 33.The full subcategory of all the abstract interpretations which have enough joins is the largest class of abstractions for which the collecting semantics CS 2 is initial.

The collecting semantics CS 1
We now show that the collecting semantics CS 1 is initial for a large class of abstract interpretations, which can be constructively characterized.
Definition 34 (Mix of functions).We say that a function g : Definition 35 (Mixable interpretations).Let (A, α A ) be an abstract interpretation such that A has enough joins.We call (A, α A ) mixable if, for any set of functions F ⊆ D ⊥ → D ⊥ , whenever g is a mix of functions in F , we have An interpretation is mixable when deciding whether α(f ) ≤ a may be done by looking at the values of f for a single element of the domain at a time.This observation is formalized by the following lemma.
In the previous lemma, the interesting direction is ⇐=, since for the other direction it is enough to take f = f .Example 37. We apply the above intuitive characterization to the previously defined abstractions.
• The strictness abstract interpretation in Definition 3 is mixable, since we only need to check the single value of f (⊥) in order to decide whether a function is strict.
• The constancy, involution, idempotence, monotonicity and boundness abstract interpretations in Definitions 4, 8, 9, 10 and 11 are not mixable, since we need to compare the values computed by f for different arguments.
• The totality, convergence and divergence abstract interpretations in Definitions 5, 6 and 7 are mixable, since we just need to check the value of f for (many) single arguments, without the need of comparing them.
We now show that all the mixable interpretations may be designed starting from the collecting semantics CS 1 .
Theorem 38.The full subcategory of all the mixable abstract interpretations is the largest class of abstractions for which the collecting semantics CS 1 is initial.

The downward closed semantics CS 3
Another commonly used collecting semantics for functional programs is the downward closed collecting semantics defined in Cousot and Cousot (1994).
Given a poset (X, ≤ X ) and Y ⊆ X, we denote by ↓ Y the downward closure of Y , i.e. the set Y is downward closed if ↓ Y = Y and we denote by P ↓ (X) the set of downward closed subsets of X.Note that (P ↓ (X)), ⊆) is a complete lattice with ∅ as the bottom element and union as the join.
In our setting the poset X is P(D ⊥ ) with subset ordering.Therefore, given Θ ⊆ P(D ⊥ ), we have Definition 39 (Collecting semantics CS 3 ).We introduce the abstract interpretation CS 3 = P(P(D ⊥ )) where P(P(D ⊥ )) ∪ − → P ↓ (P(D ⊥ )) is ordered by ⊆, the pointwise extension of ⊆, and for some a ∈ D. Then The abstraction α CS3 is not directly suitable as a collecting semantics, since it contains many objects which are abstraction of exactly the same set of functions in D ⊥ → D ⊥ .
Example 41.Let Φ = α CS3 (f ) the element of CS 3 from Example 40 and let Φ be the following element of CS 3 : where a and b are two distinct elements of D. Note that if f is a function in D ⊥ → D ⊥ and Φ is a correct abstraction of f , then f (x) = b for each x ∈ D ⊥ .This is because, according to Φ , we have f ({x}) is either {⊥} or {a}.Therefore, the element b in the first clause of Φ is useless: Φ is a correct approximation of f iff Φ is a correct approximation of f .
Note that Φ in Example 41 is in CS 3 but Φ is not.
Example 43.The constancy abstraction reduces to CS 3 .In fact, in order to check whether a function f is constant, it is enough to verify for each X ⊆ D ⊥ that f (X) is a singleton, i.e., it is an element of ↓{{d} | d ∈ D ⊥ }.More precisely, the abstract interpretation problem α const (f ) ≤ const may be reduced to α CS3 (f ) ⊆Φ const where Example 44.The boundness abstraction reduces to CS 3 .In fact, in order to check whether a function f is bounded, it is enough to verify for each X ⊆ D ⊥ that f (X) is bounded.More precisely, the abstract interpretation problem α bou (f ) ≤ const may be reduced to α CS3 (f ) ⊆Φ bou where The condition on cardinalities is needed to ensure that Φ bou is an element of CS 3 .Actually, for any function g, the cardinality of g(X) cannot be greater than the cardinality of X.
Let us compare the semantics CS 3 w.r.t.CS 1 and CS 2 .First of all, CS 2 is more α-precise than CS 3 .Actually, we may define a monotone map α 23 : CS 2 → CS 3 as Theorem 45.CS 2 is more precise than CS 3 .
On the other side, CS 3 is more α-precise than CS 1 .Let us define a monotone map α 31 : CS 3 → CS 1 as: Theorem 46.CS 3 is more precise than CS 1 .
Analogously to the previous abstraction, α CS2 = α 32 • α CS3 where α 32 : CS 3 → CS 2 is given by However, neither of them has a right adjoint.Actually, the next proposition shows that CS 1 is strictly less precise than CS 3 , which in turn is strictly less precise than CS 2 .

Adequacy for CS 3
We now try to characterize the set of abstractions which may be derived from the CS 3 semantics through a Galois connection.This characterization will turn out to be a generalization of the concept of mixable interpretations we have already introduced for CS 1 .
Definition 48 (Set-Mix of functions).We say that a function g : Definition 49 (Set-Mixable interpretations).Let (A, α A ) be an abstract interpretation such that A has enough joins.We call (A, α A ) set-mixable if, for any set of functions In other words, an interpretation A is set-mixable when deciding whether α A (f ) ≤ a may be done by looking at the values of f for a single subset X of the elements of the domain at a time.The function f enjoys a given property if, for any X, f (X) is an element of a downward closed set of accepted values.This observation is formalized by the following lemma.
Example 51.It is immediate to see that the constancy abstraction is setmixable, by exploiting the characterization in Example 43.With respect to the previous intuitive characterization, note that, in order to decide whether f is constant, it is enough to check that, for each set X, the image f (X) is a subset of a singleton.
Theorem 52.The full subcategory of all the set-mixable abstract interpretations is the largest class of abstractions for which the collecting semantics CS 3 is initial.
Using the characterization of set-mixable abstract interpretations, we may show that CS 3 is adequate for the boundness abstraction.
Example 54 (Permutation abstraction).An example of an abstraction that cannot be derived from CS 3 through Galois connections is the domain of permutations, Perm = ({perm ≤ }, α perm ) where Actually, in order to check whether f is a permutation, we could check that f (X) has the same cardinality of X for any X and that f (D ⊥ ) = D ⊥ .However, this is not possible in set-mixable interpretations, since when examining f (X) we may only check whether it is a subset of a given family of good results, not that it is exactly equal to one of these results.
More formally, consider the constant map f (x) = d 0 for some d 0 ∈ D ⊥ .Given X ⊆ D ⊥ not empty, we have f (X) = {d 0 }.Consider a permutation f X such that there exists x ∈ X with f X (x) = d 0 .Then f (X) = {d 0 } ⊆ f X (X) with α perm (f X ) ≤ perm.Hence, if α perm were set-mixable, it would be α perm (f ) = perm.
Analogously the domains of involution, idempotent and monotone functions cannot be derived from CS 3 .

Example 55 (Involution functions). Consider the constant map
Example 56 (Idempotent functions).Let d 0 , d 1 ∈ D ⊥ with d 0 = d 1 and consider the non-idempotent function Given X ⊆ D ⊥ not empty, we have Let us consider the idempotent functions Hence, if α ide were set-mixable, it would be α ide (f ) = ide.
Example 57 (Monotone functions).Consider the non-monotone function Let us consider the monotone functions Hence, if α mon were set-mixable, it would be α mon (f ) = mon.

Related work
Since the very beginning of the abstract interpretation theory, there have been work on categorical approaches to abstract interpretation, both to show that abstract interpretation can be rephrased in category theory and to exploit category theory results in the abstract interpretation framework (see, for instance, Abramsky (1990); Backhouse and Backhouse (2004); Panangaden P. (1984); Venet (1996)).In this paper, we use category theory in a much more limited way.

Other formalizations of abstract interpretation
The abstract interpretation framework presented in this paper is the same which appears in Cousot and Cousot (1992) under the "existence of a best abstract approximation assumption": it is based on an abstraction function and a partial ordering of abstract properties.However, not all the abstract interpretations may be formalized in this way: sometimes it is necessary to resort to a weaker framework where the relation between the concrete domain C and the abstract domain A is given by an approximation relation A ⊆ A×C.When a A c we say that a is a correct abstraction of c. Generally A is upward closed, i.e., if a A c and a ≤ A a , then a A c (what Cousot and Cousot (1992) call "abstract soundness of upper approximations assumption").
A classical example of this situation arises when using numerical abstract domains (Cousot and Cousot (1976); Amato et al. (2010Amato et al. ( , 2013)); Amato and Scozzari ( 2012)) for instance in polyhedral analysis of imperative programs (Cousot and Halbwachs, 1978).In this case, we may think that the concrete domain C is the set of execution traces for a program, while the abstract domain P is the set of maps from program points to finite sets of linear inequations on the program variables.We say that an abstract object π is a correct approximation of the trace t (i.e., π P t) if and only if, for each program point p, every time t passes through p the corresponding assignment of values to variables in t is a point in the polyhedron π(p).We cannot formalize this abstract interpretation with an abstraction function, since if t is infinite, the convex hull of all the assignments for a given program point p might not have a least polyhedral approximation.Another example of this phenomenon is the domain of parallelotopes (Amato et al., 2017).
The fact that the abstraction (P, P ) cannot be formalized with an abstraction function is reflected by the fact that the relation between (P, P ) and the standard collecting semantics is not a Galois connection.The collecting semantics in this case is (S, S ) where S is the set of maps from program points to the powerset of assignments of values to variables, and π S t when for each program point p, every time t passes through p, the corresponding assignment is an element of π(p).Although (S, S ) is generally considered the reference collecting semantics for (P, P ), the relation between the two is given by a monotonic map γ : P → S with the property that if π P t then γ(π) S t.However, for the same reason given above, γ has no left adjoint.
We can easily adapt our presentation to this more general definition of abstract interpretation, where the morphism in the category of abstract interpretations now are the concretization functions, that respect the approximation relations.
Note that, in some settings, a standard semantics is already a collecting semantics, in the sense that many common abstraction may be formulated directly as Galois connections of the standard semantics.This is often the case for (constraint) logic programs.The semantics of computed answers (Bossi et al., 1994) is already a collecting semantics: many properties such as sharing, groundness, freeness used in static analysis of logic programs may be formulated as Galois connections from the s-semantics.

Future work
As for future work, our aim is twofold.From one side, we would like to refine the theoretical framework to reach a clean formal definition of what a collecting semantics is.In this paper we have been focused on the problem of examining when a collecting semantics is adequate for a given abstraction, but we lack a precise a priori definition of what a collecting semantics is.To this question, the paper only gives partial answers: if we have a family of abstractions, we might define a collecting semantics as an initial object in the appropriate subcategory, but if the family is too small, the initial object might be something so abstract that it should not be called a collecting semantics.Actually, it seems reasonable to require that a collecting semantics should be more α-precise than the standard semantics: this means it essentially contains all the information which is present in the standard semantics, although in a form which is easier to deal with in further abstractions.
A different line of research is applying the framework to different settings, for example to the operational semantics of imperative languages.In this case, the standard semantics of a program might be its execution traces (assuming the language is deterministic) while a common collecting semantics is the map associating to each program point the set of all states when the execution reaches that point.Although this is a common collecting semantics, it is not well suited for analyzing the input-output behavior of programs, so different collecting semantics might be proposed for this application.Particularly relevant to this line of research is the work of Cousot and Cousot (2000) on temporal abstract interpretation and the work of Cousot (1997) on abstract interpretation of transition systems.

Conclusion
Any static analysis formalized in the abstract interpretation framework is defined starting from a collecting semantics, on which the meaning of the system is defined, and then providing a set of abstract objects which encode the properties we are interested in.The collecting semantics is then a fundamental choice in the design of any abstract interpretation.As pointed out in Cousot and Cousot (2014): If the collecting semantics is too abstract, it has a limited expressive power which also limits the scope of the static analysis/verification methods that can be formally derived by abstract interpretation of this collecting semantics.
[omissis] On the other hand, if the collecting semantics is too precise, then further abstractions are more complex to express.
While we can find in the literature much work on the concrete domain (the semantic framework) and the abstract properties (the abstract domain and its operations), a few work has been devoted to systematically study how to choose the collecting semantics.For instance, both Cousot and Cousot (1992) and Cousot and Cousot (1994) present many collecting semantics, without a general method for choosing the right one.
Mostly authors simply use one of the already defined collecting semantics or, sometime, they invent a new one for a specific abstraction.Some authors have studied how to compute the optimal collecting semantics for a given abstract interpretation (e.g., Giacobazzi (1996) limited to the analysis of logic programming).Such an approach forces inventing new collecting semantics (and thus describing new concrete semantics) every time we change the abstract property to be analyzed.
On the contrary, we study three most commonly used collecting semantics for functional programs, we precisely characterize the set of abstract interpretations which can be defined on them and derive a taxonomy on program analysis.More generally, the definition of the sets of mixable and set-mixable abstract interpretations provides a constructive method, applicable to all the abstract interpretations of functional programs, to decide which collecting semantics should be the starting point for the definition of the analysis.
Our formal definition of the category of abstract interpretations also allows us to formally state the relationships between the common collecting semantics and some standard abstract interpretation, and to spread a new light on the significance and choice of the collecting semantics.
As far as we know, this is the first work where the set of abstract interpretations reducible to a given collecting semantics is precisely characterized, leading to the notions of mixable and set-mixable abstract interpretation, which precisely capture these sets of functions.

Appendix -Proofs
Proof (Proposition 18).First of all, we can define a monotone map α : A → B such that α B = α • α A .Given a ∈ A, consider any c ∈ C such that α A (c) = a and take α(a) = α B (c).In order to prove that α is well-defined, we show that if α A (c 1 ) ) and again by Definition 15 we get α B (c 1 ) ≤ B α B (c 2 ).This proves that α is well-defined and monotone.Moreover, α B = α • α A by definition.
At this point, Definition 15 may be rewritten as for each a ∈ A and b ∈ B, which is the definition of Galois connection.
• The proof is by contradiction.Assume that there exists α 1const , γ 1const : Then, by definition of CS 1 , from which the thesis.
• First, we consider the involution property.The proof is by contradiction.
Assume that there exists α 1inv , γ 1inv : CS 1 Inv such that where for i = 0, 1, d i ∈ D ⊥ and d 0 = d 1 and let Then, by definition of CS 1 , Now, we have a contradiction, since φ ≤ φ 1 ∨ φ 2 , while from which the thesis.Now, we consider the idempotence property.The proof is by contradiction.Assume that there exists α 1ide , γ 1ide : CS Then, by definition of CS 1 , for i ∈ {0, 1}, from which the thesis.Now, let us consider the monotonicity property.The proof is by contradiction.Assume that there exists α 1mon , γ 1mon : CS 1 Mon such that Now, the proof is analogous to the previous case and hence it is omitted.
Finally, let us consider the boundness property.The proof is by contradiction.Assume that there exists α 1bou , γ 1bou : CS 1 Bou such that α bou = α 1bou •α CS1 .Let g be a non-bounded function and for each d ∈ D ⊥ let us consider the constant function from which the thesis.
Proof (Theorem 33).Assume (A, α A ) is an abstract interpretation which has enough joins.We first show that there exists a Galois connection α, γ from CS 2 to (A, α A ) and prove that α • α CS2 = α A .We define We now prove that α has a right adjoint.It is enough to show that α is a complete join-morphism.
We need to prove that given any α , γ : CS 2 (A, α A ) such that α • α CS2 = α A , then we have that α = α and γ = γ .Since γ and γ are right adjoints to α and α respectively, it is enough to prove that α = α .Given F ∈ P(D ⊥ → D ⊥ ), since α is a complete join-morphism, we have that Finally, assume that there exists a Galois connection α, γ from CS 2 to (A, α A ) with α • α CS2 = α A .We want to prove that (A, α A ) has enough joins.Let F ⊆ D ⊥ → D ⊥ , since a left adjoint preserves all joins in its domain, we have: (A, α A ) has enough joins, which concludes the proof.
Proof (Lemma 36).The direction =⇒ is obvious, it is enough to take f = f .For the other direction, for each x ∈ D ⊥ let us call f x a function such that f x (x) = f (x) and α A (f x ) ≤ a.Then, f (x) = f x (x) is obtained by mixing the maps f x 's, and since (A, α A ) is mixable, then α A (f ) ≤ a.
Proof (Theorem 38).Assume (A, α A ) is a mixable interpretation.We define a Galois connection α, γ from CS 1 to (A, α A ) and prove that α First of all, we show that α • α CS1 = α A .We have We now prove that α, γ is a Galois connection.It is obvious that α and γ are monotone.Note that Since φ is a complete join-morphism, the last property holds for all X ⊆ D ⊥ iff it holds for all singletons {x} with x ∈ D Note that quantifying over all x ∈ D ⊥ and y ∈ φ({x}) is the same than quantifying over all x ∈ D ⊥ and f : D ⊥ → D ⊥ correctly abstracted by φ.Hence we get: We need to prove that if α , γ : CS 1 (A, α A ) is such that α • α CS1 = α A , then α = α and γ = γ .Since γ and γ are right adjoints to α and α respectively, it is enough to prove α = α .Given φ ∈ P(D ⊥ ) ∪ − → P(D ⊥ ), since φ is a complete join-morphisms, we have: Since α has a right adjoint, it is a complete join-morphism, hence Finally, we show that, given any abstract interpretation (A, α A ), if there is a Galois connection α, γ : CS First of all, we prove that A has enough joins.Let F ⊆ D ⊥ → D ⊥ , since a left adjoint preserves all joins in its domain, we have: Then {α A (f ) | f ∈ F } exists, i.e., (A, α A ) has enough joins.Now, given a function g, assume g is a mix of the functions in F .We need to prove that α A (g) ≤ f ∈F α A (f ).Since ∀x ∈ D ⊥ ∃f ∈ F s.t.g(x) = f (x), it follows that for any x ∈ D ⊥ there exists f ∈ F such that α CS1 (g)({x}) = α CS1 (f )({x}), and thus α CS1 (g)({x}) ⊆ f ∈F α CS1 (f )({x}), from which α CS1 (g) ≤ f ∈F α CS1 (f ).Since α is a join-morphism, we have that α(α CS1 (g)) ≤ α( f ∈F α CS1 (f )) = f ∈F α(α CS1 (f )), i.e. α A (g) ≤ f ∈F α A (f ).
On the other hand, Therefore α 13 is not monotone and then the thesis.
• The proof of the second point is again by contradiction.Let d 0 and d 1 be two elements in D ⊥ and assume that there exists α 32 , γ 32 : CS 3 CS 2 such that α CS2 = α 32 • α CS3 .Let f be the identity on . Let X ⊆ D ⊥ and we have several cases: if d 0 / ∈ X and d 1 / ∈ X, then g(X) = f (X) = f (X); if d 0 ∈ X but d 1 / ∈ X, then g(X) = f (X); if d 1 ∈ X but d 0 / ∈ X, then g(X) = f (X); if d 0 , d 1 ∈ X, then g(X) ⊂ f (X) = f (X).
By monotonicity it should be {g} ⊆ {f, f }, which is a contradiction.
Proof (Lemma 50).The direction =⇒ is obvious, it is enough to take F = {f }.For the other direction, for each X ⊆ D ⊥ let us call f X a function such that f (X) ⊆ f X (X) and α A (f X ) ≤ a.Then, f (X) is obtained by mixing the maps f X 's, and since (A, α A ) is set-mixable, then α A (f ) ≤ a.
Proof (Theorem 52).Assume (A, α A ) is a set-mixable interpretation.We define a Galois connection α, γ from CS 3 to (A, α A ) and prove that α • α CS3 =  First of all, we show that α • α CS3 = α A .We have Note that α CS3 (f ) ⊆ α CS3 (f ) if and only if f = f .Therefore α(α CS3 (f )) = α A (f ).We now prove that α, γ is a Galois connection.It is obvious that α and γ are monotone.Note that Φ ⊆ γ(a) ⇐⇒ ∀Θ ⊆ P(D ⊥ ).Φ(Θ) Since Φ is a complete join-morphism, the last property holds for all Θ ⊆ P(D ⊥ ) iff it holds for all the singletons {X} with X ∈ P(D ⊥ ).Then Φ ⊆ γ(a) is equivalent to Note that quantifying over all X ∈ P(D ⊥ ) and Y ∈ Φ({X}) is the same as quantifying over all X ∈ P(D ⊥ ) and f : D ⊥ → D ⊥ correctly abstracted by Φ. Hence we get: We need to prove that if α , γ : CS 3 (A, α A ) is such that α • α CS1 = α A , then α = α and γ = γ .Since γ and γ are right adjoints to α and α respectively, it is enough to prove α = α .Given Φ ∈ P(P(D ⊥ )) The proof of maximality is analogous to that one of Theorem 38 and hence it is omitted.
Proof (Proposition 53).The proof is by contradiction.Assume that the boundness abstraction is not set-mixable.Then, by definition of Bou, there exist g : D ⊥ → D ⊥ and a set of functions F ⊆ D ⊥ → D ⊥ , such that for each X ⊆ D ⊥ there exists f ∈ F such that g(X) ⊆ f (X) and = α bou (g) ≤

Example 32 .
Let (D ⊥ , ) be a poset such that ⊥ d for each d ∈ D ⊥ .We say that a function f : D ⊥ → D ⊥ has a maximum value d ∈ D if there exists y ∈ D ⊥ such that for each x ∈ D ⊥ , f (x) f (y) = d.Consider the abstract interpretation Max= (D ⊥ , α max ) such that

f
∈F α bou (f ) = bou.Since α bou (g) = , we have that g is not bounded and therefore for each d ∈ D ⊥ there existsv d ∈ D ⊥ , g(v d ) ≤ d.Let S = {v d | d ∈ D ⊥ }.By hypothesis there exists f ∈ F such that g(S) ⊆ f (S).Therefore for each v d ∈ S there exists w d ∈ S such that g(v d ) = f (w d ).By construction for each d ∈ D ⊥ we have that f (w d ) ≤ d.Therefore f is not bounded, α bou (f ) = and this contradicts the assumption f ∈F α bou (f ) = bou.Bibliography