
1. $G \in \mathcal{L}(C)$
2. $\mathcal{L}(C) = \emptyset$

Proof.

1. Given $G$, we can decide by a finite procedure if it fulfills the requirements of Definition 7.1, in which case it is in $\mathcal{L}(C)$, otherwise not.

First, we enumerate the elements $X^+$ in $C^+$ and check, for each, if there is a morphism $X^+ \to G$ (known to be decidable [20]). If there is no such $X^+$, we can conclude that $G \notin \mathcal{L}(C)$.

Then, if there is such an $X^+$, we enumerate the (finitely many) proper subgraphs of $G$ and check if any of them is isomorphic to any of the elements of $C^-$, allowing for a final decision.

2. By Propositions 7.1 and 7.3, $\mathcal{L}(C)$ is empty iff the positive pole of $\min(C)$ is empty, which can be easily verified by the construction in Definition 7.5.

Although, in the frame of the present thesis, we leave open the general question of language inclusion decidability, i.e., if we can always tell if $\mathcal{L}(C_1) \subseteq \mathcal{L}(C_2)$, we observe that in some specific cases, we directly have an answer (with $X_i^+ \in C_i^+$ and $X_i^- \in C_i^-$, $i \in \{1, 2\}$):

• If $\exists X_2^- \in C_2^-$ such that $\exists X_1^+ : X_2^- \hookrightarrow X_1^+$ but $\nexists X_1^- : X_2^- \hookrightarrow X_1^-$, then $\mathcal{L}(C_1) \not\subseteq \mathcal{L}(C_2)$, as we can find a $G \in \mathcal{L}(C_1)$ which will be excluded in $\mathcal{L}(C_2)$ through $X_2^-$.

• If the negative poles are empty, then $\mathcal{L}(C_1) \subseteq \mathcal{L}(C_2)$ if and only if $\forall X_1^+ \exists X_2^+ : X_2^+ \to X_1^+$: In this case, if a graph $G$ is admitted in $\mathcal{L}(C_1)$ by $X_1^+$, it will be also admitted in $\mathcal{L}(C_2)$, but if we have an $X_1^+$ not having a corresponding $X_2^+$, then $X_1^+ \in \mathcal{L}(C_1)$ but $X_1^+ \notin \mathcal{L}(C_2)$ as there is no element in $C_2^-$ admitting it.
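The second special case can be checked mechanically. The following Python sketch is an added example, not code from the thesis: it decides inclusion for two compasses with empty negative poles and returns the witness $X_1^+$ when inclusion fails. It assumes unlabeled directed graphs and plain edge-preserving morphisms found by brute force; all graph and function names are hypothetical.

```python
from itertools import product

# Assumption: a graph is (nodes, edges) with unlabeled directed edges, and a
# morphism is any node map that sends every edge to an edge.

def has_morphism(src, dst):
    """Brute-force search for an edge-preserving node map src -> dst."""
    (s_nodes, s_edges), (d_nodes, d_edges) = src, dst
    for image in product(d_nodes, repeat=len(s_nodes)):
        f = dict(zip(s_nodes, image))
        if all((f[u], f[v]) in d_edges for u, v in s_edges):
            return True
    return False

def admitted(pos_pole, g):
    """Membership with an empty negative pole: some X+ has a morphism into g."""
    return any(has_morphism(x, g) for x in pos_pole)

def included(pos1, pos2):
    """Inclusion criterion: every X1+ receives a morphism from some X2+."""
    return all(admitted(pos2, x1) for x1 in pos1)

def counterexample(pos1, pos2):
    """An X1+ lying in L(C1) but not in L(C2), or None if inclusion holds."""
    return next((x1 for x1 in pos1 if not admitted(pos2, x1)), None)

# Constructed sample graphs (hypothetical names).
EDGE = (["a", "b"], {("a", "b")})
PATH = (["a", "b", "c"], {("a", "b"), ("b", "c")})
CYCLE = (["a", "b", "c"], {("a", "b"), ("b", "c"), ("c", "a")})
LONG_PATH = (["p", "q", "r", "s"], {("p", "q"), ("q", "r"), ("r", "s")})

C1_POS = [PATH, CYCLE]   # positive pole of C1
C2_POS = [EDGE]          # positive pole of C2

if __name__ == "__main__":
    print("L(C1) within L(C2):", included(C1_POS, C2_POS))
    print("L(C2) within L(C1):", included(C2_POS, C1_POS))
    print("witness against the second:", counterexample(C2_POS, C1_POS))
    print("LONG_PATH in L(C1), L(C2):",
          admitted(C1_POS, LONG_PATH), admitted(C2_POS, LONG_PATH))
```

The search is exponential in the size of the source graph, which is acceptable for small pole elements but not a general-purpose homomorphism solver.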

Unfortunately, due to the peculiar interplay between positive and negative poles, closure properties under standard set operations (e.g., union) are even harder to reason about and proving corresponding statements is left for future work. We might, however, obtain an intuitive impression of the problem at hand by the following intuition on extending compasses: The positive pole of a compass splits the set of all graphs into two parts, those admitted by it and those not. Independently, the negative pole introduces another splitting into graphs excluded and graphs not excluded by it. Now, the language of the compass turns out to be the intersection of that set admitted by the positive pole and that set not excluded by the negative pole. However, adding even a single graph to, e.g., the positive pole interferes with this scheme: while the set of admitted graphs grows monotonically, the overall growth of the compass language is derived from the intersection of the non-excluded graph set and the freshly admitted graphs, where the characterization of this interplay might largely depend on the morphism relations between the involved graphs.

Executing a formal analysis of decidability of CGL closure of compass union as well as similar properties of other set operators (intersection, complement) is left for future work.

7.3 Abstract Interpretation of RePro by Compasses

In this section, we formally define our abstract interpretation framework for RePro based on compasses. Thereby, we follow the outlines of the work by Dams et al. [27] on abstract interpretation for reactive systems, based, in turn, on the original unifying program analysis framework proposed by Patrick and Radhia Cousot [26].

The main idea behind abstract interpretation is that each element of the abstract domain describes a (potentially infinite) number of concrete domain elements, ideally in a finitely representable way. In turn, there are abstraction and concretization functions (usually called $\alpha$ and $\gamma$, respectively), the former mapping concrete elements to the abstract one describing them, while the latter lists the concrete elements for a given abstract element.

In addition, both the concrete and the abstract domain might be embedded in states of a respective transition system [27]. This setting calls forth an abstract reasoning approach as required by challenge C3a, based on traditional model checking [5], i.e., the verification of temporal properties of transition systems with state predicates. If the abstract interpretation framework is used adequately, then properties holding for an abstract path are preserved for each concrete path conforming to it.

Note, however, that from a pragmatic perspective, we have a different take on the utilization of abstract interpretation. Usually, given a concrete domain, one derives an adequately suited, artificial abstract domain which then fits for verification purposes by construction. In contrast, we set off by providing an abstract transition system, i.e., a transition system whose states are composed of control processes and compasses. Afterwards, along the lines of [27], we connect the concrete and the abstract compass states by a Galois connection, enabling us to prove our main theorem: that our abstract states indeed subsume each potential concrete RePro execution. In turn, we obtain the desired abstract verification framework through µ-calculus formulas as in [27].

A Galois connection makes precise and formal the intuition behind that “connection” we mentioned above, between concrete and abstract (sets of) elements, in turn embedded in states of their respective transition systems. Consequently, as abstract elements describe a set of concrete objects, we are working with such sets on the concrete side. Intuitively, a Galois connection consists of a pair of (total and monotonic) functions, mapping sets of concrete elements to abstract ones and vice versa, such that any concrete set is preserved after abstraction and re-concretization, and also, any abstract element remains at least as accurate after concretization and re-abstraction (according to an accuracy ordering on the abstract domain). Formally, given are two sets of objects: the set of concrete objects is denoted $\mathcal{B}$, while the set of abstract objects is denoted $\mathcal{A}$. Let $\mathcal{K} \subseteq 2^{\mathcal{B}}$ and $\mathcal{A}$ be the concrete domain and the abstract domain, respectively. Both domains are equipped with a partial order.

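Definition 7.10 (Galois Connection). Functions $\alpha : \mathcal{K} \to \mathcal{A}$ and $\gamma : \mathcal{A} \to \mathcal{K}$ are a Galois connection from poset $(\mathcal{K}, \subseteq)$ to poset $(\mathcal{A}, )$ if

1. both $\alpha$ and $\gamma$ are total and monotonic,
2. for all $K \in \mathcal{K}$, $K \subseteq \gamma\alpha(K)$ and
3. for all $A \in \mathcal{A}$, $\alpha\gamma(A)$  $A$.

A Galois connection is a Galois insertion if in addition,

4. $A$  $A'$ $\Leftrightarrow \gamma(A) \subseteq \gamma(A')$.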

As our main motivation is to avoid that each execution starts with a fixed input graph, we are aiming at defining an abstract domain which characterizes states of a controlled graph-rewriting process abstractly, but based on their respective control action history. Consequently, there is an abstract transition system whose states and transitions correspond to multiple states and transitions in RePro, respectively. In this context, correctness means that each abstract transition captures each concrete transition whose source state corresponds to the source of the abstract transition. For RePro, this means that for each abstract transition, each rule application from graphs described by its source leads to an output graph which is described by its target. Correctness is necessary for any domain pairs for a purposeful use of abstract interpretation.

Following the outline of the work of Dams et al. [27], on both sides of our connection, a model represents all ingredients together: the set of objects (which are sets again for the concrete side) with their respective partial orders as well as their underlying transition systems (implicit in the formal Galois connection definition). In particular, as a concrete model, we consider $\mathcal{L}_{\mathcal{C}}$ with subset inclusion as partial ordering and RePro as transition system. As an abstract model, we consider $\mathcal{C}$ with L and the compass transition system. To justify this choice, we first have to check that L is indeed a partial order.

Proposition 7.6. L $\subseteq [C] \times [C]$ (Definition 7.5) is a partial order.

Proof. Reflexivity and transitivity are obvious by the underlying subset inclusion. For antisymmetry, observe that $\mathcal{L}([C]) \subseteq \mathcal{L}([C'])$ and $\mathcal{L}([C']) \subseteq \mathcal{L}([C])$ imply $\mathcal{L}([C]) = \mathcal{L}([C'])$; by Proposition 7.3, this

We have now prepared the ground for defining the abstraction and concretization functions from CGL to compasses and vice versa, and verifying that our definitions indeed yield a Galois connection. In particular, although this is not strictly necessary for the further developments, due to the close relation of our domains, we get a Galois insertion.

Definition 7.11 (Compass Abstraction Function). The compass abstraction function $\alpha : \mathcal{L}_{\mathcal{C}} \to [C]$ is a function mapping compass-definable graph languages to compass equivalence classes s.t. (i) $\alpha$ is total and (ii) for any $G \in \mathcal{L}_{\mathcal{C}}$, $\mathcal{L}(\alpha(G)) = G$.

Note that such an $\alpha$ is provided over $\mathcal{L}_{\mathcal{C}}$ due to Definition 7.9.

Definition 7.12 (Compass Concretization Function). The compass con-