Proof (Sketch). The proof follows by Kleenian fixpoint transfer. We have that P(P(Σ^+∞)),

·

^,

·

^,

·

^{,{Σω,∅},{∅, Σ+}}is a complete lattice and thatφ^+∞(cf.

Eq.1) andΘ_•(cf. Eq.8) are monotonic function. Additionally, we have that the outcome abstraction α_• (cf. Eq.7) is Scott-continuous (cf. Lemma 1) and such that α_•(Σ^ω) = {Σ^ω,∅} and α_•◦φ^+∞ =Θ_•◦α_•. Then, by Kleenian fixpoint transfer, we have thatα•(Λ) =α•(lfpφ^+∞) = lfp

·

_Θ•. Thus, we can conclude

that Λ•= lfp

·

_Θ•.

Finally, we show that the outcome semantics Λ_• is sound and complete for proving that a program does not use (a subset of) its input variables.

Theorem 2. A program does not use a subset J of its input variables if and only if its outcome semanticsΛ• is a subset ofNJ:

P |=NJ⇔Λ•⊆ NJ

Proof (Sketch). The proof follows immediately from the definition of N_J (cf.

Eq.3 and Sect.4) and the definition ofΛ• (cf. Eq.8).

Example 4. Let us consider again the program P and its semantics [[P]]science

shown in Example1. The corresponding outcome semanticsα•([[P]]science) is:

α•([[P]]science) ={∅,{(t). . .(tf),(f ). . .(ff)},{(t). . .(tt),(f ). . .(ft)}}

Note that all sets of traces in α•([[P]]science) belong to N_{science}: the initial states of all traces in a non-empty partition contain all possible initial values (t or f) for the input variablescience. Thus, P satisfies N{science} and, indeed,

the input variablescienceis unused byP.

As discussed in Sect.4, we now can again use the standard framework of abstract interpretation to soundly over-approximate Λ• and prove that a pro- gram does not use (some of) its input data. In the next section, we propose an abstraction that remains sound and complete for input data usage. Further sound but not complete abstractions are presented in later sections.

all partitions T of S. Observe that a trace σ that consists of a single state s is abstracted as a pair s, s. The corresponding dependency concretization function γ: P(P(Σ×Σ_⊥)) → P(P(Σ^+∞)) over-approximates the original sets of traces by inserting arbitrary intermediate states:

γ(S)^def= T ∈ P

Σ^+∞

| {σ[0], σ[ω] ∈Σ×Σ_⊥ |σ∈T} ∈S

(11) Example 5. Let us consider again the program of Example 1 and its outcome semanticsα•([[P]]math) shown in Example3. Its dependency abstraction is:

α(α•([[P]]math)) ={∅,{f,ff},{t,tt,f ,ft}}

which explicitly ignores intermediate program states.

Usingα, we now define the dependency semantics Λ ∈ P(P(Σ^+∞)) as an abstraction of the outcome semanticsΛ_•.

Definition 2. The dependency semanticsΛ∈ P(P(Σ^+∞))is defined as:

Λdef

= α(Λ•) (12)

where Λ_• ∈ P(P(Σ^+∞)) is the outcome semantics (cf. Eq.8) and α is the dependency abstraction (cf. Eq.10).

Neither the Kleenian fixpoint transfer nor the Tarskian fixpoint transfer can be used to obtain a fixpoint definition for the dependency semantics, but we have to proceed by union of disjoint fixpoints [12]. To this end, we observe that the outcome semanticsΛ_• can be equivalently expressed as follows:

Λ•=Λ⁺_• ∪Λ^ω_• = lfp_∅

·

_Θ•⁺_∪lfp_{Σ

·

_{ω} Θ•}^ω

Θ⁺_•(S)^def= {Ωo1=v1,...,ok=vk|v1, . . . , vk ∈V} ∪

·

^{{τ ;T |T ∈S}}

Θ_•^ω(S)^def= {τ ;T |T ∈S}

(13)

whereΛ⁺_• andΛ^ω_• separately compute the set of all sets of finite traces that agree on their outcome, and the set of all infinite traces, respectively.

In the following, given a set of tracesT ∈ P(Σ^+∞) and its dependency abstrac- tionα(T), we abuse notation and writeT⁺(resp.T^ω) to also denoteα(T)^{+ def}= α(T)∩(Σ×Σ) (resp.α(T)^ωdef= α(T)∩(Σ× {⊥})). Similarly, we reuse the symbols for the computational order

·

, least upper bound

·

, and greatest lower bound

·

, instead of their abstractions. We can now use the Kleenian and Tarskian fixpoint transfer to separately derive fixpoint definitions ofα(Λ⁺_•) andα(Λ^ω_•) inP(P(Σ×Σ_⊥)),

·

^,

·

^,

·

^{,{Σ× {⊥},∅},{∅, Σ×Σ}.}

Lemma 2. The abstraction Λ^+def= α(Λ⁺_•)∈ P(P(Σ×Σ)) can be expressed as a least fixpoint in P(P(Σ×Σ⊥)),

·

^,

·

^,

·

^{,{Σ× {⊥},∅},{∅, Σ×Σ} as:}

Λ⁺= lfp_{∅}

·

_Θ⁺

Θ⁺(S)^def= {Ωo1=v1,...,ok=vk×Ωo1=v1,...,ok=vk |v1, . . . , vk ∈V} ∪

·

^{{τ◦R|R∈S}}

(14)

Proof (Sketch).By Kleenian fixpoint transfer (cf. Theorem 17 in [12]).

Lemma 3. The abstraction Λ^{ω def}= α(Λ^ω_•)∈ P(P(Σ×Σ)) can be expressed as a least fixpoint in P(P(Σ×Σ⊥)),

·

^,

·

^,

·

^{,{Σ× {⊥},∅},{∅, Σ×Σ} as:}

Λ^ω= lfp_{Σ×{⊥}}

·

_Θ^ω

Θ^ω(S)^def= {τ◦R|R∈S} (15) Proof (Sketch).By Tarskian fixpoint transfer (cf. Theorem 18 in [12]).

The fixpoint iteration forΛ⁺ starts from the set containing only the empty relation. At the first iteration, the empty relation is replaced by all relations between pairs of final states that agree on the values of the output variables.

At each next iteration, all relations are combined with the transition relation to obtain relations between initial and final states of increasingly longer traces.

At the limit, we obtain the set of all relations between the initial and the final states of a program that agree on the final value of the output variables. The fixpoint iteration for Λ^ω starts from the set containing (the set of) all pairs of states and the⊥outcome, and each iteration discards more and more pairs with initial states that do not belong to infinite traces of the program.

Now we can use Lemmas2 and 3 to express the dependency semanticsΛ in a constructive fixpoint form (as the union ofΛ⁺andΛ^ω).

Theorem 3. The dependency semanticsΛ∈ P(P(Σ×Σ_⊥))can be expressed as a least fixpoint inP(P(Σ×Σ_⊥)),

·

^,

·

^,

·

^{,{Σ× {⊥},∅},{∅, Σ×Σ}as:}

Λ=Λ⁺∪Λ^ω= lfp_{{Σ×{⊥},∅}}

·

_Θ

Θ(S)^def= {Ω_o1=v1,...,ok=vk×Ω_o1=v1,...,ok=vk|v1, . . . , v_k∈V} ∪

·

^{{τ◦R|R∈S}}

(16) Proof (Sketch).The proof follows immediately from Lemmas2and3.

Finally, we show that the dependency semanticsΛ is sound and complete for proving that a program does not use (a subset of) its input variables.

Theorem 4. A program does not use a subset J of its input variables if and only if the image via γ of its dependency semantics Λ is a subset ofN_J:

P |=NJ⇔γ(Λ)⊆ NJ

Proof (Sketch).The proof follows from the definition ofΛ(cf. Eq.12) andγ

(cf. Eq.11), and from Theorem 2.

Example 6. Let us consider again the program P and its outcome semantics α_•([[P]]science) from Example4. The corresponding dependency semantics is:

α(α•([[P]]science)) ={∅,{t,tf,f ,ff},{t,tt,f,ft}}

and, by definition ofγ, we have that its concretizationγ(α(α_•([[P]]science))) is an over-approximation ofα_•([[P]]science). In particular, since intermediate state computations are irrelevant for deciding the input data usage property, all sets of traces in γ(α(α_•([[P]]science))) are over-approximations of exactly one set in α_•([[P]]science) with the same set of initial states and outcome. Thus, in this case, we can observe that all sets of traces inγ(α(α•([[P]]science))) belong to N_{science} and correctly conclude thatP does not use the variablescience.

At this point we have a sound and complete program semantics that captures only the minimal information needed to decide which input variables are unused by a program. In the rest of the paper, we present various static analyses for input data usage by means of sound abstractions of this semantics, whichunder- approximate (resp. over-approximate) the subset of the input variables that are unused (resp. used) by a program.