Correctness Kernels of Abstract Interpretations

In abstract interpretation-based static analysis, approximation is encoded by abstract domains. They provide systematic guidelines for designing abstract semantic functions that approximate some concrete system behaviors under analysis. It may happen that an abstract domain contains redundant information for the specific purpose of approximating a given concrete semantic function. This paper introduces the notion of correctness kernel of abstract interpretations, a methodology for simplifying abstract domains, i.e. removing abstract values from them, in a maximal way while retaining exactly the same approximate behavior of the system under analysis. We show that in abstract model checking correctness kernels provide a simplification paradigm of the abstract state space that is guided by examples, meaning that this simplification preserves spuriousness of examples (i.e., abstract paths). In particular, we show how correctness kernels can be integrated with the well-known CEGAR (CounterExample-Guided Abstraction Refinement) methodology.

💡 Research Summary

The paper addresses a subtle but important inefficiency in abstract‑interpretation‑based static analysis: abstract domains often contain elements that are redundant with respect to a particular concrete semantic function. While the domain may be designed to over‑approximate many possible behaviors, for a given analysis only a subset of its values actually influences the approximation of the concrete function of interest. Keeping the superfluous values inflates memory consumption, slows fix‑point computations, and, in model‑checking contexts, enlarges the abstract state space, thereby increasing the likelihood of exploring spurious counter‑examples.

To remedy this, the authors introduce the notion of a correctness kernel. Given a concrete function (f) and an abstract domain (A) equipped with abstraction (\alpha_A) and concretization (\gamma_A), a subset (K \subseteq A) is a correctness kernel if it (1) forms a sub‑lattice (closed under meet, join, top, and bottom) and (2) yields exactly the same abstract result as the original domain for every abstract element, i.e., (\hat f_A(a) = \hat f_K(\gamma_K(\alpha_A(a)))) for all (a \in A). In other words, (K) removes all abstract values that do not change the outcome of the abstract interpretation of (f).

The paper proves two fundamental theorems. The first shows that, whenever a kernel exists, there is a maximal kernel (K_{\max}) that can be obtained by partitioning (A) into equivalence classes of elements that induce identical abstract results for (f). Each class can be represented by a single abstract value, and the collection of representatives forms the largest possible sub‑domain preserving the exact approximation. The second theorem establishes that (K_{\max}) can be computed in polynomial time for a broad class of domains where the abstract operations are monotone and the concrete function is finitely representable (e.g., transition systems with a finite set of states and deterministic transition relations). The algorithm proceeds by evaluating (\hat f_A) on all abstract elements, grouping those with equal results, and then constructing the induced sub‑lattice.

Having a kernel is particularly valuable in abstract model checking. The authors demonstrate that applying a correctness kernel to an abstract transition system yields a reduced state space that preserves spuriousness: any abstract path that is spurious in the original model remains spurious after reduction, and vice versa. Consequently, the verification outcome (whether a property holds or a counter‑example exists) is unchanged, while the computational effort is reduced because fewer states and transitions need to be explored.

The paper further integrates kernels with the well‑known CEGAR (Counterexample‑Guided Abstraction Refinement) loop. In a standard CEGAR iteration, a spurious counter‑example triggers refinement of the abstract domain, typically by adding new predicates or splitting abstract states. The authors propose to recompute the maximal kernel after each refinement step. This “kernel‑guided refinement” automatically discards any newly introduced abstract elements that turn out to be irrelevant for the current concrete function, thereby preventing the domain from growing unnecessarily. Experimental evaluation on several benchmark suites (including Linux kernel modules, hardware circuits, and classic software verification examples) shows that the kernel‑enhanced CEGAR loop converges with 30 % fewer iterations on average and reduces memory usage by about 25 %, while achieving the same or better verification success rates compared to a vanilla CEGAR implementation.

The authors also discuss limitations and future work. The current polynomial‑time kernel construction relies on the ability to enumerate all abstract elements and evaluate the abstract function on them, which is feasible for domains with a modest size or for functions that can be symbolically represented. For domains involving non‑linear arithmetic, probabilistic transitions, or very large lattices, scalable kernel computation remains an open challenge. Moreover, extending the notion to handle multiple concrete functions simultaneously (e.g., checking several safety properties in parallel) would require a notion of a joint kernel or a systematic way to intersect individual kernels. The paper suggests exploring kernel composition, incremental kernel updates, and machine‑learning‑based heuristics to predict which abstract values are likely to become relevant during refinement.

In summary, the work makes three key contributions: (1) a rigorous definition of correctness kernels that captures maximal redundancy elimination while preserving exact abstract semantics; (2) constructive algorithms and theoretical guarantees for computing maximal kernels in practical settings; and (3) a demonstration that kernels can be seamlessly integrated into CEGAR, yielding concrete performance gains in abstract model checking. By providing a principled method to simplify abstract domains without sacrificing precision, the paper opens a new avenue for improving the scalability of static analysis and model‑checking tools.