Hybrid Semantics for Higher-order Store Bernhard Reus Continuity, - PowerPoint PPT Presentation

Hybrid Semantics for Higher-order Store Bernhard Reus Continuity, Computability, Constructivity – From Logic to Algorithms (Nancy 2017) 1

Motivation (short) Soundness for a logic for programs that can store commands, use dynamic memory allocation (heaps) with “local reasoning rules” (w.r.t. heap). 2

Recursion through Store “Landin’ s knot” eval [f] : run code in f [c] : dereference c let n = [ c ] in if n =0 then skip else ( eval [ f ] ; [ c ] := n -1; eval [ it ] ) assume this code is stored recursive call in cell it “through the Not so easy to show soundness store” of typing or verification rules due to circularity. 3

Higher-order Store recursive domain equations J K 2 as “infinite type” Heap = Rec ( Val ) records labelled by natural numbers ( Val = Integers ? � Com ? Com = Heap ( T err ( Heap ) strict error monad continuous function space 4

Specifications 5

Hoare Calculus (Assignment) { P [ e/x ] } x := e { P } { P } S 1 { I } { I } S 2 { Q } (Composition) { P } S 1 ; S 2 { Q } { B ∧ P } T { Q } {¬ B ∧ P } E { Q } (if-then-else) { P } if B then T else E { Q } { B ∧ I } S { I } (while) { I } while B do S od { I ∧ ¬ B } P ⇒ P � { P � } S { Q � } Q � ⇒ Q (Weakening) { P } S { Q } 6

Separation Logic [13] P. W. O’Hearn, H. Yang, and J. C. Reynolds. Local reasoning about programs that alter data structures. In Proc. of CSL’01 , pages 1–19, Paris, France, 2001. 5. Reynolds, J.C.: Separation logic: A logic for shared mutable data structures. extra assertions LICS. (2002) 55–74 | | emp heaplet is empty | heaplet has exactly e 1 | e 1 ↵⌃ e 2 one cell e 1 e 2 containing e 2 ⌘ | heaplet can be divided P P into separate heaplets | P 1 � P 2 (no aliasing) such that one part fulfils P 1 and the other P 2 7

Separation Logic allows for local reasoning on heaps via Frame Axiom that says that if a command does not fault with given heap “P”, then neither will it fail, given some extra heap “R”: ` { P } e { Q } ) { P ⇤ R } e { Q ⇤ R } means program semantics can’ t depend on non-allocated addresses 8

Nested triples [ Nested Hoare Triples and Frame Rules for Higher-order Stores, Schwinghammer, Birkedal, Reus, Yang, LMCS 7(3)] x ⌃⇧ ⌥ a. { a ⌃⇧ } · ( a ) { emp } Cell x contains a unary procedure with formal parameter a that deallocates a . Note: no need to specify that the rest of the heap remains unchanged. This will be done by the Frame Axiom. 9

Spec for Iterator saying f does not have any effects on heap { c 7! ⇤ f 7! { emp } { emp } ⇤ it 7! } [ it ] := ‘ C it ,f,c ’ ; eval [ it ] { c 7! 0 ⇤ f 7! { emp } { emp } ⇤ R it } . recursive heap predicate definitions must be contractive ⌘ µX. it 7! { c 7! ⇤ f 7! { emp } { emp } ⇤ X } R it ⌘ } { { c 7! 0 ⇤ f 7! { emp } { emp } ⇤ X } [it] “maintains itself” 10

Challenges recursively defined specifications need exist (semantically) need to express local reasoning w.r.t heaps, i.e. various frame rules must be validated (invariants preserved): 11

Invariants in Sep.Logic { } { } { } { } ∗ ∗ on P ∗ R indicates that P and R govern disjoint regions of the heap. P ⇥ R adds invariant to all nested triples in P ( x ⌃⇧ ⌥ a. { a ⌃⇧ } · ( a ) { emp } ) ⇥ v ⌃⇧ ⌅ x ⌃⇧ { a ⌃⇧ � v ⌃⇧ } · ( a ) { v ⌃⇧ } Ξ ; Γ ⊢ P Ξ ; Γ ⊢ P ⊗ R def P ◦ R = ( P ⊗ R ) ∗ R { P } e { Q } ⊗ R ⇔ { P ◦ R } e { Q ◦ R } ( P ⊗ R ′ ) ⊗ R ⇔ P ⊗ ( R ′ ◦ R ) ( κ x.P ) ⊗ R ⇔ κ x. ( P ⊗ R ) ( κ ∈ { ∀ , ∃ } , x / ∈ fv ( R )) ( P ⊕ Q ) ⊗ R ⇔ ( P ⊗ R ) ⊕ ( Q ⊗ R ) ( ⊕ ∈ { ⇒ , ∧ , ∨ , ∗ } ) P ⊗ R ⇔ P ( P is one of true , false , emp , e = e ′ , e �→ e ′ ) 12

Motivation (longer) This gives rise to a Kripke semantics: world = store invariants assertion = world-indexed predicate Kripke monotonicity = invariance under store (world) extensions leads to recursively defined worlds involving predicates! 13

Motivation (longer) recursive domain equation W = W ! Pred ( Heap ) Semantic type of heap assertions then: W ! Pred ( Heap ) world W = invariants to be maintained 14

Problem H ow to define (or approximate) those recursive worlds involving predicates, in particular for higher-order store? Four ways (at least): use Andy Pitts’ “recursive properties of recursive domains technique” (but no recursive unfolding of worlds) construct them using complete ultrametric spaces This is use operational semantics and “approximative what solutions” (step-indexing) the talk is or: mix ultrametric domains and step-indexing approaches about 15

Ultrametric Spaces 16

Definition An ultrametric space ( X , d ) satisfies the strong ∆ -inequality d ( x , z ) ≤ max { d ( x , y ) , d ( y , z ) } A function f : X 1 → X 2 is non-expansive if ∀ x , y ∈ X 1 : d 2 ( f ( x ) , f ( y )) ≤ d 1 ( x , y ) CBUlt : category with complete, 1-bounded, non-empty ultrametric spaces and non-expansive functions 17

Constructions Function spaces ( X 1 , d 1 ) → ( X 2 , d 2 ) . Non-expansive functions X 1 → X 2 with d ( f , g ) = sup { d 2 ( f ( x ) , g ( x )) | x ∈ X 1 } Scaling δ · ( X , d 0 ) . Set X with distance function d ( x , x 0 ) = δ · d 0 ( x , x 0 ) used to enforce contractiveness 18

Predicate Domain predicates over Heap from earlier – � = π 0 ( h ) ↵ . . . ↵ π k ( h ) ↵ π k +1 ( h ) ↵ . . . ↵ h for all h ⌥ Heap , i.e., the π k ’s form an increasing chain of approximations of the identity on Heap ; – π j ⇤ π k = π min { j,k } for all j, k ; in particular, every π k is idempotent; – � k π k ( h ) = h , i.e., every heap is the limit of its approximations. solve Heap equation in SFP domains Which Subsets of Heaps shall we use? k are uniform : for any k ⌥ N , if h ⌥ p then π k ( h ) ⌥ p . conjunction bination operation, we define separating 19

Uniform Predicates UAdm ( D ) = all uniform admissible subsets of (recursive) domain D closed under sups of ascending chains write UAdm for the set of all uniform admiss , p [ n ] denotes the image of p under � n . Note uniform admissible subsets will form the bas ( 2 � max { i 2 ω | p [ i ] = q [ i ] } if p 6 = q d ( p, q ) = 0 otherwise If D is a (recursive) domain with ⇡ i finite projections as on previous slide then: Lemma ( UAdm ( D ) , d ) is a 1-bounded complete ultrametric space. 20

Recursive Definitions ... exist for locally contractive functors on complete ultrametric spaces [America, Rutten, based on Banach, 1989] one can always make the functor locally contractive by scaling with a shrinking factor < 1. The functor ˆ F ( X , Y ) = 1 2 · F ( X , Y ) is locally contractive : d (ˆ F ( f , g ) , ˆ 1 F ( f 0 , g 0 )) ≤ 2 · max { d ( f , f 0 ) , d ( g , g 0 ) } 21

Recursive Worlds � ⇤ Theorem 3. There exists an ultrametric space W and an isomorphism ι from 1 2 · ( W UAdm ) to W in CBUlt. Proof. By an application of America & Rutten’s existence theorem for fixed points of locally contractive functors on complete ultrametric spaces [1], applied · ◆  to ( ) = ( UAdm ). See [3] for details of a similar application. 2 · ( W UAdm ) and ι � 1 : W � We write Pred for 1 = Pred for the inverse to ι . n This solves our initial domain equation, however, with an extra “shrinking factor”. 22

top level Semantic of triples n w | = { p } c { q } , i : , if for all r ∈ UAdm and all h ∈ Heap : h ∈ p ( w ) ∗ ι − 1 ( w )( emp ) ∗ r ⇒ c ( h ) ∈ Ad( q ( w ) ∗ ι − 1 ( w )( emp ) ∗ r ) , h 2 p ( w ) ⇤ ι − ( w )( emp ) ⇤ r ) c ( h ) 2 Ad( q ( w ) ⇤ ι − ( w )( emp ) ⇤ r ) , where Ad( r ) denotes the least downward closed and admissible set of heaps containing r . result of c(h) must not be error downward closure due to invariant w is maintained by c ... uniformity (partial correctness) ... but also by code in assertions admissibility so that we can p and q use approximations (next slide) frame rule baked in via r 23

nested i.e. as assertions Semantic of triples | { } { } 2 � ⇥ A triple holds approximately up to level k , w | = k { p } d { q } , if w | = { p } π k ; d ; π k { q } . � ⇥ ⇥ � , ⇥ � ⇥ � , ⇥ ⇥ � ⇥ � , ⇥ � { P } e { Q } ⇥ � , ⇥ w = Ad { h ⌥ Heap | rnk ( h ) > 0 ⌃ w | = rnk ( h ) � 1 { � P ⇥ � , ⇥ } � e ⇥ � { � Q ⇥ � , ⇥ }} Definition 15 (Rank of a heap) . If h is a compact element of Heap , then the least n for which π n ( h ) = h is the rank of h , abbreviated rnk ( h ), otherwise the rank is undefined. | { } { } ⇧ A triple holds approximately up to level k , w | = k { p } d { q } , if w | = { p } π k ; d ; π k { q } . p } d { q } provides indeed an approximation of the judgem at w | = { p } c { q } is equivalent to 8 k 2 ω . w | = k { p } c { q } . n +1 needs to be non-expansive in semantics of P and Q needs to be non-expansive in the world w (to be in Pred) 24

Deep Frame Rule {{ || } � } ⌅ ⌅ Lemma 4. There exists a non-expansive map ⌃ : W ⇤ W W and a map ⇧ : Pred ⇤ W Pred that is non-expansive in its first and contractive in its second argument, satisfying q ⌃ r = ι ( ι � 1 ( q ) ⇧ r ⌅ ι � 1 ( r )) and p ⇧ r = λ w.p ( r ⌃ w ) for all p ↵ Pred and q, r ↵ W . These are recursively defined operations which exist by Banach’s fixpoint theorem. 25