SLIDE 1
FACULTY OF SCIENCE
Bart Jacobs
Contents
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.1/52
Structuring Computations Structuring Computations Contents Jacobs - - PowerPoint PPT Presentation
Structuring Computations Structuring Computations Contents Jacobs - - PowerPoint PPT Presentation
FACULTY OF SCIENCE Bart Jacobs Structuring Computations Structuring Computations Contents Jacobs Types06, 18/4/06 p.1/52 Structuring Computations Contents I. Sneak preview VII. Hoare logic for JML II. Comonads VIII. Conclusions
SLIDE 2
SLIDE 3
Contents
Structuring Computations
- I. Sneak preview
- II. Comonads
- III. Arrows
- IV. Monads, also for
Java
- V. Java verification
- VI. Static checking
- VII. Hoare logic for JML
- VIII. Conclusions
Jacobs – Types’06, 18/4/’06 – p.1/52
SLIDE 4
Contents
Structuring Computations
- I. Sneak preview
- II. Comonads
- III. Arrows
- IV. Monads, also for
Java
- V. Java verification
- VI. Static checking
- VII. Hoare logic for JML
- VIII. Conclusions
No explicit message; some type/object-related topics that I like; and you too, hopefully!
Jacobs – Types’06, 18/4/’06 – p.1/52
SLIDE 5
- I. Sneak preview
Jacobs – Types’06, 18/4/’06 – p.2/52
SLIDE 6
Purely functional programs
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.3/52
SLIDE 7
Purely functional programs
Structuring Computations
Writing X for the type of inputs, Y for outputs . . .
Jacobs – Types’06, 18/4/’06 – p.3/52
SLIDE 8
Purely functional programs
Structuring Computations
Writing X for the type of inputs, Y for outputs . . . . . . a functional program from X to Y is simply a function X
Y
Jacobs – Types’06, 18/4/’06 – p.3/52
SLIDE 9
Imperative, state-based programs
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.4/52
SLIDE 10
Imperative, state-based programs
Structuring Computations
Writing S for the type of states . . .
Jacobs – Types’06, 18/4/’06 – p.4/52
SLIDE 11
Imperative, state-based programs
Structuring Computations
Writing S for the type of states . . . . . . an imperative program is: X × S
Y × S
Jacobs – Types’06, 18/4/’06 – p.4/52
SLIDE 12
Imperative, state-based programs
Structuring Computations
Writing S for the type of states . . . . . . an imperative program is: X × S
Y × S
Or, equivalently, X
(Y × S)S
Jacobs – Types’06, 18/4/’06 – p.4/52
SLIDE 13
Imperative, state-based programs
Structuring Computations
Writing S for the type of states . . . . . . an imperative program is: X × S
Y × S
Or, equivalently, X
(Y × S)S
Involving the State Monad Y − → (Y × S)S
Jacobs – Types’06, 18/4/’06 – p.4/52
SLIDE 14
Reactive, stream-based programs
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.5/52
SLIDE 15
Reactive, stream-based programs
Structuring Computations
A reactive program is: XN
Y N
Jacobs – Types’06, 18/4/’06 – p.5/52
SLIDE 16
Reactive, stream-based programs
Structuring Computations
A reactive program is: XN
Y N
Or, equivalently, XN × N
Y
Jacobs – Types’06, 18/4/’06 – p.5/52
SLIDE 17
Reactive, stream-based programs
Structuring Computations
A reactive program is: XN
Y N
Or, equivalently, XN × N
Y
Involving the Stream Comonad X − → XN × N
Jacobs – Types’06, 18/4/’06 – p.5/52
SLIDE 18
Quantum program
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.6/52
SLIDE 19
Quantum program
Structuring Computations
A possible quantum program is: X × X
[0, 1](Y ×Y )
Jacobs – Types’06, 18/4/’06 – p.6/52
SLIDE 20
Quantum program
Structuring Computations
A possible quantum program is: X × X
[0, 1](Y ×Y )
It is a “superoperator” on “density matrices” (or quantum states)—after Vizotto, Altenkirch, Sabry
Jacobs – Types’06, 18/4/’06 – p.6/52
SLIDE 21
Quantum program
Structuring Computations
A possible quantum program is: X × X
[0, 1](Y ×Y )
It is a “superoperator” on “density matrices” (or quantum states)—after Vizotto, Altenkirch, Sabry It forms an example of an Arrow: computations with unit and composition.
Jacobs – Types’06, 18/4/’06 – p.6/52
SLIDE 22
Overview
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.7/52
SLIDE 23
Overview
Structuring Computations
- Functional: X −
→ Y
Jacobs – Types’06, 18/4/’06 – p.7/52
SLIDE 24
Overview
Structuring Computations
- Functional: X −
→ Y
- Imperative: X −
→ T(Y ), with T monad (including Java programs)
Jacobs – Types’06, 18/4/’06 – p.7/52
SLIDE 25
Overview
Structuring Computations
- Functional: X −
→ Y
- Imperative: X −
→ T(Y ), with T monad (including Java programs)
- Reactive: G(X) −
→ Y , with G comonad
Jacobs – Types’06, 18/4/’06 – p.7/52
SLIDE 26
Overview
Structuring Computations
- Functional: X −
→ Y
- Imperative: X −
→ T(Y ), with T monad (including Java programs)
- Reactive: G(X) −
→ Y , with G comonad
- Quantum: A(X, Y ), with A “arrow”
Jacobs – Types’06, 18/4/’06 – p.7/52
SLIDE 27
- II. Comonads
Jacobs – Types’06, 18/4/’06 – p.8/52
SLIDE 28
Comonads for computations
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.9/52
SLIDE 29
Comonads for computations
Structuring Computations
- Monads are well-established in functional
programming & language semantics
Jacobs – Types’06, 18/4/’06 – p.9/52
SLIDE 30
Comonads for computations
Structuring Computations
- Monads are well-established in functional
programming & language semantics
- But little attention for the dual notion of
comonad . . .
Jacobs – Types’06, 18/4/’06 – p.9/52
SLIDE 31
Comonads for computations
Structuring Computations
- Monads are well-established in functional
programming & language semantics
- But little attention for the dual notion of
comonad . . .
- . . . until Uustalu & Vene recently used them
for structuring reactive/dataflow programming—building on Brookes & Geva
Jacobs – Types’06, 18/4/’06 – p.9/52
SLIDE 32
Comonads for computations
Structuring Computations
- Monads are well-established in functional
programming & language semantics
- But little attention for the dual notion of
comonad . . .
- . . . until Uustalu & Vene recently used them
for structuring reactive/dataflow programming—building on Brookes & Geva
- Slogan: monads structure output,
comonads structure input
Jacobs – Types’06, 18/4/’06 – p.9/52
SLIDE 33
Comonad structure
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.10/52
SLIDE 34
Comonad structure
Structuring Computations
- Categorically: endofunctor G: C → C with
two natural transformations ε: G ⇒ Id and δ: G ⇒ G2 satisfying standard equations
Jacobs – Types’06, 18/4/’06 – p.10/52
SLIDE 35
Comonad structure
Structuring Computations
- Categorically: endofunctor G: C → C with
two natural transformations ε: G ⇒ Id and δ: G ⇒ G2 satisfying standard equations
- Computationally: Type operator G with
- coreturn : GX −
→ X
- cobind : (GX → Y ) −
→ (GX → GY ) satisfying suitable equations
Jacobs – Types’06, 18/4/’06 – p.10/52
SLIDE 36
Comonad structure
Structuring Computations
- Categorically: endofunctor G: C → C with
two natural transformations ε: G ⇒ Id and δ: G ⇒ G2 satisfying standard equations
- Computationally: Type operator G with
- coreturn : GX −
→ X
- cobind : (GX → Y ) −
→ (GX → GY ) satisfying suitable equations
- Logically: structure for weakening and
contraction (like bang ! in linear logic)
Jacobs – Types’06, 18/4/’06 – p.10/52
SLIDE 37
Comonad example
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.11/52
SLIDE 38
Comonad example
Structuring Computations
- Mapping X −
→ XN × N
Jacobs – Types’06, 18/4/’06 – p.11/52
SLIDE 39
Comonad example
Structuring Computations
- Mapping X −
→ XN × N
- Input streams with past / current / future:
x0, x1, . . . , xn−1, xn , xn+1, xn+2, . . .
Jacobs – Types’06, 18/4/’06 – p.11/52
SLIDE 40
Comonad example
Structuring Computations
- Mapping X −
→ XN × N
- Input streams with past / current / future:
x0, x1, . . . , xn−1, xn , xn+1, xn+2, . . .
- Counit / coreturn: XN × N −
→ X (α, n) − → α(n)
Jacobs – Types’06, 18/4/’06 – p.11/52
SLIDE 41
Comonad example
Structuring Computations
- Mapping X −
→ XN × N
- Input streams with past / current / future:
x0, x1, . . . , xn−1, xn , xn+1, xn+2, . . .
- Counit / coreturn: XN × N −
→ X (α, n) − → α(n)
- Delta: XN × N −
→ (XN × N)N × N (α, n) − → (λm: N. (α, m), n)
Jacobs – Types’06, 18/4/’06 – p.11/52
SLIDE 42
coKleisli category of computations
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.12/52
SLIDE 43
coKleisli category of computations
Structuring Computations
- coKleisli maps XN × N −
→ Y form a category
Jacobs – Types’06, 18/4/’06 – p.12/52
SLIDE 44
coKleisli category of computations
Structuring Computations
- coKleisli maps XN × N −
→ Y form a category
- Identity via coreturn; composition via
delta/cobind
Jacobs – Types’06, 18/4/’06 – p.12/52
SLIDE 45
coKleisli category of computations
Structuring Computations
- coKleisli maps XN × N −
→ Y form a category
- Identity via coreturn; composition via
delta/cobind
- Gives output in Y for completely given input
stream of X’s
Jacobs – Types’06, 18/4/’06 – p.12/52
SLIDE 46
coKleisli category of computations
Structuring Computations
- coKleisli maps XN × N −
→ Y form a category
- Identity via coreturn; composition via
delta/cobind
- Gives output in Y for completely given input
stream of X’s
- Basis for dataflow calculus by Uustalu &
Vene (like in Lustre, Lucid)
Jacobs – Types’06, 18/4/’06 – p.12/52
SLIDE 47
Discrete time signals
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.13/52
SLIDE 48
Discrete time signals
Structuring Computations
Three basic comonads:
Jacobs – Types’06, 18/4/’06 – p.13/52
SLIDE 49
Discrete time signals
Structuring Computations
Three basic comonads: X⋆ × X XN × N
causality no future
- anti-causality
no past
XN (α(0),...,α(n−1),α(n)) (α,n)
- λm. α(n+m)
Jacobs – Types’06, 18/4/’06 – p.13/52
SLIDE 50
Discrete time signals
Structuring Computations
Three basic comonads: X⋆ × X XN × N
causality no future
- anti-causality
no past
XN (α(0),...,α(n−1),α(n)) (α,n)
- λm. α(n+m)
with “comonad homomorphisms” between them
Jacobs – Types’06, 18/4/’06 – p.13/52
SLIDE 51
Continuous time signals
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.14/52
SLIDE 52
Continuous time signals
Structuring Computations
Analogues fundamental diagram of comonads:
Jacobs – Types’06, 18/4/’06 – p.14/52
SLIDE 53
Continuous time signals
Structuring Computations
Analogues fundamental diagram of comonads:
- t∈[0,∞)
X[0,t) × X X[0,∞) × [0, ∞)
- X[0,∞)
Jacobs – Types’06, 18/4/’06 – p.14/52
SLIDE 54
Continuous time signals
Structuring Computations
Analogues fundamental diagram of comonads:
- t∈[0,∞)
X[0,t) × X X[0,∞) × [0, ∞)
- X[0,∞)
where:
- t∈[0,∞)
X[0,t) × X ∼ =
- t∈[0,∞)
X[0,t] ∼ = X[0,1] × [0, ∞)
Jacobs – Types’06, 18/4/’06 – p.14/52
SLIDE 55
- III. Arrows
Jacobs – Types’06, 18/4/’06 – p.15/52
SLIDE 56
Arrow overview
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.16/52
SLIDE 57
Arrow overview
Structuring Computations
- Introduced in Haskell by Hughes in 2000, as
common interface extending monads (parser as main example)
Jacobs – Types’06, 18/4/’06 – p.16/52
SLIDE 58
Arrow overview
Structuring Computations
- Introduced in Haskell by Hughes in 2000, as
common interface extending monads (parser as main example)
- Binary type operation A(−, +) with three
- perations: arr, >
> >, first.
Jacobs – Types’06, 18/4/’06 – p.16/52
SLIDE 59
Arrow overview
Structuring Computations
- Introduced in Haskell by Hughes in 2000, as
common interface extending monads (parser as main example)
- Binary type operation A(−, +) with three
- perations: arr, >
> >, first.
- Folklore claim: Arrows are Freyd categories
(Power & Robinson’99)
Jacobs – Types’06, 18/4/’06 – p.16/52
SLIDE 60
Arrow overview
Structuring Computations
- Introduced in Haskell by Hughes in 2000, as
common interface extending monads (parser as main example)
- Binary type operation A(−, +) with three
- perations: arr, >
> >, first.
- Folklore claim: Arrows are Freyd categories
(Power & Robinson’99)
- Recently substantiated by first describing
arrows as monoids in a category of bifunctors Cop × C → Sets
Jacobs – Types’06, 18/4/’06 – p.16/52
SLIDE 61
Arrow in Haskell
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.17/52
SLIDE 62
Arrow in Haskell
Structuring Computations
Introduced as type class:
Jacobs – Types’06, 18/4/’06 – p.17/52
SLIDE 63
Arrow in Haskell
Structuring Computations
Introduced as type class:
class Arrow A where arr :: (X → Y ) → A X Y (> > >) :: A X Y → A Y Z → A X Z first :: A X Y → A (X, Z) (Y, Z)
Jacobs – Types’06, 18/4/’06 – p.17/52
SLIDE 64
Arrow in Haskell
Structuring Computations
Introduced as type class:
class Arrow A where arr :: (X → Y ) → A X Y (> > >) :: A X Y → A Y Z → A X Z first :: A X Y → A (X, Z) (Y, Z)
Which should satisfy 8 equations, such as: (a > > > b) > > > c = a > > > (b > > > c) a > > > arr(1) = a first(arr(f)) = arr(f × 1), etc
Jacobs – Types’06, 18/4/’06 – p.17/52
SLIDE 65
Arrow examples
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.18/52
SLIDE 66
Arrow examples
Structuring Computations
- (X, Y ) −
→ (X → T(Y )), for T monad (X, Y ) − → (G(X) → Y ), for G comonad
Jacobs – Types’06, 18/4/’06 – p.18/52
SLIDE 67
Arrow examples
Structuring Computations
- (X, Y ) −
→ (X → T(Y )), for T monad (X, Y ) − → (G(X) → Y ), for G comonad
- (X, Y ) −
→ (X × X → [0, 1](Y ×Y )) for quantum computation
Jacobs – Types’06, 18/4/’06 – p.18/52
SLIDE 68
Arrow examples
Structuring Computations
- (X, Y ) −
→ (X → T(Y )), for T monad (X, Y ) − → (G(X) → Y ), for G comonad
- (X, Y ) −
→ (X × X → [0, 1](Y ×Y )) for quantum computation
- (X, Y ) −
→ (XN → P(Y N)) for “non-deterministic dataflow”
Jacobs – Types’06, 18/4/’06 – p.18/52
SLIDE 69
Arrow examples
Structuring Computations
- (X, Y ) −
→ (X → T(Y )), for T monad (X, Y ) − → (G(X) → Y ), for G comonad
- (X, Y ) −
→ (X × X → [0, 1](Y ×Y )) for quantum computation
- (X, Y ) −
→ (XN → P(Y N)) for “non-deterministic dataflow”
- (X, Y ) −
→ (2 × S⋆)× ((S⋆ × X) → (1 + (S⋆ × Y ))) for Swierstra-Duponcheel parser that motivated Hughes
Jacobs – Types’06, 18/4/’06 – p.18/52
SLIDE 70
Arrows, categorically
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.19/52
SLIDE 71
Arrows, categorically
Structuring Computations
- A is functorial: for f: X′ → X and g: Y → Y ′,
A(X, Y ) A(f, g)
A(X′, Y ′)
a
arr(f) >
> > a > > > arr(g)
Jacobs – Types’06, 18/4/’06 – p.19/52
SLIDE 72
Arrows, categorically
Structuring Computations
- A is functorial: for f: X′ → X and g: Y → Y ′,
A(X, Y ) A(f, g)
A(X′, Y ′)
a
arr(f) >
> > a > > > arr(g)
- arr: (+)(−) → A(−, +) is natural
transformation (natro, for short)
Jacobs – Types’06, 18/4/’06 – p.19/52
SLIDE 73
Arrows, categorically
Structuring Computations
- A is functorial: for f: X′ → X and g: Y → Y ′,
A(X, Y ) A(f, g)
A(X′, Y ′)
a
arr(f) >
> > a > > > arr(g)
- arr: (+)(−) → A(−, +) is natural
transformation (natro, for short)
- >
> > is natro A ⊗ A → A, for tensor product of distributors / profunctors
Jacobs – Types’06, 18/4/’06 – p.19/52
SLIDE 74
Arrows, categorically
Structuring Computations
- A is functorial: for f: X′ → X and g: Y → Y ′,
A(X, Y ) A(f, g)
A(X′, Y ′)
a
arr(f) >
> > a > > > arr(g)
- arr: (+)(−) → A(−, +) is natural
transformation (natro, for short)
- >
> > is natro A ⊗ A → A, for tensor product of distributors / profunctors
- first corresponds to “internal strength”
Jacobs – Types’06, 18/4/’06 – p.19/52
SLIDE 75
Excurs: monoid in a category
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.20/52
SLIDE 76
Excurs: monoid in a category
Structuring Computations
- Standardly, a monoid is a set M with
associative m: M × M → M and two-sided unit e: 1 → M
Jacobs – Types’06, 18/4/’06 – p.20/52
SLIDE 77
Excurs: monoid in a category
Structuring Computations
- Standardly, a monoid is a set M with
associative m: M × M → M and two-sided unit e: 1 → M
- Can be formulated in category with finite
products (1, ×): equations become diagrams
Jacobs – Types’06, 18/4/’06 – p.20/52
SLIDE 78
Excurs: monoid in a category
Structuring Computations
- Standardly, a monoid is a set M with
associative m: M × M → M and two-sided unit e: 1 → M
- Can be formulated in category with finite
products (1, ×): equations become diagrams
- No projections/diagonals needed: also in
monoidal category with (I, ⊗). Eg. M ⊗ M m M ⊗ I 1 ⊗ e
- M
- ∼
=
- ∼
= I ⊗ Me ⊗ 1
M ⊗ M
m
- M
M
Jacobs – Types’06, 18/4/’06 – p.20/52
SLIDE 79
Excurs: monads are monoids
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.21/52
SLIDE 80
Excurs: monads are monoids
Structuring Computations
- The functor category CC is monoidal:
F ⊗ G = F ◦ G I = Id
Jacobs – Types’06, 18/4/’06 – p.21/52
SLIDE 81
Excurs: monads are monoids
Structuring Computations
- The functor category CC is monoidal:
F ⊗ G = F ◦ G I = Id
- A monoid in CC is a functor M: C → C with
natros: M ⊗ M µ
M
Id η
- M ◦ M
satisfying the monoid equations
Jacobs – Types’06, 18/4/’06 – p.21/52
SLIDE 82
Excurs: monads are monoids
Structuring Computations
- The functor category CC is monoidal:
F ⊗ G = F ◦ G I = Id
- A monoid in CC is a functor M: C → C with
natros: M ⊗ M µ
M
Id η
- M ◦ M
satisfying the monoid equations
- A monoid in CC is precisely a monad!
Jacobs – Types’06, 18/4/’06 – p.21/52
SLIDE 83
Arrows are also monoids
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.22/52
SLIDE 84
Arrows are also monoids
Structuring Computations
- Arrows are monoids in category of bifunctors
Cop × C → Sets
Jacobs – Types’06, 18/4/’06 – p.22/52
SLIDE 85
Arrows are also monoids
Structuring Computations
- Arrows are monoids in category of bifunctors
Cop × C → Sets
- Tensor ⊗ more complicated, with
exponentiation/hom as unit
Jacobs – Types’06, 18/4/’06 – p.22/52
SLIDE 86
Arrows are also monoids
Structuring Computations
- Arrows are monoids in category of bifunctors
Cop × C → Sets
- Tensor ⊗ more complicated, with
exponentiation/hom as unit
- Allows for precise comparison with Freyd
categories (bijective correspondence)
Jacobs – Types’06, 18/4/’06 – p.22/52
SLIDE 87
Arrows are also monoids
Structuring Computations
- Arrows are monoids in category of bifunctors
Cop × C → Sets
- Tensor ⊗ more complicated, with
exponentiation/hom as unit
- Allows for precise comparison with Freyd
categories (bijective correspondence)
- Details in Heunen & Jacobs, MFPS’06.
Jacobs – Types’06, 18/4/’06 – p.22/52
SLIDE 88
Arrows, intuitively
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.23/52
SLIDE 89
Arrows, intuitively
Structuring Computations
- Most fundamental mathematical structure in
computing?
Jacobs – Types’06, 18/4/’06 – p.23/52
SLIDE 90
Arrows, intuitively
Structuring Computations
- Most fundamental mathematical structure in
computing?
- Monoid (A, ; , skip) of programs/actions
A ∈ Sets with sequential composition
Jacobs – Types’06, 18/4/’06 – p.23/52
SLIDE 91
Arrows, intuitively
Structuring Computations
- Most fundamental mathematical structure in
computing?
- Monoid (A, ; , skip) of programs/actions
A ∈ Sets with sequential composition
- Adding input and output makes A(−, +)
binary operator
Jacobs – Types’06, 18/4/’06 – p.23/52
SLIDE 92
Arrows, intuitively
Structuring Computations
- Most fundamental mathematical structure in
computing?
- Monoid (A, ; , skip) of programs/actions
A ∈ Sets with sequential composition
- Adding input and output makes A(−, +)
binary operator
- Hence carrier A becomes bifunctor
Cop × C → Sets
Jacobs – Types’06, 18/4/’06 – p.23/52
SLIDE 93
Arrows, intuitively
Structuring Computations
- Most fundamental mathematical structure in
computing?
- Monoid (A, ; , skip) of programs/actions
A ∈ Sets with sequential composition
- Adding input and output makes A(−, +)
binary operator
- Hence carrier A becomes bifunctor
Cop × C → Sets
- Keeping the monoid structure leads to
Hughes’ Arrow
Jacobs – Types’06, 18/4/’06 – p.23/52
SLIDE 94
- IV. Monads
Jacobs – Types’06, 18/4/’06 – p.24/52
SLIDE 95
Monad overview
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.25/52
SLIDE 96
Monad overview
Structuring Computations
- Introduced by Moggi (1991), popularised in
functional programming by Wadler
Jacobs – Types’06, 18/4/’06 – p.25/52
SLIDE 97
Monad overview
Structuring Computations
- Introduced by Moggi (1991), popularised in
functional programming by Wadler
- for structuring outputs / computational effects
Jacobs – Types’06, 18/4/’06 – p.25/52
SLIDE 98
Monad overview
Structuring Computations
- Introduced by Moggi (1991), popularised in
functional programming by Wadler
- for structuring outputs / computational effects
- Standard examples:
- lift / maybe 1 + (−)
- exception E + (−)
- list (−)⋆
- state (− × S)S
- non-determinism P (powerset)
- probability D (distribution)
Jacobs – Types’06, 18/4/’06 – p.25/52
SLIDE 99
Java monad
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.26/52
SLIDE 100
Java monad
Structuring Computations
- Definition [Jacobs & Poll’03]:
J(X) = (1 + S × X + S × E)S
Jacobs – Types’06, 18/4/’06 – p.26/52
SLIDE 101
Java monad
Structuring Computations
- Definition [Jacobs & Poll’03]:
J(X) = (1 + S × X + S × E)S
- Combination of state, lift, exception monad
Jacobs – Types’06, 18/4/’06 – p.26/52
SLIDE 102
Java monad
Structuring Computations
- Definition [Jacobs & Poll’03]:
J(X) = (1 + S × X + S × E)S
- Combination of state, lift, exception monad
- Actual “abnormal” termination in Java more
complicated: exceptions, return, break, continue
Jacobs – Types’06, 18/4/’06 – p.26/52
SLIDE 103
Java monad
Structuring Computations
- Definition [Jacobs & Poll’03]:
J(X) = (1 + S × X + S × E)S
- Combination of state, lift, exception monad
- Actual “abnormal” termination in Java more
complicated: exceptions, return, break, continue
- Exception mechanism (plus logic)
axiomatised as equaliser by [Schröder & Mossakowski]
Jacobs – Types’06, 18/4/’06 – p.26/52
SLIDE 104
Kleisli composition for Java monad
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.27/52
SLIDE 105
Kleisli composition for Java monad
Structuring Computations
- Kleisli composition for J is “argument
evaluation, before use” (and not sequential composition ; )
Jacobs – Types’06, 18/4/’06 – p.27/52
SLIDE 106
Kleisli composition for Java monad
Structuring Computations
- Kleisli composition for J is “argument
evaluation, before use” (and not sequential composition ; )
- For a: X → J(Y ), and p: Y → J(Z),
p • a = λx: X. λs: S. CASES a x s OF ∗ − → ∗ // non-termination (s′, y) − → p y s′ // normal termination (s′, e) − → (s′, e) // except. termination
Jacobs – Types’06, 18/4/’06 – p.27/52
SLIDE 107
- V. Java program verification
(at Nijmegen)
Jacobs – Types’06, 18/4/’06 – p.28/52
SLIDE 108
Developments
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.29/52
SLIDE 109
Developments
Structuring Computations
- Original focus: theorem proving for small
Java programs (for smart cards)
Jacobs – Types’06, 18/4/’06 – p.29/52
SLIDE 110
Developments
Structuring Computations
- Original focus: theorem proving for small
Java programs (for smart cards)
- Outcome:
- No scaling beyond couple of pages
- Practical experience, formalisations &
deeper theory
Jacobs – Types’06, 18/4/’06 – p.29/52
SLIDE 111
Developments
Structuring Computations
- Original focus: theorem proving for small
Java programs (for smart cards)
- Outcome:
- No scaling beyond couple of pages
- Practical experience, formalisations &
deeper theory
- Shift of focus:
- Extension to security properties (esp.
confidentiality)
- Static checking primary, theorem proving
secondary
Jacobs – Types’06, 18/4/’06 – p.29/52
SLIDE 112
JML: Java Modeling Language
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.30/52
SLIDE 113
JML: Java Modeling Language
Structuring Computations
JML [Leavens et al.] adds specifications as special comments in Java code, mainly for:
Jacobs – Types’06, 18/4/’06 – p.30/52
SLIDE 114
JML: Java Modeling Language
Structuring Computations
JML [Leavens et al.] adds specifications as special comments in Java code, mainly for:
- Class invariants and constraints
Jacobs – Types’06, 18/4/’06 – p.30/52
SLIDE 115
JML: Java Modeling Language
Structuring Computations
JML [Leavens et al.] adds specifications as special comments in Java code, mainly for:
- Class invariants and constraints
- Method specifications:
/*@ behavior @ requires <precondition> @ assignable <items that may be modified> @ diverges <precondition for non-termination> @ ensures <postcond for normal termination> @ signals <postcond for exceptional @ termination> @*/ void method() { ... }
Jacobs – Types’06, 18/4/’06 – p.30/52
SLIDE 116
JML: example
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.31/52
SLIDE 117
JML: example
Structuring Computations
JML method specifications may clarify the behaviour of Java methods:
Jacobs – Types’06, 18/4/’06 – p.31/52
SLIDE 118
JML: example
Structuring Computations
JML method specifications may clarify the behaviour of Java methods:
int f(int x) { int count = 0, sum = 1; while (sum <= x) { count++; sum += 2 * count + 1; } return count;
}
Jacobs – Types’06, 18/4/’06 – p.31/52
SLIDE 119
JML: example
Structuring Computations
JML method specifications may clarify the behaviour of Java methods:
/*@ normal_behavior @ requires x >= 0; @ assignable \nothing; @ ensures \result * \result <= x && @ x < (\result+1) * (\result+1); @*/ int f(int x) { int count = 0, sum = 1; while (sum <= x) { count++; sum += 2 * count + 1; } return count;
}
Jacobs – Types’06, 18/4/’06 – p.31/52
SLIDE 120
LOOP project
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.32/52
SLIDE 121
LOOP project
Structuring Computations
- LOOP tool: compiles Java+JML to PVS
Jacobs – Types’06, 18/4/’06 – p.32/52
SLIDE 122
LOOP project
Structuring Computations
- LOOP tool: compiles Java+JML to PVS
- Based on formalised semantics of Java+JML
in PVS
Jacobs – Types’06, 18/4/’06 – p.32/52
SLIDE 123
LOOP project
Structuring Computations
- LOOP tool: compiles Java+JML to PVS
- Based on formalised semantics of Java+JML
in PVS
- Including Hoare logic (see later) &
WP-reasoner (all with provably sound rules)
Jacobs – Types’06, 18/4/’06 – p.32/52
SLIDE 124
LOOP project
Structuring Computations
- LOOP tool: compiles Java+JML to PVS
- Based on formalised semantics of Java+JML
in PVS
- Including Hoare logic (see later) &
WP-reasoner (all with provably sound rules)
- Used for several non-trivial case studies, but
now in “sleep mode”
Jacobs – Types’06, 18/4/’06 – p.32/52
SLIDE 125
LOOP project
Structuring Computations
- LOOP tool: compiles Java+JML to PVS
- Based on formalised semantics of Java+JML
in PVS
- Including Hoare logic (see later) &
WP-reasoner (all with provably sound rules)
- Used for several non-trivial case studies, but
now in “sleep mode”
- Static checking is simply more effective;
theorem proving best for difficult left-overs.
Jacobs – Types’06, 18/4/’06 – p.32/52
SLIDE 126
- VI. Static Checking for Java
Jacobs – Types’06, 18/4/’06 – p.33/52
SLIDE 127
ESC/Java and ESC/Java2
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.34/52
SLIDE 128
ESC/Java and ESC/Java2
Structuring Computations
Extended static checker: original ESC/Java by Leino et. al at Compaq, but no longer supported.
Jacobs – Types’06, 18/4/’06 – p.34/52
SLIDE 129
ESC/Java and ESC/Java2
Structuring Computations
Extended static checker: original ESC/Java by Leino et. al at Compaq, but no longer supported.
- tries to prove correctness of specifications,
at compile-time, fully automatically
Jacobs – Types’06, 18/4/’06 – p.34/52
SLIDE 130
ESC/Java and ESC/Java2
Structuring Computations
Extended static checker: original ESC/Java by Leino et. al at Compaq, but no longer supported.
- tries to prove correctness of specifications,
at compile-time, fully automatically
- not sound, not complete, but finds lots of
potential bugs quickly
Jacobs – Types’06, 18/4/’06 – p.34/52
SLIDE 131
ESC/Java and ESC/Java2
Structuring Computations
Extended static checker: original ESC/Java by Leino et. al at Compaq, but no longer supported.
- tries to prove correctness of specifications,
at compile-time, fully automatically
- not sound, not complete, but finds lots of
potential bugs quickly
- Original ESC/Java only supports a (not fully
compatible) subset of full JML
Jacobs – Types’06, 18/4/’06 – p.34/52
SLIDE 132
ESC/Java and ESC/Java2
Structuring Computations
Extended static checker: original ESC/Java by Leino et. al at Compaq, but no longer supported.
- tries to prove correctness of specifications,
at compile-time, fully automatically
- not sound, not complete, but finds lots of
potential bugs quickly
- Original ESC/Java only supports a (not fully
compatible) subset of full JML
- New ESC/Java2 is open source, compatible
and handles more (eg. assignable clauses).
Jacobs – Types’06, 18/4/’06 – p.34/52
SLIDE 133
ESC/Java “demo”
Structuring Computations
class Bag { int[] a; int n; int extractMin() { int m = Integer.MAX_VALUE; int mindex = 0; for (int i = 1; i <= n; i++) { if (a[i] < m) { mindex = i; m = a[i]; } } n--; a[mindex] = a[n]; return m; }
Jacobs – Types’06, 18/4/’06 – p.35/52
SLIDE 134
ESC/Java “demo”
Structuring Computations
class Bag { int[] a; int n; int extractMin() { int m = Integer.MAX_VALUE; int mindex = 0; for (int i = 1; i <= n; i++) { if (a[i] < m) { mindex = i; m = a[i]; } } n--; a[mindex] = a[n]; return m; }
Warning: possible null deference. Plus other warnings
Jacobs – Types’06, 18/4/’06 – p.36/52
SLIDE 135
ESC/Java “demo”
Structuring Computations
class Bag { int[] a; //@ invariant a != null; int n; int extractMin() { int m = Integer.MAX_VALUE; int mindex = 0; for (int i = 1; i <= n; i++) { if (a[i] < m) { mindex = i; m = a[i]; } } n--; a[mindex] = a[n]; return m; }
Jacobs – Types’06, 18/4/’06 – p.37/52
SLIDE 136
ESC/Java “demo”
Structuring Computations
class Bag { int[] a; //@ invariant a != null; int n; int extractMin() { int m = Integer.MAX_VALUE; int mindex = 0; for (int i = 1; i <= n; i++) { if (a[i] < m) { mindex = i; m = a[i]; } } n--; a[mindex] = a[n]; return m; }
Warning: Array index possibly too large
Jacobs – Types’06, 18/4/’06 – p.38/52
SLIDE 137
ESC/Java “demo”
Structuring Computations
class Bag { int[] a; //@ invariant a != null; int n; //@ invariant 0 <= n && n <= a.length; int extractMin() { int m = Integer.MAX_VALUE; int mindex = 0; for (int i = 1; i <= n; i++) { if (a[i] < m) { mindex = i; m = a[i]; } } n--; a[mindex] = a[n]; return m; }
Jacobs – Types’06, 18/4/’06 – p.39/52
SLIDE 138
ESC/Java “demo”
Structuring Computations
class Bag { int[] a; //@ invariant a != null; int n; //@ invariant 0 <= n && n <= a.length; int extractMin() { int m = Integer.MAX_VALUE; int mindex = 0; for (int i = 1; i <= n; i++) { if (a[i] < m) { mindex = i; m = a[i]; } } n--; a[mindex] = a[n]; return m; }
Warning: Array index possibly too large
Jacobs – Types’06, 18/4/’06 – p.40/52
SLIDE 139
ESC/Java “demo”
Structuring Computations
class Bag { int[] a; //@ invariant a != null; int n; //@ invariant 0 <= n && n <= a.length; int extractMin() { int m = Integer.MAX_VALUE; int mindex = 0; for (int i = 0; i < n; i++) { if (a[i] < m) { mindex = i; m = a[i]; } } n--; a[mindex] = a[n]; return m; }
Jacobs – Types’06, 18/4/’06 – p.41/52
SLIDE 140
ESC/Java “demo”
Structuring Computations
class Bag { int[] a; //@ invariant a != null; int n; //@ invariant 0 <= n && n <= a.length; int extractMin() { int m = Integer.MAX_VALUE; int mindex = 0; for (int i = 0; i < n; i++) { if (a[i] < m) { mindex = i; m = a[i]; } } n--; a[mindex] = a[n]; return m; }
Warning: Possible negative array index
Jacobs – Types’06, 18/4/’06 – p.42/52
SLIDE 141
ESC/Java “demo”
Structuring Computations
class Bag { int[] a; //@ invariant a != null; int n; //@ invariant 0 <= n && n <= a.length; //@ requires n > 0; int extractMin() { int m = Integer.MAX_VALUE; int mindex = 0; for (int i = 0; i < n; i++) { if (a[i] < m) { mindex = i; m = a[i]; } } n--; a[mindex] = a[n]; return m; }
Jacobs – Types’06, 18/4/’06 – p.43/52
SLIDE 142
ESC/Java “demo”
Structuring Computations
class Bag { int[] a; //@ invariant a != null; int n; //@ invariant 0 <= n && n <= a.length; //@ requires n > 0; int extractMin() { int m = Integer.MAX_VALUE; int mindex = 0; for (int i = 0; i < n; i++) { if (a[i] < m) { mindex = i; m = a[i]; } } n--; a[mindex] = a[n]; return m; }
No more warnings about this code
Jacobs – Types’06, 18/4/’06 – p.44/52
SLIDE 143
ESC/Java “demo”
Structuring Computations
class Bag { int[] a; //@ invariant a != null; int n; //@ invariant 0 <= n && n <= a.length; //@ requires n > 0; int extractMin() { int m = Integer.MAX_VALUE; int mindex = 0; for (int i = 0; i < n; i++) { if (a[i] < m) { mindex = i; m = a[i]; } } n--; a[mindex] = a[n]; return m; }
. . . but warnings about calls to extractMin() that do not ensure precondition : design by contract
Jacobs – Types’06, 18/4/’06 – p.45/52
SLIDE 144
- VII. Hoare logic for JML
Jacobs – Types’06, 18/4/’06 – p.46/52
SLIDE 145
Hoare logic issues for Java & JML
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.47/52
SLIDE 146
Hoare logic issues for Java & JML
Structuring Computations
- Complications in Hoare logic for Java:
- exceptions and other abrupt control flow
- expressions may have side effects
Jacobs – Types’06, 18/4/’06 – p.47/52
SLIDE 147
Hoare logic issues for Java & JML
Structuring Computations
- Complications in Hoare logic for Java:
- exceptions and other abrupt control flow
- expressions may have side effects
- Thus:
- not Hoare triples but Hoare n-tuples,
- both for statements & expressions
Jacobs – Types’06, 18/4/’06 – p.47/52
SLIDE 148
Hoare Logic assertions
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.48/52
SLIDE 149
Hoare Logic assertions
Structuring Computations
For { Pre } m { Post } write
- requires = Pre
statement = m ensures = Post
- Jacobs – Types’06, 18/4/’06 – p.48/52
SLIDE 150
Hoare Logic assertions
Structuring Computations
For { Pre } m { Post } write
- requires = Pre
statement = m ensures = Post
- For JML one needs:
diverges = D requires = Pre statement = m ensures = Post signals = S
Jacobs – Types’06, 18/4/’06 – p.48/52
SLIDE 151
Hoare composition Rule
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.49/52
SLIDE 152
Hoare composition Rule
Structuring Computations
diverges = λx. b requires = Pre statement = s1 ensures = Q signals = S diverges = λx. b requires = Q statement = s2 ensures = Post signals = S diverges = λx. b requires = Pre statement = s1 ; s2 ensures = Post signals = S
Jacobs – Types’06, 18/4/’06 – p.49/52
SLIDE 153
Hoare composition Rule
Structuring Computations
diverges = λx. b requires = Pre statement = s1 ensures = Q signals = S diverges = λx. b requires = Q statement = s2 ensures = Post signals = S diverges = λx. b requires = Pre statement = s1 ; s2 ensures = Post signals = S Intermediate predicate provided by the user in JML
Jacobs – Types’06, 18/4/’06 – p.49/52
SLIDE 154
Use of the Hoare logic
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.50/52
SLIDE 155
Use of the Hoare logic
Structuring Computations
- Actual use seems clumsy, but PVS takes
care of the bookkeeping
Jacobs – Types’06, 18/4/’06 – p.50/52
SLIDE 156
Use of the Hoare logic
Structuring Computations
- Actual use seems clumsy, but PVS takes
care of the bookkeeping
- This logic forms basis for semantics of JML
Jacobs – Types’06, 18/4/’06 – p.50/52
SLIDE 157
- VIII. Conclusions
Jacobs – Types’06, 18/4/’06 – p.51/52
SLIDE 158
Main points
Structuring Computations
Jacobs – Types’06, 18/4/’06 – p.52/52
SLIDE 159
Main points
Structuring Computations
- There is mathematical uniformity & elegance
in the structure of computation
Jacobs – Types’06, 18/4/’06 – p.52/52
SLIDE 160
Main points
Structuring Computations
- There is mathematical uniformity & elegance
in the structure of computation
- Main notions: monad / comonad / arrow
Jacobs – Types’06, 18/4/’06 – p.52/52
SLIDE 161
Main points
Structuring Computations
- There is mathematical uniformity & elegance
in the structure of computation
- Main notions: monad / comonad / arrow
- This elegance is not completely lost in
concrete languages / systems
Jacobs – Types’06, 18/4/’06 – p.52/52
SLIDE 162
Main points
Structuring Computations
- There is mathematical uniformity & elegance
in the structure of computation
- Main notions: monad / comonad / arrow
- This elegance is not completely lost in
concrete languages / systems
- For our Java work: practice preceded theory
Jacobs – Types’06, 18/4/’06 – p.52/52
SLIDE 163
Main points
Structuring Computations
- There is mathematical uniformity & elegance
in the structure of computation
- Main notions: monad / comonad / arrow
- This elegance is not completely lost in
concrete languages / systems
- For our Java work: practice preceded theory
- Theorem proving cannot beat static checking
in program verification
Jacobs – Types’06, 18/4/’06 – p.52/52
SLIDE 164
Main points
Structuring Computations
- There is mathematical uniformity & elegance
in the structure of computation
- Main notions: monad / comonad / arrow
- This elegance is not completely lost in
concrete languages / systems
- For our Java work: practice preceded theory
- Theorem proving cannot beat static checking
in program verification Thanks for your attention!
Jacobs – Types’06, 18/4/’06 – p.52/52