640 likes | 790 Views
Billiejoe (Nathaniel) Charlton University of Sussex. Hoare logic for higher order store using simple semantics. WoLLIC 2011. Outline. What is higher order store (HOS) ? introduce a minimal programming language with HOS. Outline. What is higher order store (HOS) ?
E N D
Billiejoe (Nathaniel) Charlton University of Sussex Hoare logic for higher order store using simple semantics WoLLIC 2011
Outline • What is higher order store (HOS)? • introduce a minimal programming language with HOS
Outline • What is higher order store (HOS)? • introduce a minimal programming language with HOS • Show an existing Hoare logic for reasoning about this minimal HOS language (Reus and Streicher, ICALP 2005) • Look at a correctness proof for a small program
Outline • What is higher order store (HOS)? • introduce a minimal programming language with HOS • Show an existing Hoare logic for reasoning about this minimal HOS language (Reus and Streicher, ICALP 2005) • Look at a correctness proof for a small program • Point out some disagreeable things about Reus and Streicher’s logic • These stem from the unnecessary use of domain theory
Outline • What is higher order store (HOS)? • introduce a minimal programming language with HOS • Show an existing Hoare logic for reasoning about this minimal HOS language (Reus and Streicher, ICALP 2005) • Look at a correctness proof for a small program • Point out some disagreeable things about Reus and Streicher’s logic • These stem from the unnecessary use of domain theory • Give a simpler alternative construction which addresses these issues • “Get a better logic for less work”
What is higher order store? • A programming language is said to feature HOS when: • a program’s code / commands / procedures are part of the mutable store which the program manipulates as it runs
What is higher order store? • A programming language is said to feature HOS when: • a program’s code / commands / procedures are part of the mutable store which the program manipulates as it runs • So HOS programs can modify their own code while running
What is higher order store? • A programming language is said to feature HOS when: • a program’s code / commands / procedures are part of the mutable store which the program manipulates as it runs • So HOS programs can modify their own code while running • Where does HOS occur? • in functional languages with mutable state e.g. ML • dynamic loading and unloading of code e.g. plugins • “hot update” – updating a program while it is running • runtime code generation
A minimal language with HOS Quote turns a command, unexecuted, into a value which can be stored
A minimal language with HOS Quote turns a command, unexecuted, into a value which can be stored run command is used to invoke commands which were stored previously
Example HOS programs • This program sets up a non-terminating recursion:
Example HOS programs • This program sets up a non-terminating recursion: • This is “recursion through the store” or “Landin’s knot” (which allegedly is one reason HOS causes complications)
Example HOS programs • This program sets up a non-terminating recursion: • This is “recursion through the store” or “Landin’s knot” (which allegedly is one reason HOS causes complications)
Example HOS programs • This program sets up a non-terminating recursion: • This is “recursion through the store” or “Landin’s knot” (which allegedly is one reason HOS causes complications) • Here we store in x a command which will overwrite itself when run:
Example HOS programs • This program sets up a non-terminating recursion: • This is “recursion through the store” or “Landin’s knot” (which allegedly is one reason HOS causes complications) • Here we store in x a command which will overwrite itself when run:
Reus and Streicher’s logic • Boils down to three new proof rules to deal with HOS (ICALP, 2005). • Main judgement used in proofs: • If k = 0 write . Let mean and . Context consisting of a bunch of assumptions; each assumption is a Hoare triple Hoare triple which holds in the given context
Proof rules for HOS R = “Run”: Used when we know exactly which code we are going to invoke
Proof rules for HOS H = “Hypothesis”: Allows us to use a hypothesis, from the context, about how some code works (p is an auxiliary variable)
Proof rules for HOS mu for (mutual) recursion: when proving that C and D “work”, we can assume that recursive invocations of C and D “work”!
An example proof Define: Then the following program searches for a square root of m:
An example proof Define: Then the following program searches for a square root of m:
An example proof Define: Then the following program searches for a square root of m:
An example proof Define: Then the following program searches for a square root of m:
An example proof Define: Then the following program searches for a square root of m:
An example proof Define: Then the following program searches for a square root of m:
An example proof Define: Then the following program searches for a square root of m:
An example proof Now we need to use the mu rule to deal with the recursion
An example proof Now we need to use the mu rule to deal with the recursion This is the instance to use:
An example proof Now we need to use the mu rule to deal with the recursion This is the instance to use: To finish, we must prove the premises...
Finishing the proof This is an instance of the H rule so we are done.
Semantics using domain theory • Reus and Streicher (ICALP, 2005) proved rules R, H and mu sound. • Theirmodel looks like this: • These equations are recursive so domain theory is used
Disagreeable aspects of existing work • However some things are not so nice: • Semantic setup is (relatively) complicated, due to domain theory
Disagreeable aspects of existing work • However some things are not so nice: • Semantic setup is (relatively) complicated, due to domain theory • Thus soundness proofs are (relatively) complicated, depending on domain-theoretic results by Andrew Pitts
Disagreeable aspects of existing work • However some things are not so nice: • Semantic setup is (relatively) complicated, due to domain theory • Thus soundness proofs are (relatively) complicated, depending on domain-theoretic results by Andrew Pitts • All three new rules have inexplicable “downwards closure” side-conditions (not shown in this talk) where the domain theory leaks out into the logic
Disagreeable aspects of existing work • However some things are not so nice: • Semantic setup is (relatively) complicated, due to domain theory • Thus soundness proofs are (relatively) complicated, depending on domain-theoretic results by Andrew Pitts • All three new rules have inexplicable “downwards closure” side-conditions (not shown in this talk) where the domain theory leaks out into the logic • Adding non-deterministic program statements breaks the theory
Disagreeable aspects of existing work • However some things are not so nice: • Semantic setup is (relatively) complicated, due to domain theory • Thus soundness proofs are (relatively) complicated, depending on domain-theoretic results by Andrew Pitts • All three new rules have inexplicable “downwards closure” side-conditions (not shown in this talk) where the domain theory leaks out into the logic • Adding non-deterministic program statements breaks the theory • Testing syntactic equality between commands is not allowed
Disagreeable aspects of existing work • However some things are not so nice: • Semantic setup is (relatively) complicated, due to domain theory • Thus soundness proofs are (relatively) complicated, depending on domain-theoretic results by Andrew Pitts • All three new rules have inexplicable “downwards closure” side-conditions (not shown in this talk) where the domain theory leaks out into the logic • Adding non-deterministic program statements breaks the theory • Testing syntactic equality between commands is not allowed • Rest of this talk: Fix these issues with a simple construction.
Simpler semantics • Stores and environments (for auxiliary variables) have simple types: • (Syntactic) commands encoded using a bijection • Evaluation of expressions:
Simpler semantics • Small-step execution relation for commands:
Simpler semantics • Small-step execution relation for commands:
Simpler semantics • Small-step execution relation for commands: Read integer value from the store, decode it back into a syntactic command, and run
Assertions: • Interpretation is completely standard
Assertions: • Interpretation is completely standard • Interpretation of Hoare triples: means: in environment rho, any completed execution of e starting in a P-state, and containing n or fewer steps, ends in a Q-state.
Assertions: • Interpretation is completely standard • Interpretation of Hoare triples: Formally: means: in environment rho, any completed execution of e starting in a P-state, and containing n or fewer steps, ends in a Q-state.