Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hoare logic for higher order store using simple semantics Billiejoe (Nathaniel) Charlton University of Sussex WoLLIC 2011.

Published bySabina Dorsey Modified over 8 years ago

Similar presentations

Presentation on theme: "Hoare logic for higher order store using simple semantics Billiejoe (Nathaniel) Charlton University of Sussex WoLLIC 2011."— Presentation transcript:

1 Hoare logic for higher order store using simple semantics Billiejoe (Nathaniel) Charlton University of Sussex WoLLIC 2011

2 Outline What is higher order store (HOS)? -introduce a minimal programming language with HOS

3 Outline What is higher order store (HOS)? -introduce a minimal programming language with HOS Show an existing Hoare logic for reasoning about this minimal HOS language (Reus and Streicher, ICALP 2005) -Look at a correctness proof for a small program

4 Outline What is higher order store (HOS)? -introduce a minimal programming language with HOS Show an existing Hoare logic for reasoning about this minimal HOS language (Reus and Streicher, ICALP 2005) -Look at a correctness proof for a small program Point out some disagreeable things about Reus and Streicher’s logic -These stem from the unnecessary use of domain theory

5 Outline What is higher order store (HOS)? -introduce a minimal programming language with HOS Show an existing Hoare logic for reasoning about this minimal HOS language (Reus and Streicher, ICALP 2005) -Look at a correctness proof for a small program Point out some disagreeable things about Reus and Streicher’s logic -These stem from the unnecessary use of domain theory Give a simpler alternative construction which addresses these issues -“Get a better logic for less work”

6 What is higher order store? A programming language is said to feature HOS when: a program’s code / commands / procedures are part of the mutable store which the program manipulates as it runs

7 What is higher order store? A programming language is said to feature HOS when: a program’s code / commands / procedures are part of the mutable store which the program manipulates as it runs So HOS programs can modify their own code while running

8 What is higher order store? A programming language is said to feature HOS when: a program’s code / commands / procedures are part of the mutable store which the program manipulates as it runs So HOS programs can modify their own code while running Where does HOS occur? -in functional languages with mutable state e.g. ML -dynamic loading and unloading of code e.g. plugins -“hot update” – updating a program while it is running -runtime code generation

9 A minimal language with HOS

10 Quote turns a command, unexecuted, into a value which can be stored

11 A minimal language with HOS Quote turns a command, unexecuted, into a value which can be stored run command is used to invoke commands which were stored previously

12 This program sets up a non-terminating recursion: Example HOS programs

13 This program sets up a non-terminating recursion: This is “recursion through the store” or “Landin’s knot” (which allegedly is one reason HOS causes complications) Example HOS programs

14 This program sets up a non-terminating recursion: This is “recursion through the store” or “Landin’s knot” (which allegedly is one reason HOS causes complications) Example HOS programs

15 This program sets up a non-terminating recursion: This is “recursion through the store” or “Landin’s knot” (which allegedly is one reason HOS causes complications) Here we store in x a command which will overwrite itself when run: Example HOS programs

16 This program sets up a non-terminating recursion: This is “recursion through the store” or “Landin’s knot” (which allegedly is one reason HOS causes complications) Here we store in x a command which will overwrite itself when run: Example HOS programs

17 Reus and Streicher’s logic Boils down to three new proof rules to deal with HOS (ICALP, 2005). Main judgement used in proofs: If k = 0 write. Let mean and. Context consisting of a bunch of assumptions; each assumption is a Hoare triple Hoare triple which holds in the given context

18 Proof rules for HOS R = “Run”: Used when we know exactly which code we are going to invoke

19 Proof rules for HOS H = “Hypothesis”: Allows us to use a hypothesis, from the context, about how some code works (p is an auxiliary variable)

20 Proof rules for HOS mu for (mutual) recursion: when proving that C and D “work”, we can assume that recursive invocations of C and D “work”!

21 An example proof Define: Then the following program searches for a square root of m:

22 An example proof Define: Then the following program searches for a square root of m:

23 An example proof Define: Then the following program searches for a square root of m:

24 An example proof Define: Then the following program searches for a square root of m:

25 An example proof Define: Then the following program searches for a square root of m:

26 An example proof Define: Then the following program searches for a square root of m:

27 An example proof Define: Then the following program searches for a square root of m:

28 An example proof Now we need to use the mu rule to deal with the recursion

29 An example proof This is the instance to use: Now we need to use the mu rule to deal with the recursion

30 An example proof This is the instance to use: Now we need to use the mu rule to deal with the recursion To finish, we must prove the premises...

31 Finishing the proof

32

33

34 This is an instance of the H rule so we are done.

35 Reus and Streicher (ICALP, 2005) proved rules R, H and mu sound. Their model looks like this: These equations are recursive so domain theory is used Semantics using domain theory

36 Disagreeable aspects of existing work However some things are not so nice: 1.Semantic setup is (relatively) complicated, due to domain theory

37 Disagreeable aspects of existing work However some things are not so nice: 1.Semantic setup is (relatively) complicated, due to domain theory 2.Thus soundness proofs are (relatively) complicated, depending on domain-theoretic results by Andrew Pitts

38 Disagreeable aspects of existing work However some things are not so nice: 1.Semantic setup is (relatively) complicated, due to domain theory 2.Thus soundness proofs are (relatively) complicated, depending on domain-theoretic results by Andrew Pitts 3.All three new rules have inexplicable “downwards closure” side-conditions (not shown in this talk) where the domain theory leaks out into the logic

39 Disagreeable aspects of existing work However some things are not so nice: 1.Semantic setup is (relatively) complicated, due to domain theory 2.Thus soundness proofs are (relatively) complicated, depending on domain-theoretic results by Andrew Pitts 3.All three new rules have inexplicable “downwards closure” side-conditions (not shown in this talk) where the domain theory leaks out into the logic 4.Adding non-deterministic program statements breaks the theory

40 Disagreeable aspects of existing work However some things are not so nice: 1.Semantic setup is (relatively) complicated, due to domain theory 2.Thus soundness proofs are (relatively) complicated, depending on domain-theoretic results by Andrew Pitts 3.All three new rules have inexplicable “downwards closure” side-conditions (not shown in this talk) where the domain theory leaks out into the logic 4.Adding non-deterministic program statements breaks the theory 5.Testing syntactic equality between commands is not allowed

41 Disagreeable aspects of existing work However some things are not so nice: 1.Semantic setup is (relatively) complicated, due to domain theory 2.Thus soundness proofs are (relatively) complicated, depending on domain-theoretic results by Andrew Pitts 3.All three new rules have inexplicable “downwards closure” side-conditions (not shown in this talk) where the domain theory leaks out into the logic 4.Adding non-deterministic program statements breaks the theory 5.Testing syntactic equality between commands is not allowed Rest of this talk:Fix these issues with a simple construction.

42 Stores and environments (for auxiliary variables) have simple types: (Syntactic) commands encoded using a bijection Evaluation of expressions: Simpler semantics

43 Small-step execution relation for commands: Simpler semantics

44 Small-step execution relation for commands: Simpler semantics

45 Small-step execution relation for commands: Read integer value from the store, decode it back into a syntactic command, and run Simpler semantics

46 Assertions:

47 Interpretation is completely standard

48 Assertions: Interpretation is completely standard Interpretation of Hoare triples: means: in environment rho, any completed execution of e starting in a P-state, and containing n or fewer steps, ends in a Q-state.

49 Assertions: Interpretation is completely standard Interpretation of Hoare triples: Formally: means: in environment rho, any completed execution of e starting in a P-state, and containing n or fewer steps, ends in a Q-state.

50 Main judgement used in proofs:

51 ...then this triple holdsIf these triples hold...

52 Main judgement used in proofs:...then this triple holds for executions of n steps or fewer If these triples hold... for executions of n - 1 steps or fewer

53 Main judgement used in proofs:...then this triple holds for executions of n steps or fewer If these triples hold... for executions of n - 1 steps or fewer

54 Soundness of proof rules

55 Suppose that (1) Need to prove that

56 Soundness of proof rules Suppose that (1) Need to prove that So let be such that in n steps or fewer.

57 Soundness of proof rules Suppose that (1) Need to prove that So let be such that in n steps or fewer.

58 Soundness of proof rules Suppose that (1) Need to prove that So let be such that in n steps or fewer. We must have where

59 Soundness of proof rules Suppose that (1) Need to prove that So let be such that in n steps or fewer. We must have where To finish we can apply (1) to suffix which has length n – 1

60 Soundness of proof rules Proof is by induction on length of execution sequence. Define: Inductive step requires proving Give or take some fiddling with variables, the premise says this! Roughly, “C and D work correctly for n steps”

61 Summary Explained an existing Hoare logic for reasoning about a minimal language with HOS -This logic has some disagreeable aspects, stemming from the unnecessary use of domain theory

62 Summary Explained an existing Hoare logic for reasoning about a minimal language with HOS -This logic has some disagreeable aspects, stemming from the unnecessary use of domain theory Gave a simpler alternative construction which addresses these issues “Get a better logic for less work”

63 Summary Explained an existing Hoare logic for reasoning about a minimal language with HOS -This logic has some disagreeable aspects, stemming from the unnecessary use of domain theory Gave a simpler alternative construction which addresses these issues “Get a better logic for less work” 1. Semantic setup, and thus soundness proofs, are simple 2. Proof rules do not have inexplicable side-conditions 3. Non-deterministic program statements are supported 4. Testing syntactic equality between commands is permitted

64 The End

Download ppt "Hoare logic for higher order store using simple semantics Billiejoe (Nathaniel) Charlton University of Sussex WoLLIC 2011."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Types and Programming Languages Lecture 4 Simon Gay Department of Computing Science University of Glasgow 2006/07.

Types and Programming Languages Lecture 4 Simon Gay Department of Computing Science University of Glasgow 2006/07.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 10.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 10.
In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and shows.

In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and shows.
Computer Science CPSC 322 Lecture 25 Top Down Proof Procedure (Ch 5.2.2)

Computer Science CPSC 322 Lecture 25 Top Down Proof Procedure (Ch 5.2.2)
Introduction to Proofs

Introduction to Proofs
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Formal reasoning about runtime code update Billiejoe (Nathaniel) Charlton Ben Horsfall Bernhard Reus HotSWUp 2011.

Formal reasoning about runtime code update Billiejoe (Nathaniel) Charlton Ben Horsfall Bernhard Reus HotSWUp 2011.
Induction and Recursion. Odd Powers Are Odd Fact: If m is odd and n is odd, then nm is odd. Proposition: for an odd number m, m k is odd for all non-negative.

Induction and Recursion. Odd Powers Are Odd Fact: If m is odd and n is odd, then nm is odd. Proposition: for an odd number m, m k is odd for all non-negative.
Time Bounds for General Function Pointers Robert Dockins and Aquinas Hobor (Princeton University) (NUS) TexPoint fonts used in EMF. Read the TexPoint manual.

Time Bounds for General Function Pointers Robert Dockins and Aquinas Hobor (Princeton University) (NUS) TexPoint fonts used in EMF. Read the TexPoint manual.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
CS 355 – Programming Languages

CS 355 – Programming Languages
Advanced Package Concepts. 2 home back first prev next last What Will I Learn? Write packages that use the overloading feature Write packages that use.

Advanced Package Concepts. 2 home back first prev next last What Will I Learn? Write packages that use the overloading feature Write packages that use.
1 Operational Semantics Mooly Sagiv Tel Aviv University 640-6706 Textbook: Semantics with Applications.

1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
Recursive Definitions Rosen, 3.4. Recursive (or inductive) Definitions Sometimes easier to define an object in terms of itself. This process is called.

Recursive Definitions Rosen, 3.4. Recursive (or inductive) Definitions Sometimes easier to define an object in terms of itself. This process is called.
Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space 03-640-760603-640-5358 html://www.cs.tau.ac.il/~msagiv/courses/sem03.html.

Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space html://
Semantics with Applications Mooly Sagiv Schrirber 317 03-640-7606 html://www.cs.tau.ac.il/~msagiv/courses/sem08.html Textbooks:Winskel The.

Semantics with Applications Mooly Sagiv Schrirber html:// Textbooks:Winskel The.
Formal Aspects of Computer Science – Week 12 RECAP Lee McCluskey, room 2/07

Formal Aspects of Computer Science – Week 12 RECAP Lee McCluskey, room 2/07
EE1J2 – Discrete Maths Lecture 5 Analysis of arguments (continued) More example proofs Formalisation of arguments in natural language Proof by contradiction.

EE1J2 – Discrete Maths Lecture 5 Analysis of arguments (continued) More example proofs Formalisation of arguments in natural language Proof by contradiction.
Mathematical Induction

Mathematical Induction

Similar presentations

Ads by Google