Soundness of Higher-order Frame Rules (How did category theory help me?) Hongseok Yang Seoul National University Joint work with Lars Birkedal and Noah Torp-Smith IT University, Copenhagen, Denmark

Toy Memory Manager alloc x = if (f=nil) then x:=new() else x:=f; f:=[f] free x = [x]:=f; f:=x alloc x free x Memory_Manager f nil A client can use the memory manager directly or indirectly. wrapper x = alloc x. alloc x ;[x]:=0 iclient x = wrapper x. wrapper x ;y:=x Can we hide list f from a client-side reasoning, for all direct and indirect clients?

Higher-order Frame Rule Second-order Frame Rule (AKA Hypothetical Frame Rule) {emp}alloc x {x -} ` {P}wrapper x (alloc x ){Q} {emp*lst f}alloc x {(x -)*lst f} ` {P*lst f}wrapper x (alloc x ){Q*lst f} Third-order Frame Rule ( 8 alloc x. {emp}alloc x {x -} ) {P}wrapper x (alloc x ){Q} ) ` {A}iClient x (wrapper x ){B} 8 alloc x. {emp*lst f}alloc x {x -*lst f} ) {P*lst f}wrapper x (alloc x ){Q*lst f} ` {A*lst f}iClient x (wrapper x ){B*lst f}

Goal of this Talk If we want to have the second-order frame, we need to be careful: when the rule is added to separation logic, the logic becomes faulty. Need to give up the conjunction rule. Question: what about the other higher-order rules? Answer: we can have them as long as we give up the conjunction rule. The goal of this talk is to see how the category theory can help us to get this answer.

Predicates s,t,… 2 States = Ints ! fin Nats a,b,p,q,… 2 Preds = P(States) Heap combining operator o: s o t = s [ tif dom(s) Å dom(t) = {} undefined otherwise Separating conjunction *: p*q = {s o t | s 2 p, t 2 q, dom(s) Å dom(t)={} } E.g. { [1 ! 0] } * { [1 ! 2], [3 ! 9] } = { [1 ! 0, 3 ! 9] }

Specified Programs Specification Types: ::= {P}-{Q} | £ | ! Typing Rules with Specification Types: x: ` M : ` x.M : ! ` M : ! ` N : ` M N : ` M : {p}-{q} ` M : {p*r}-{q*r} ` M : {p}-{q} ! {a}-{b} ` M : {p*r}-{q*r} ! {a*r}-{b*r} ` M : [{p}-{q} ! {a}-{b}] ! {c}-{d} ` M : [{p*r}-{q*r} ! {a*r}-{b*r}] ! {c*r}-{d*r} 2 nd -order Frame Rule 1 st -order Frame Rule 3 rd -order Frame Rule ! Intro ! Elim

Original Question, More Precisely Does the type system make a sense? ` skip : {p}-{false} only if p = false. Find a semantics for specified programs s.t. the interpretation of commands must coincide with the operational semantics. The most difficult part is to interpret higher- order functions correctly. The interpretation must validate, laws. The category theory tells what such an interpretation is.

Knowledge on Category Theory List of things to know to understand this talk: Category Functor Product Exponential Natural Transformation Functor Category Presheaf Category

Knowledge on Category Theory List of things to know to understand this talk: Category : Poset Functor : Monotone Function Product : Meet Exponential : Implication Natural Transformation : Order for Mono. Fns. Functor Category : Poset of Mono. Fns. Presheaf Category : No match This means that the talk is extremely hard to understand!

Basic Category Theory A category specifies an abstract typed programming language. A category consists of four kinds of data: objects X,Y,Z,…; typed morphisms f:X ! Y, g:Y ! Z, h:Z ! V; identity morphism id X :X ! X for each object X; and composition g o f for matching morphisms f and g such that o is associative and has id as an identity: (h o g) o f = h o (g o f) and (id o f) = (f o id) = f.

Example Categories Set: objects: sets morphisms: typed functions identity, and composition: usual ones. Preds: objects: predicates morphisms: p · q iff 9 r. p*r = q.

Categorical Semantics of a Typed Programming Language To give a categorical semantics of a language, 1. pick a category C; 2. interpret a type as an object in C; and 3. interpret a typed term as a morphism in C: « x: ` M: ¬ is a morphism from « ¬ to « ¬. Then, check whether the interpretation is good: 1. Coincide with the operational semantics? 2. Validate reasoning princinples? Picking a good C is the most important.

Good Category C for Our Goal Requirements for C: 1. C must validate the higher-order frame rules. 2. C must validate the, laws. We use a presheaf category C for this goal. 1. The higher-order frame rules can be built in C. 2. C always validates the, laws.

Functor A functor F:C ! D maps objects in C to objects in D, and morphisms in C to morphisms in D such that F preserves all data: typing of morphisms, identity, and composition. F:C ! D specifies a parameterized type: objects in C: possible parameters morphisms in C: subtyping between parameters

Natural Transformation A natural transformation :F ! G:C ! D maps each object X in C to a morphism X :F(X) ! G(X) such that for all f:X ! Y in C, specifies a parameterized program. X is instantiated with the parameter X. The condition says that comes from a single program. F(X) F(f) F(Y)G(Y) G(X) G(f) X Y

Category Set Preds Category Set Preds consists of the following data: object: functor from Preds to Sets morphism: natural transformation between such functors Question: what are identity and composition? In Set Preds, a functor means a parameterized set, and a nat. trans. a parameterized function. The parameter represents the modules internal state (especially, an invariant for it).

Interpretation in Set Preds « ¬ is a functor from Preds to Set. « k: ` M: ¬ is a natural trans. from « ¬ to « ¬. A program x in « ¬ a can internally access cells in a, but maintains the invariant a. Example: « {p}-{q} ¬ a = { f:p*a*T ! q*a*T | …… } « {p}-{q} ¬ (a · b)(f) = f| p*b

Interpretation of Higher-order Types Category theory says: in order to have, laws, « ! ¬ must be the exponential « ¬)« ¬ ; « £ ¬ must be the product of « ¬£« ¬. Category theory also gives the definition of exponential and product. « ! ¬ a = { 2 a · b ( « ¬ b !« ¬ b) | for all c ¸ b ¸ a, } « ¬ (b) b c « ¬ (c) « ¬ (b · c) « ¬ (b) « ¬ (b · c)

Higher-order Frame Rule Categorically, a higher-order frame rule means that for all F,G in Set Preds, : F(-) ! F(r*-) : {p}-{q}(r*-) ' {p*r}-{q*r}(-) : (F £ G)(r*-) ' F(r*-) £ G(r*-) : (F ) G)(r*-) ' (F(r*-) ) G(r*-)) exist. In Set Preds, all exist, but is not isomorphism. In our actual model, we used reflexive graph categories, and showed the existence of all above.

Conclusion How did the category theory help me? It taught me how I should interpret functions and pairs correctly. It made precise what I meant by higher-order frame rules and their soundness.