Nested Hoare Triples and Frame Rules for Higher-order Store

More documents

Recommendations

Info

clear that (p ◦ q) ◦ r = 0 p ◦ (q ◦ r) holds for all p, q, r ∈ W . For the inductive stepn > 0, by definition of the distance function on Pred it suffices to show that forall w ∈ W , ι −1 ((p ◦ q) ◦ r)(w) n−1= ι −1 (p ◦ (q ◦ r))(w). Suppose w ∈ W , thenι −1 ((p ◦ q) ◦ r)(w) = ι −1 (p ◦ q)(r ◦ w) ∗ ι −1 (r)(w)= ι −1 (p)(q ◦ (r ◦ w)) ∗ ι −1 (q)(r ◦ w) ∗ ι −1 (r)(w)= ι −1 (p)(q ◦ (r ◦ w)) ∗ ι −1 (q ◦ r)(w)n−1= ι −1 (p)((q ◦ r) ◦ w) ∗ ι −1 (q ◦ r)(w)= ι −1 (p ◦ (q ◦ r))(w)using the induction hypothesis in the fourth equation.That ⊗ forms an action of W on Pred follows from these properties of ◦:first, p ⊗ emp = λw.p(emp ◦ w) = p since emp is a unit for ◦, and(p ⊗ q) ⊗ r = λw.p(q ◦ (r ◦ w)) = λw.p((q ◦ r) ◦ w) = p ⊗ (q ◦ r)by the associativity of ◦.⊓⊔Since there is a closure applied to the post-condition of semantic triples, butno similar closure used in the pre-condition, it is not immediately clear how tocompose commands. The following characterisation permits the proof for therule of sequential composition.Lemma 15 (Closure). If f:D ⊸ D ′ is a strict continuous function, q ⊆ D ′ isan admissible and downwards closed subset of D ′ , and p ⊆ D is an arbitrarysubset of D, then f(p) ⊆ q implies f(Ad(p)) ⊆ q.Proof. Since f is continuous, the pre-image f −1 (q) of q is admissible and downwardclosed. From the assumption that f(p) ⊆ q it follows that p ⊆ f −1 (q), andthus Ad(p) ⊆ f −1 (q) as the former is by definition the least admissible and downwardclosed subset of D containing p. Thus, if h ∈ Ad(p) then f(h) ∈ q. ⊓⊔Lemma 16 (Admissibility and downward closure of semantic triples).Assume w ∈ W and p, q ∈ Pred. Then the set {c ∈ Com | w |= {p}c{q}} is anadmissible and downward closed subset of Com.Proof. Both properties follow from the definition of w |={p}c{q}, specificallyfrom the respective properties of the closure applied in the post-condition. ⊓⊔Lemma 17 (Non-expansiveness of semantic triples). Assume w, w ′ ∈ Wand let n>0 s.t. w n =w ′ . If w |={p}c{q}, then w ′ |={p}c ′ {q} for c ′ def= π n−1 ◦ c ◦ π n−1 .Proof. Assume w = n w ′ , and let p, q ∈ Pred and c : Heap ⊸ T err (Heap) suchthat w |={p}c{q}. To show that w ′ |={p}c ′ {q} for c ′ (h) = defπ n−1 (c(π n−1 (h))), letr ∈ UAdm and h ∈ Heap such that h ∈ p(w ′ ) ∗ ι −1 (w ′ )(emp) ∗ r. We must provethat c ′ (h) ∈ Ad(q(w ′ ) ∗ ι −1 (w ′ )(emp) ∗ r).
Since w = n w ′ , we have ι −1 (w ′ )(emp) n−1= ι −1 (w)(emp). Hence, by thenon-expansiveness of p and the compatibility of ∗ with projections, we haveπ n−1 (h) ∈ p(w) ∗ ι −1 (w)(emp) ∗ r. By the assumption that w |= {p}c{q}, thisyields c(π n−1 (h)) ∈ Ad(q(w)∗ι −1 (w)(emp)∗r). Using the non-expansiveness of q,the uniformity of r, and the fact that ι −1 (w)(emp) n−1= ι −1 (w ′ )(emp) again, weknow that π n−1 (h ′ ) ∈ q(w ′ )∗ι −1 (w ′ )(emp)∗r whenever h ′ ∈ q(w)∗ι −1 (w)(emp)∗r. Thus π n−1 (c(π n−1 (h))) ∈ Ad(q(w ′ ) ∗ ι −1 (w ′ )(emp) ∗ r) by Lemma 15 and thecontinuity of π n−1 . This was to show.⊓⊔Lemma 18 (Heyting BI algebra). Let I = {{||}, ⊥}. Then (UAdm, ⊆, ∗, I)is a complete BI algebra. That is, (UAdm, ⊆) is a residuated complete Heytingalgebra with a (monotone) commutative monoid structure (UAdm, ∗, I) and the∗ operator also has the corresponding residuation operator.Proof. Since admissibility and uniformity are preserved by arbitrary intersections,UAdm is a complete lattice, with meets given by set-theoretic intersection,least element {⊥} and greatest element Heap. Binary joins are given byset-theoretic union, and arbitrary joins by ⊔ i p i = ⋂ {p ∈ UAdm | p ⊇ ⋃ i p i}.The join is described more explicitly as ⊔ i p i = {h | ∀n ∈ ω. π n (h) ∈ ⋃ i p i}.First, note that the right hand side r = def{h | ∀n ∈ ω. π n (h) ∈ ⋃ i p i} is anelement of UAdm: r is uniform, i.e., h ∈ r implies π m (h) ∈ r for all m ∈ ω, sinceπ n · π m = π min{n,m} . To show that r is also admissible suppose h 0 ⊑ h 1 ⊑ . . . isa chain in r, and let h be the lub of this chain. We must show that π n (h) ∈ ⋃ i p ifor all n ∈ ω. By compactness, π n (h) ⊑ h k ⊑ h for some k, and hence π n (h) =π n (h k ) ∈ ⋃ p i using the idempotency of π n and the fact that h k ∈ r. To seethe inclusion r ⊆ ⊔ i p i, note that for all h, if π n (h) ∈ ⋃ i p i ⊆ p for all n ∈ ωand some arbitrary p ∈ UAdm, then also h = ⊔ n π n (h) ∈ p by admissibility, andhence h ∈ ⊔ i p i follows. For the other inclusion, we claim that the right handside r = def{h | ∀n ∈ ω. π n (h) ∈ ⋃ i p i} is one of the elements appearing in theintersection; from this claim it is immediate that r ⊇ ⊔ i p i. The claim followssince r ⊇ ⋃ i p i by the uniformity of the p i ’s.The implication of this complete lattice UAdm is described by p ⇒ q def={h | ∀n ∈ ω. if π n (h) ∈ p then π n (h) ∈ q}: Using π n · π m = π min{n,m} it is easyto see that p ⇒ q is uniform. Admissibility follows analogously to the case ofjoins: if h 0 ⊑ h 1 ⊑ . . . is a chain in p ⇒ q with lub h, and if n ∈ ω is such thatπ n (h) ∈ p then we must show that π n (h) ∈ q. Since π n (h) ⊑ h is compact, thereis some k such that π n (h) ⊑ h k ⊑ h, and thus the required π n (h) = π n (h k ) ∈ qfollows from h k ∈ p ⇒ q. Next, to see that p ⇒ q is indeed the implicationin UAdm, first note that we have p ∩ (p ⇒ q) ⊆ q, using the uniformity of pand the admissibility of q. If p ∩ r ⊆ q for some r ∈ UAdm, and h ∈ r andπ n (h) ∈ p for some n ∈ ω, then the uniformity of r yields π n (h) ∈ q. Thus weobtain p ∩ r ⊆ q ⇔ r ⊆ p ⇒ q.That ∗ is an operation on UAdm is established in the proof of Lemma 12. Itis easy to check that ∗ is commutative and associative and that it is monotone,i.e., if p ⊆ p ′ and q ⊆ q ′ then p ∗ q ⊆ p ′ ∗ q ′ . Moreover, we have I ∈ UAdm, and
Page 1 and 2: Nested Hoare Triples and Frame Rule
Page 3 and 4: d ∈ Exp ::= 0 | −1 | 1 | . . .
Page 5 and 6: DerefΓ, x ⊢ {P ∗ e ↦→ x}
Page 7 and 8: However, since −1 is not even an
Page 9 and 10: ⊗-FrameΓ ⊢ PΓ ⊢ P ⊗ R∗-
Page 11 and 12: and satisfies the strong triangle i
Page 13 and 14: true ηw = HeapP ∧ Q ηw = P ηw
Page 15 and 16: and has a unique fixed point, r. Gi
Page 17: fixed point theorem. More precisely
Page 21 and 22: {P }e{Q} ηw ′ . We distinguish t
Page 23 and 24: A.3 Soundness of standard rules fro
Page 25: Since Ad(p ′ ) is a downward-clos

Nested Hoare Triples and Frame Rules for Higher-order Store

Create successful ePaper yourself

Delete template?

Save as template?