Nested Hoare Triples and Frame Rules for Higher-order Store

More documents

Recommendations

Info

EvalNonRec1Γ ⊢{P ∗ e ↦→ ∀y. {P } {Q}}‘eval [e]’{Q ∗ x ↦→ ∀y. {P } {Q}}EvalNonRecUpdΓ ⊢{P ∗ e ↦→ ∀y. {P ∗ e ↦→ } {Q}}‘eval [e]’{Q}EvalRec(where R = (e ↦→ ∀y. {P } {Q} ∗ P0) ⊗ R)Γ ⊢{P ◦ R}‘eval [e]’{Q ◦ R}Fig. 4. Derived rules from EvalHere the actual code C is specified explicitly in the pre- and post-conditions ofthe triple. In both rules the intuition is that the premise states that the body ofthe recursive procedure fulfils the triple, under the assumption that the recursivecall does so as well. In the Eval rule this is done without direct reference to thecode itself, but rather via a k satisfying R. The soundness proof of OldEvalproceeded along the lines of Pitts’ method for establishing relational propertiesof domains [10]. On the other hand, Eval relies on the availability of recursiveassertions, the existence of which is guaranteed by Banach’s fixpoint theorem.From the Eval rule one can easily derive the axioms of Fig. 4. The first twoaxioms are for non-recursive calls. This can be seen from the fact that in thepre-condition of the nested triples e does not appear at all or does not have aspecification, respectively. Only the third axiom EvalRec allows for recursivecalls. The idea of this axiom is that one assumes that the code in [e] fulfills therequired triple provided the code that e points to at call-time fulfils the triple aswell. Let us look at the actual derivation of EvalRec to make this evident. Wewrite S[k] ≡ ∀y.{P ◦ R}k{Q ◦ R} such that for the original R of rule EvalRecwe have R ⇔ (e ↦→ S[ ] ∗ (P 0 ⊗ R)). Note that Γ contains the variables y whichmay appear freely in P and Q.FOLΓ, k ⊢ (∀y.{P ◦ R}k{Q ◦ R}) ⇒{P ◦ R}k{Q ◦ R}ConseqΓ, k ⊢ S[k] ⇒{(P ⊗ R) ∗ (P 0 ⊗ R) ∗ e ↦→ S[ ]}k{Q ◦ R}EvalΓ ⊢{(P ⊗ R) ∗ (P 0 ⊗ R) ∗ e ↦→ S[ ]}‘eval [e]’{Q ◦ R}ConseqΓ ⊢{P ◦ R}‘eval [e]’{Q ◦ R}In the derivation tree above, the axiom used at the top is simply a first-order axiomfor ∀ elimination. The quantified variables y are substituted by the variableswith the same name from the context. After an application of the EvalRec rulethose variables y can then be substituted further.The use of recursive specification R = (e ↦→ ∀y.{P } {Q}∗P 0 )⊗R is essentialhere as it allows us to unroll the definition so that the Eval rule can be applied.Note that in the logic of [5], which also uses nested triples but features neithera specification logic nor expresses any frame rules or axioms, such recursivespecifications are avoided. This is possible under the assumption that code doesnot change during recursion. One can then express the recursive R above as
⊗-FrameΓ ⊢ PΓ ⊢ P ⊗ R∗-FrameΓ ⊢{P }e{Q} ⇒{P ∗ R}e{Q ∗ R}EvalΓ, k ⊢ R[k] ⇒{P ∗ e ↦→ R[ ]}k{Q}Γ ⊢{P ∗ e ↦→ R[ ]}‘eval [e]’{Q}Fig. 5. Proof rules specific to higher-order storefollows (we can omit the P 0 now, as this is only needed for mutually recursivelydefined triples):e ↦→{e ↦→ k ∗ P }k{e ↦→ k ∗ Q}.The question however remains how the assertion can be proved for some concrete‘C’ in [e]. In loc.cit. this is done by an induction on some appropriate argument,as total correctness is considered only. Note that our old OldEval can be viewedas a fixpoint induction rule for proving such specifications, if one quantifiesaway the concrete appearances of ‘C’. In any case, our new Eval is obviouslyelegant to use, and it does not only allow for recursion through the store butalso disentangles the reasoning from the concrete code stored in the heap.Before finishing this section, we summarize a particular choice of a proofruleset from the current and previous subsections in Fig. 5. They will be provedsound in Section 4.4 Semantics of Nested TriplesThis section develops a model for the programming language and logic we havepresented. The semantics of programs, given in the next subsection using anuntyped domain-theoretic model, is standard. The following semantics of thelogic is, however, unusual; it is a possible world semantics where the worldslive in a recursively defined metric space. Finally, we discuss the existence ofrecursively defined assertions, which have been used in the previous sections.Semantics of expressions and commands The interpretation of the programminglanguage is given in the category Cppo ⊥ of pointed cpos and strictcontinuous functions, and is the same as in our previous work [2]. That is, commandsdenote strict continuous functions C η∈ Heap ⊸ T err (Heap) whereHeap = Rec(Val) Val = Integers ⊥ ⊕ Com ⊥ Com = Heap ⊸ T err (Heap) (1)In these equations, T err (D) = D⊕{error} ⊥ denotes the error monad, and Rec(D)denotes records with entries from D and labelled by positive natural numbers. 4We use some evident record notations, such as {|l 1 =d 1 , . . . , l n =d n |} for the recordmapping label l i to d i , and dom(r) for the set of labels of a record r. Thedisjointness predicate r#r ′ on records holds if r and r ′ are not ⊥ and havedisjoint domains, and a continuous partial combining operation r·r ′ is defined byr · r ′ def= if r#r ′ then r ∪ r ′ else (if r=⊥ ∨ r ′ =⊥ then ⊥ else undefined).4 Formally, Rec(D) = `P N⊆ fin Nats(N→D + ↓ )´where (N→D ⊥↓) is the cpo of mapsfrom the finite address set N to the cpo D ↓ = D−{⊥} of non-bottom elements of D.
Page 1 and 2: Nested Hoare Triples and Frame Rule
Page 3 and 4: d ∈ Exp ::= 0 | −1 | 1 | . . .
Page 5 and 6: DerefΓ, x ⊢ {P ∗ e ↦→ x}
Page 7: However, since −1 is not even an
Page 11 and 12: and satisfies the strong triangle i
Page 13 and 14: true ηw = HeapP ∧ Q ηw = P ηw
Page 15 and 16: and has a unique fixed point, r. Gi
Page 17 and 18: fixed point theorem. More precisely
Page 19 and 20: Since w = n w ′ , we have ι −1
Page 21 and 22: {P }e{Q} ηw ′ . We distinguish t
Page 23 and 24: A.3 Soundness of standard rules fro
Page 25: Since Ad(p ′ ) is a downward-clos

Nested Hoare Triples and Frame Rules for Higher-order Store

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?