Hoare logic for higher order store using simple semantics
Billiejoe (Nathaniel) Charlton
University of Sussex
WoLLIC 2011
Outline
• What is higher order store (HOS)?
- introduce a minimal programming language with HOS
• Show an existing Hoare logic for reasoning about this minimal HOS language (Reus and Streicher, ICALP 2005)
- Look at a correctness proof for a small program
• Point out some disagreeable things about Reus and Streicher’s logic
- These stem from the unnecessary use of domain theory
• Give a simpler alternative construction which addresses these issues
- “Get a better logic for less work”
What is higher order store?
• A programming language is said to feature HOS when: a program’s code / commands / procedures are part of the mutable store which the program manipulates as it runs
• So HOS programs can modify their own code while running
• Where does HOS occur?
- in functional languages with mutable state, e.g. ML
- dynamic loading and unloading of code, e.g. plugins
- “hot update” – updating a program while it is running
- runtime code generation
A minimal language with HOS
• Quote turns a command, unexecuted, into a value which can be stored
• The run command is used to invoke commands which were stored previously
Example HOS programs
• This program sets up a non-terminating recursion:
• This is “recursion through the store” or “Landin’s knot” (which allegedly is one reason HOS causes complications)
• Here we store in x a command which will overwrite itself when run:
Reus and Streicher’s logic
Boils down to three new proof rules to deal with HOS (ICALP, 2005).
Main judgement used in proofs:
If k = 0 write . Let mean and .
Context consisting of a bunch of assumptions; each assumption is a Hoare triple
Hoare triple which holds in the given context
Proof rules for HOS
• R = “Run”: used when we know exactly which code we are going to invoke
• H = “Hypothesis”: allows us to use a hypothesis, from the context, about how some code works (p is an auxiliary variable)
• mu, for (mutual) recursion: when proving that C and D “work”, we can assume that recursive invocations of C and D “work”!
An example proof
Define:
Then the following program searches for a square root of m:
Now we need to use the mu rule to deal with the recursion.
This is the instance to use:
To finish, we must prove the premises...
Finishing the proof
This is an instance of the H rule, so we are done.
Semantics using domain theory
• Reus and Streicher (ICALP, 2005) proved rules R, H and mu sound.
• Their model looks like this:
• These equations are recursive, so domain theory is used
Disagreeable aspects of existing work
However, some things are not so nice:
1. Semantic setup is (relatively) complicated, due to domain theory
2. Thus soundness proofs are (relatively) complicated, depending on domain-theoretic results by Andrew Pitts
3. All three new rules have inexplicable “downwards closure” side-conditions (not shown in this talk) where the domain theory leaks out into the logic
4. Adding non-deterministic program statements breaks the theory
5. Testing syntactic equality between commands is not allowed
• Rest of this talk: fix these issues with a simple construction.
Simpler semantics
• Stores and environments (for auxiliary variables) have simple types:
• (Syntactic) commands encoded using a bijection
• Evaluation of expressions:
• Small-step execution relation for commands:
- run: read the integer value from the store, decode it back into a syntactic command, and run it
• Assertions:
• Interpretation is completely standard
• Interpretation of Hoare triples:
Formally:
means: in environment rho, any completed execution of e starting in a P-state, and containing n or fewer steps, ends in a Q-state.
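As an added illustration (not code from the talk or from Reus and Streicher's paper), here is a small Python model of the simpler semantics just described: a constructed quote/run language whose commands live in the store as integers via a bijective encoding, a small-step execution relation in which run decodes the stored integer, and the step-indexed reading of Hoare triples checked over a finite list of initial stores. The concrete syntax, the Cantor-pairing encoding and the two programs KNOT and OVERWRITE are assumptions made here, not the paper's.

```python
from math import isqrt

# Constructed minimal HOS language (not the paper's concrete syntax); variables are ints.
#   commands:    ('skip',) | ('assign', v, e) | ('seq', c1, c2) | ('run', v)
#   expressions: ('lit', i) | ('var', v) | ('quote', c)    -- quote: a command as a value
def pair(a, b):                       # Cantor pairing, a bijection N x N -> N
    return (a + b) * (a + b + 1) // 2 + b

def unpair(n):
    w = (isqrt(8 * n + 1) - 1) // 2
    return w - (n - w * (w + 1) // 2), n - w * (w + 1) // 2

def zz(i): return 2 * i if i >= 0 else -2 * i - 1          # zigzag Z -> N for literals
def unzz(n): return n // 2 if n % 2 == 0 else -(n + 1) // 2

def enc(c):                           # syntactic commands <-> naturals, bijectively
    if c[0] == 'skip':   return 0
    if c[0] == 'assign': return 1 + 3 * pair(c[1], enc_expr(c[2]))
    if c[0] == 'seq':    return 2 + 3 * pair(enc(c[1]), enc(c[2]))
    return 3 + 3 * c[1]               # run v

def dec(n):
    if n == 0: return ('skip',)
    tag, p = (n - 1) % 3, (n - 1) // 3
    if tag == 0: v, e = unpair(p); return ('assign', v, dec_expr(e))
    if tag == 1: a, b = unpair(p); return ('seq', dec(a), dec(b))
    return ('run', p)

def enc_expr(e):
    if e[0] == 'lit': return 3 * zz(e[1])
    if e[0] == 'var': return 3 * e[1] + 1
    return 3 * enc(e[1]) + 2          # quote c

def dec_expr(n):
    tag, p = n % 3, n // 3
    return ('lit', unzz(p)) if tag == 0 else ('var', p) if tag == 1 else ('quote', dec(p))

def evaluate(e, s):
    if e[0] == 'lit': return e[1]
    if e[0] == 'var': return s.get(e[1], 0)
    return enc(e[1])                  # quote: the code of the command, unexecuted

def step(c, s):
    """One step of the small-step execution relation; None when c is terminal."""
    if c[0] == 'skip':   return None
    if c[0] == 'assign': return ('skip',), {**s, c[1]: evaluate(c[2], s)}
    if c[0] == 'seq':
        if c[1] == ('skip',): return c[2], s
        c1, s1 = step(c[1], s)
        return ('seq', c1, c[2]), s1
    return dec(s.get(c[1], 0)), s     # run v: read the int, decode it, execute it

def execute(c, s, n):
    """Take at most n steps; returns (completed within n steps?, store)."""
    for _ in range(n):
        r = step(c, s)
        if r is None: return True, s
        c, s = r
    return c == ('skip',), s

def triple_holds(n, P, c, Q, stores):
    """Step-indexed partial-correctness triple, checked over a finite list of initial
    stores: every execution from a P-store completing within n steps ends in a Q-store."""
    for s in stores:
        if P(s):
            done, s2 = execute(c, dict(s), n)
            if done and not Q(s2): return False
    return True

X = 0
KNOT = ('seq', ('assign', X, ('quote', ('run', X))), ('run', X))      # Landin's knot
OVERWRITE = ('seq', ('assign', X, ('quote', ('assign', X, ('quote', ('skip',))))),
             ('seq', ('run', X), ('run', X)))                          # x rewrites itself
```

KNOT never completes, so it satisfies every triple vacuously, and OVERWRITE needs six steps, so for n below six any postcondition holds for it as well; that is exactly the n-indexing the slide's reading of triples relies on.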
• Main judgement used in proofs:
If these triples hold... for executions of n - 1 steps or fewer
...then this triple holds for executions of n steps or fewer
Soundness of proof rules
Suppose that (1) Need to prove that
So let be such that in n steps or fewer.
We must have where
To finish we can apply (1) to the suffix, which has length n – 1
Soundness of proof rules
Proof is by induction on the length of the execution sequence. Define:
Roughly, “C and D work correctly for n steps”
Inductive step requires proving
Give or take some fiddling with variables, the premise says this!
Summary
• Explained an existing Hoare logic for reasoning about a minimal language with HOS
- This logic has some disagreeable aspects, stemming from the unnecessary use of domain theory
• Gave a simpler alternative construction which addresses these issues
- “Get a better logic for less work”
1. Semantic setup, and thus soundness proofs, are simple
2. Proof rules do not have inexplicable side-conditions
3. Non-deterministic program statements are supported
4. Testing syntactic equality between commands is permitted
The End