Hoare logic for higher order store using simple semantics
Billiejoe (Nathaniel) Charlton
University of Sussex
WoLLIC 2011
Outline

• What is higher order store (HOS)?
  - introduce a minimal programming language with HOS
• Show an existing Hoare logic for reasoning about this minimal HOS language (Reus and Streicher, ICALP 2005)
  - Look at a correctness proof for a small program
• Point out some disagreeable things about Reus and Streicher’s logic
  - These stem from the unnecessary use of domain theory
• Give a simpler alternative construction which addresses these issues
  - “Get a better logic for less work”
What is higher order store?

• A programming language is said to feature HOS when a program’s code / commands / procedures are part of the mutable store which the program manipulates as it runs
• So HOS programs can modify their own code while running
• Where does HOS occur?
  - in functional languages with mutable state, e.g. ML
  - dynamic loading and unloading of code, e.g. plugins
  - “hot update” – updating a program while it is running
  - runtime code generation
A minimal language with HOS

Quote turns a command, unexecuted, into a value which can be stored.
The run command is used to invoke commands which were stored previously.
Example HOS programs

• This program sets up a non-terminating recursion:
• This is “recursion through the store” or “Landin’s knot” (which allegedly is one reason HOS causes complications)
• Here we store in x a command which will overwrite itself when run:
Reus and Streicher’s logic

Boils down to three new proof rules to deal with HOS (ICALP, 2005).
Main judgement used in proofs:
If k = 0 write . Let mean and .
The context consists of a bunch of assumptions, each of which is a Hoare triple; the judgement asserts a Hoare triple which holds in the given context.
Proof rules for HOS

• R = “Run”: used when we know exactly which code we are going to invoke
• H = “Hypothesis”: allows us to use a hypothesis, from the context, about how some code works (p is an auxiliary variable)
• mu for (mutual) recursion: when proving that C and D “work”, we can assume that recursive invocations of C and D “work”!
An example proof

Define:
Then the following program searches for a square root of m:
Now we need to use the mu rule to deal with the recursion. This is the instance to use:
To finish, we must prove the premises...
Finishing the proof

This is an instance of the H rule so we are done.
Semantics using domain theory

• Reus and Streicher (ICALP, 2005) proved rules R, H and mu sound.
• Their model looks like this:
• These equations are recursive so domain theory is used
Disagreeable aspects of existing work

However some things are not so nice:
1. Semantic setup is (relatively) complicated, due to domain theory
2. Thus soundness proofs are (relatively) complicated, depending on domain-theoretic results by Andrew Pitts
3. All three new rules have inexplicable “downwards closure” side-conditions (not shown in this talk) where the domain theory leaks out into the logic
4. Adding non-deterministic program statements breaks the theory
5. Testing syntactic equality between commands is not allowed

• Rest of this talk: Fix these issues with a simple construction.
Simpler semantics

• Stores and environments (for auxiliary variables) have simple types:
• (Syntactic) commands encoded using a bijection
• Evaluation of expressions:
• Small-step execution relation for commands:
  - for run: read the integer value from the store, decode it back into a syntactic command, and run it
• Assertions:
• Interpretation is completely standard
• Interpretation of Hoare triples:
  Formally:
  means: in environment rho, any completed execution of e starting in a P-state, and containing n or fewer steps, ends in a Q-state.
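As an added example (my own code, not from the talk or from Reus and Streicher), here is a small Python interpreter for a minimal HOS language in the talk’s spirit: quote stores a command as an integer through an on-demand encoding table, run decodes that integer and executes the command, and a bounded executor gives the step-indexed reading of triples just described. The tuple syntax, the encoding table and every function name are my assumptions; the sample programs are the talk’s Landin’s knot, the self-overwriting command, and a square-root search by recursion through the store.

```python
import math
import operator
# Minimal HOS language as nested tuples (my own simplification of the talk's syntax):
#   cmd  ::= ('skip',) | ('assign', x, e) | ('seq', c1, c2) | ('if', e, c1, c2) | ('run', e)
#   expr ::= int | variable name (str) | ('quote', cmd) | ('op', f, e1, e2)
SKIP = ('skip',)
_codes = {}   # syntactic command -> integer code
_cmds = []    # integer code -> syntactic command (the inverse)

def encode(cmd):
    """Bijection between commands and 0, 1, 2, ... (codes assigned on demand)."""
    if cmd not in _codes:
        _codes[cmd] = len(_cmds)
        _cmds.append(cmd)
    return _codes[cmd]

def decode(n):
    return _cmds[n]

def ev(store, e):
    """Evaluate an expression; quoting a command yields its integer code."""
    if isinstance(e, int): return e
    if isinstance(e, str): return store[e]
    if e[0] == 'quote': return encode(e[1])
    return e[1](ev(store, e[2]), ev(store, e[3]))

def step(cmd, store):
    """One step of the small-step execution relation; SKIP is terminal."""
    tag = cmd[0]
    if tag == 'assign':
        return SKIP, {**store, cmd[1]: ev(store, cmd[2])}
    if tag == 'seq':
        if cmd[1] == SKIP: return cmd[2], store
        c1, s = step(cmd[1], store)
        return ('seq', c1, cmd[2]), s
    if tag == 'if':
        return (cmd[2] if ev(store, cmd[1]) else cmd[3]), store
    if tag == 'run':  # read an integer from the store, decode it into a command, run it
        return decode(ev(store, cmd[1])), store
    raise ValueError(f"cannot step {cmd}")

def run_bounded(cmd, store, n):
    """Execute at most n steps; return (final command, final store, steps taken)."""
    k = 0
    while cmd != SKIP and k < n:
        cmd, store = step(cmd, store)
        k += 1
    return cmd, store, k

def triple_holds(P, cmd, Q, states, n):
    """Step-indexed triple over sample states: every completed (<= n steps) execution from a P-state ends in a Q-state."""
    for s in states:
        if P(s):
            c, s2, _ = run_bounded(cmd, s, n)
            if c == SKIP and not Q(s2): return False
    return True

# Landin's knot, x := 'run x'; run x, which never completes:
KNOT = ('seq', ('assign', 'x', ('quote', ('run', 'x'))), ('run', 'x'))
# A stored command that overwrites itself with skip when run:
OVERWRITE = ('seq', ('assign', 'x', ('quote', ('assign', 'x', ('quote', SKIP)))), ('run', 'x'))
# Square-root search by recursion through the store:
#   x := 'if i*i = m then skip else (i := i + 1; run x)'; i := 0; run x
EQ = ('op', operator.eq, ('op', operator.mul, 'i', 'i'), 'm')
BODY = ('if', EQ, SKIP, ('seq', ('assign', 'i', ('op', operator.add, 'i', 1)), ('run', 'x')))
SQRT = ('seq', ('assign', 'x', ('quote', BODY)), ('seq', ('assign', 'i', 0), ('run', 'x')))
def sqrt_triple_ok(n=100):
    """{m is a perfect square} SQRT {i*i = m}, checked for m = 0..29 within n steps."""
    is_square = lambda s: s['m'] >= 0 and math.isqrt(s['m']) ** 2 == s['m']
    return triple_holds(is_square, SQRT, lambda s: s['i'] * s['i'] == s['m'], [{'m': m} for m in range(30)], n)
```

Because the triple is only checked on executions that complete within n steps, a non-square m (where the search never terminates) satisfies it vacuously, which is exactly the partial-correctness reading the talk gives.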
• Main judgement used in proofs:
  If these triples hold... for executions of n - 1 steps or fewer
  ...then this triple holds for executions of n steps or fewer
Soundness of proof rules

Suppose that (1). Need to prove that
So let be such that in n steps or fewer.
We must have where
To finish we can apply (1) to suffix which has length n – 1

Proof is by induction on length of execution sequence. Define:
Roughly, “C and D work correctly for n steps”
Inductive step requires proving
Give or take some fiddling with variables, the premise says this!
Summary

• Explained an existing Hoare logic for reasoning about a minimal language with HOS
  - This logic has some disagreeable aspects, stemming from the unnecessary use of domain theory
• Gave a simpler alternative construction which addresses these issues: “Get a better logic for less work”
  1. Semantic setup, and thus soundness proofs, are simple
  2. Proof rules do not have inexplicable side-conditions
  3. Non-deterministic program statements are supported
  4. Testing syntactic equality between commands is permitted

The End