Hoare logic for higher order store using simple semantics
Billiejoe (Nathaniel) Charlton, University of Sussex
WoLLIC 2011


Outline

What is higher order store (HOS)?
- introduce a minimal programming language with HOS

Show an existing Hoare logic for reasoning about this minimal HOS language (Reus and Streicher, ICALP 2005)
- look at a correctness proof for a small program

Point out some disagreeable things about Reus and Streicher's logic
- these stem from the unnecessary use of domain theory

Give a simpler alternative construction which addresses these issues
- "Get a better logic for less work"

What is higher order store?

A programming language is said to feature HOS when a program's code / commands / procedures are part of the mutable store which the program manipulates as it runs.

So HOS programs can modify their own code while running.

Where does HOS occur?
- in functional languages with mutable state, e.g. ML
- dynamic loading and unloading of code, e.g. plugins
- "hot update": updating a program while it is running
- runtime code generation

A minimal language with HOS

Quote turns a command, unexecuted, into a value which can be stored.

The run command is used to invoke commands which were stored previously.

Example HOS programs

This program sets up a non-terminating recursion:

This is "recursion through the store" or "Landin's knot" (which allegedly is one reason HOS causes complications).

Here we store in x a command which will overwrite itself when run:

Reus and Streicher's logic

Boils down to three new proof rules to deal with HOS (ICALP, 2005).

Main judgement used in proofs: a context consisting of a bunch of assumptions, each assumption a Hoare triple, entails a Hoare triple which holds in the given context. If k = 0 write. Let mean and.

Proof rules for HOS

R = "Run": used when we know exactly which code we are going to invoke.

H = "Hypothesis": allows us to use a hypothesis, from the context, about how some code works (p is an auxiliary variable).

mu, for (mutual) recursion: when proving that C and D "work", we can assume that recursive invocations of C and D "work"!

An example proof

Define:

Then the following program searches for a square root of m:

An example proof

Now we need to use the mu rule to deal with the recursion. This is the instance to use:

To finish, we must prove the premises...

Finishing the proof

This is an instance of the H rule so we are done.

Semantics using domain theory

Reus and Streicher (ICALP, 2005) proved rules R, H and mu sound. Their model looks like this:

These equations are recursive, so domain theory is used.

Disagreeable aspects of existing work

However some things are not so nice:
1. Semantic setup is (relatively) complicated, due to domain theory
2. Thus soundness proofs are (relatively) complicated, depending on domain-theoretic results by Andrew Pitts
3. All three new rules have inexplicable "downwards closure" side-conditions (not shown in this talk) where the domain theory leaks out into the logic
4. Adding non-deterministic program statements breaks the theory
5. Testing syntactic equality between commands is not allowed

Rest of this talk: fix these issues with a simple construction.

Simpler semantics

Stores and environments (for auxiliary variables) have simple types:

(Syntactic) commands are encoded using a bijection.

Evaluation of expressions:

Simpler semantics

Small-step execution relation for commands:

To run stored code: read the integer value from the store, decode it back into a syntactic command, and run it.

Assertions:

Interpretation is completely standard.

Interpretation of Hoare triples, formally:

means: in environment rho, any completed execution of e starting in a P-state, and containing n or fewer steps, ends in a Q-state.
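As an added example (not code from the talk or its authors), the minimal HOS language and the simpler small-step semantics above realised as a Python interpreter: syntactic commands are stored as integers (an injective encoding with a decoder stands in for the talk's bijection), `run x` decodes the integer in x back into syntax and executes it, and a checker reads {P} C {Q} in the step-indexed way the slide states. The tuple syntax for commands, the encoding, and the square-root search program (recursion through the store, as in the earlier example) are all assumptions.

```python
import ast

# Expressions: ('int', n) | ('var', x) | ('add', e, e) | ('mul', e, e) | ('eq', e, e)
#            | ('quote', cmd)   Commands: ('skip',) | ('assign', x, e) | ('seq', c, c)
#            | ('if', e, c, c) | ('run', x)        (constructed syntax, an assumption)
def encode(cmd):
    # injective command -> integer map; stand-in for the talk's bijection
    return int.from_bytes(repr(cmd).encode(), "big")

def decode(n):  # inverse of encode on encoded values
    return ast.literal_eval(n.to_bytes((n.bit_length() + 7) // 8, "big").decode())

def eval_expr(e, store):
    tag = e[0]
    if tag == "int":   return e[1]
    if tag == "var":   return store[e[1]]
    if tag == "add":   return eval_expr(e[1], store) + eval_expr(e[2], store)
    if tag == "mul":   return eval_expr(e[1], store) * eval_expr(e[2], store)
    if tag == "eq":    return int(eval_expr(e[1], store) == eval_expr(e[2], store))
    if tag == "quote": return encode(e[1])   # unexecuted command becomes a plain integer
    raise ValueError(e)

def step(cmd, store):
    """One small-step transition of a non-skip command; returns (cmd', store')."""
    tag = cmd[0]
    if tag == "assign":
        return ("skip",), {**store, cmd[1]: eval_expr(cmd[2], store)}
    if tag == "seq":
        if cmd[1] == ("skip",):
            return cmd[2], store
        c1, s = step(cmd[1], store)
        return ("seq", c1, cmd[2]), s
    if tag == "if":
        return (cmd[2] if eval_expr(cmd[1], store) else cmd[3]), store
    if tag == "run":   # read integer from the store, decode to syntax, execute it
        return decode(store[cmd[1]]), store
    raise ValueError(cmd)

def run_bounded(cmd, store, n):
    """Final store of a completed execution of n or fewer steps, else None."""
    for _ in range(n):
        if cmd == ("skip",):
            return store
        cmd, store = step(cmd, store)
    return store if cmd == ("skip",) else None

def triple_holds(pre, cmd, post, n, stores):
    # step-indexed reading of {pre} cmd {post} on sample stores: every completed
    # execution of <= n steps from a pre-store ends in a post-store (partial correctness)
    finals = [run_bounded(cmd, s, n) for s in stores if pre(s)]
    return all(post(f) for f in finals if f is not None)

# Constructed square-root search by recursion through the store ("Landin's knot"):
#   x := quote(if i*i = m then skip else (i := i+1; run x)); i := 0; run x
BODY = ("if", ("eq", ("mul", ("var", "i"), ("var", "i")), ("var", "m")), ("skip",),
        ("seq", ("assign", "i", ("add", ("var", "i"), ("int", 1))), ("run", "x")))
SQRT = ("seq", ("assign", "x", ("quote", BODY)),
        ("seq", ("assign", "i", ("int", 0)), ("run", "x")))
def is_pre(s):  return s["m"] >= 0
def is_post(s): return s["i"] * s["i"] == s["m"]
```

For m = 5 the search never completes, so the triple holds vacuously for every step bound; the logic is one of partial correctness.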

Main judgement used in proofs:

If these triples hold for executions of n - 1 steps or fewer, then this triple holds for executions of n steps or fewer.

Soundness of proof rules

Suppose that (1)

Need to prove that

So let be such that in n steps or fewer.

We must have where

To finish we can apply (1) to the suffix, which has length n - 1.

Soundness of proof rules

Proof is by induction on the length of the execution sequence. Define: (roughly, "C and D work correctly for n steps")

Inductive step requires proving

Give or take some fiddling with variables, the premise says this!

Summary

Explained an existing Hoare logic for reasoning about a minimal language with HOS
- this logic has some disagreeable aspects, stemming from the unnecessary use of domain theory

Gave a simpler alternative construction which addresses these issues: "Get a better logic for less work"
1. Semantic setup, and thus soundness proofs, are simple
2. Proof rules do not have inexplicable side-conditions
3. Non-deterministic program statements are supported
4. Testing syntactic equality between commands is permitted

The End