C-stylelanguageswithanenvironmentandaheap,writingdownasimilarcondition - PDF document

C-stylelanguageswithanenvironmentandaheap,writingdownasimilarconditionwouldrequireboththeenvironmentandtheheap,whereastheseparationlogicdenitionsusuallyonlyuseheaps.EvenNeelakantanKrishnaswamietal.[10],thoughusinganML-stylelanguage,explicitlysaythattheypermitdanglingpointersaslongasthepointersthemselvesarewelltyped.Notethat,iftryingtorelatethesemanticsofcapsuleswith,say,amoretraditionalsemanticsusingclosuresandaheap,thecapsuleenvironmentbehaveslikeaheapratherthanlikeanenvironmentinthetraditionalsense[7].Theoriginalworkonseparationlogic,summarizedbyReynolds[21],usesanimperative,C-styleprogramminglan-guagewithlow-levelcommandsandalreadygivesaproofofaversionoftheframerule.OurworkismostcloselyrelatedtoworkbyKrishnaswami,Birkedal,AldrichandReynolds[9],[10],whogiveasep-arationlogicforML.However,oursystemallowsmutablevariablesinthestyleofLISP,whereastheirsusesexplicitreferencesallocatedinanexplicitheap.Birkedal,Torp-SmithandYang[3]alsostudytheframeruleinthecontextofahigher-orderlanguage,idealizedAlgolextendedwithheaps,buttheirstackvariablesareimmutableaswell.Therehasbeensomeworkonso-calledhigher-orderstores[2],[19],[22],wheresomecodecanbestoredinaheapcell.Becauseany-abstractionscanbestoredintheenvironment,andexecutingsomeofthemcanhaveside-effects,oursetupnaturallysupportshigher-orderstores.II.CAPSULEDEFINITIONSInthissectionwebrieyreviewthedenitionofcapsulesandtheirsemanticsfrom[8].A.SyntaxExpressionsExp=fd;e;a;b;:::gcontainbothfunctionalandimperativefeatures.Thereisanunlimitedsupplyofvariablesx;y;z;:::ofall(simple)types,aswellasconstantsf;c;:::forprimitivevalues.()istheonlyconstantoftypeunit,andtrueandfalsearetheonlytwoconstantsoftypebool.Intheexamples,0;1;2;:::arepredenedconstantsoftypeint.Inaddition,therearefunctionalfeatures-abstractionx:eapplication(de),imperativefeaturesassignmentx:=ecompositiond;econditionalifbthendelseewhileloopwhilebdoe,anddenedexpressionsletx=dine(x:e)dletrecx=dineletx=ainx:=d;ewhereaisanyexpressionoftheappropriatetype.Thetech-niqueforformationofrecursivefunctionsinthelastdenitionisknownasLandin'sknot.LetVarbethesetofvariables,Constthesetofconstants,and-Absthesetof-abstractions.Givenanexpressione,letFV(e)denotethesetoffreevariablesofe.Givenapartialfunctionh:Var*VarsuchthatFV(e)domh,leth(e)betheexpressionewhereeveryinstanceofafreevariablex2FV(e)hasbeenreplacedbythevariableh(x).Thush:Exp*Expistheuniquehomomorphicextensionofh:Var*Var.Giventwopartialfunctionsgandh,ghdenotestheircomposition:gh(x)=g(h(x)).Givenafunctionh,wewriteh[x=v]thefunctionsuchthath[x=v](y)=h(y)fory6=xandh[x=v](x)=v.Givenanexpressione,wewritee[x=y]fortheexpressionewithysubstitutedforallfreeoccurrencesofx.Types;;:::areordinarysimpletypesbuiltinductivelyfromanunspeciedfamilyofbasetypes,includingatleastunitandbool,andtheusualfunctiontypeconstructor!.Allconstantscofthelanguagehaveatypetype(c);byconvention,weusecforaconstantofabasetypeandfforaconstantofafunctionaltype.�isatypeenvironment,apartialfunctionVar*Type.Asisstandard,wewrite�;x:forthetypingenvironment�wherexhasbeenboundorreboundto.Thetypingrulesarestandard:�`c:iftype(c)=�;x:`x:�;x:`e: �`x:e:!�`d:!�`e: �`(de):�`x:�`e: �`x:=e:unit�`d:unit�`e: �`d;e:�`b:bool�`d:�`e: �`ifbthendelsee:�`b:bool�`e:unit �`whilebdoe:unitHenceforthalltheexpressionsweconsiderwillbeassumedtobewell-typedwithrespecttotheserules.Anexpressionisirreducibleifitiseitheraconstantora-abstraction.Notethatvariablesarenotirreducible.LetIrred=Const+-Absdenotethesetofirreducibleterms.(Theseareoftencalledvaluesinthe-calculusliterature,butweavoidthisterminologyherebecauseitismisleading,astheyarenotvaluesintheintuitivesense.)Acapsuleenvironmentisapartialfunction:Var*Irredsatisfyingthefollowingclosurecondition:8x2domFV((x))dom:Thissaysthatallfreevariablesappearinginexpressions(x)mustalsobeboundtoanexpression.Thusfreevariablesarenotreallyfree;everyvariableineitheroccursinthescopeofaorisboundbytoanexpression.Theremaybecircularities;thisenablesarepresentationofrecursivefunctions.TheclosureofasetAdomwithrespectto,denotedcl(A),isthesmallestsetBcontainingAsuchthatifx2BthenFV((x))B.Itisthedomainoftheleast-dened Denition(1)saysthatifthepreconditionPholdsoftheinputstateandtheevaluationofhe;iterminatesnormally,thentheoutputstatesatisesthepostconditionQ.ThisisthenaiveinterpretationusedintraditionalformsofHoarelogic.Alternatively,theversionpreferredintheliteratureonseparationlogicwouldbe(2),thedifferencebeingthatthepreconditionPmustensurethattheevaluationofhe;icannotterminateabnormally.Reynolds'sversion[21]isactuallyslightlyweaker,using(B0)insteadof(B):fPgefQg,8(A))(B0)^(C)(3)However,thedifferenceisinconsequential:iffPgefQgholdsinthesenseof(3)butnot(2),thenthereexistsavariablex2FV(e)�domforsomesatisfyingP,andconsequentlyx2FV(e)�cl(FV(P));butby(B0),xcanneverbereferencedorassignedintheevaluationofhe;i.ThusthepresenceorabsenceofxinthedomainofaffectsneitherthetruthofPnortheevaluationofhe;i.Butthereisamuchmoreimportantbenetto(2)over(3).Considerthemetastatement(B)FV(e)FV(P).Aconsequenceof(2)isthat(A)implies(B)forall.IfPissatisableatall,saybysome,then(B)musthold,sincevariablesindomnotoccurringfreeinPcanberenamed(byan-conversionofthesecondkind—seexII-A)withoutaffectingthetruthofP.Thus(2)holdswith(B)inplaceof(B).Moreover,since(B)isindependentof,assumingPissatisableatall,(2)isequivalenttothedenitionfPgefQg,(B)^(8(A))(C))(4)Notethat,unlike(B)and(B0),thecondition(B)issyntacticallycheckable,thussuitableasasideconditioninaruleofinference.Ifwelike,wemayremovethecondition(B)inthedenitionoffPgefQgandinsteadintroduceitasasideconditionintheframerule.However,canitbeeliminatedentirely?Thatis,istheformulation(1)sound?WeshowinxIV-Dthatitisnot.Infact,evenonlyslightlyweakerformsofthesidecondition(B)donotsufceforsoundness.IV.CAPSULESANDSEPARATIONLOGICA.DenitionsHereisoursemanticsforseparationlogicintermsofcapsules.Callclosedenvironmentsandindependentandwrite?iftheirdomainsaredisjoint.Dene+tobethejoinofand,providedtheyareindependent.Thatis,(+)(x)=8�&#x]TJ ;� -1;.93; Td;&#x [00;:(x);ifx2dom;(x);ifx2dom;undened;otherwise.Deneseparatingconjunctionbyj=PQifthereexist1and2suchthat=1+2,1j=P,and2j=Q.Deneseparatingimplicationbyj=P�Qif+j=Qwheneverj=Pand+exists.Itiseasilyseenthatcapsuleenvironmentsformaseparationalgebrainthesenseof[5]underthesedenitions.Thatis,thestructure(fcapsuleenvironmentsg;+;?)isacancellativepartialcommutativemonoid.Thismeansthat+isacommutativeandassociativepartialbinaryoperationwithidentity?satisfyingthecancellativeproperty:thepartialfunction+isinjectiveineachvariable.Therelation?holdsifandonlyif+isdened.Itfollowsfromresultsof[5]thatseparatingconjunctionandseparatingimplication�satisfytheusualintuitionisticrelationship:ForallclosedsuchthatFV(P)[FV(Q)[FV(R)dom,j=(PQ)�R,j=P�(Q�R):Otheraxiomsofseparationlogicmentionedin[21]arealsoeasilychecked:(P_Q)R,(PR)_(QR)(P^Q)R)(PR)^(QR)(9xP)Q,9x(PQ)(x62FV(Q))(8xP)Q)8x(PQ)(x62FV(Q)):B.TheFrameRuleThesoundnessoftheframerulewasrstprovedin[24]fortheheapmodelofcomputation.Ourproofisessentiallythesameastheonegivenin[21],butsomewhatshorterduetothesimplicationsaffordedbycapsulesemantics.Lemma4.1:Ifhe;1+2i!he;iandFV(e)dom1(thatis,he;1iisacapsule),thenforsome1,he;1i!he;1iand=1+2.Proof:Byinductiononthederivation.Noneofthesmall-stepevaluationruleslistedinxII-Baccessanyvariableoutsidethedomainof1exceptforfreshvariablesintroducedintheapplicationrule.Inparticular,theenvironment2isnottouchedduringtheevaluation. Theorem4.2:Undercapsulesemantics,theframerulefPgefQg fPRgefQRgissoundwithrespecttodenition(2)or(4)ofpartialcorrectnessassertions.Equivalently,theframeruleissoundwithrespecttodenition(1)ofpartialcorrectnessassertionsinthepresenceofthesideconditionFV(e)FV(P).Proof:AsarguedinxIII,inallcaseswecanassumeFV(e)FV(P).SupposefPgefQg.Letj=PR.Then=1+2with1j=Pand2j=R.ThenFV(R)dom2andFV(e)FV(P)dom1,thereforehe;1iis Thepremisefg(0)=2gefg(0)=2gholds,asdoesthesidecondition(B2),sinceAV(e)=fgg=FV(P):However,theconclusiondoesnot.Wehavej=g(0)=2f()=3;where=1+2,dom1=fgg,dom2=ffg,1j=g(0)=2,and2j=f()=3.However,afterexecutionoftheprograme,theresultingenvironmentbindsgtoatermcontainingafreeoccurrenceoff,sogandfcannotbeseparated. V.CONCLUSIONANDFUTUREWORKWeweremotivatedtoundertakethisstudyinresponsetoananonymousreviewof[8]claimingthatcapsules“contradicttheinsightsofseparationlogic,whichhasbeenextensivelyresearchedforthelastdecade.”Wehopethatwehavecon-vincedthereaderthatthereisnocontradictionwhatsoever—infactquitetheopposite!Capsulesprovideanovelperspectiveonseparationlogic,becausetheycapturethesamelocalityandpersistencestructureastraditionalheapmodels,butinasimpler,moremathematicallytractableframework.Wefeelthatthishasgreatpotentialforenhancingtheunderstandingofseparationbyfocusingontheessentials.Inthefuture,wewouldliketoinvestigateotherstructuresthathaveariseninthestudyofseparationlogicinthisframework.Inparticular,higher-orderseparationlogic[1]proposestousethemuchmorepowerfulhigher-orderlogicinpredicates.NestedHoaretriples[22]areaneatideatospecifycodestoredintheheap.Theanti-framerule[17],[23]presentsawayofmodelinghiddenstate.Finally,wewouldliketostudytheconcurrencyrule[13]inthecontextofcapsules.ACKNOWLEDGMENTSWewouldliketothankNeelakantanKrishnaswamiforsuggestingthatwelookattherelationbetweencapsulesandseparationlogicafterattendingapresentationof[7].WewouldalsoliketothankMarkBickford,BobConstable,andFranc¸oisPottierformanyusefuldiscussions.REFERENCES[1]B.Biering,L.Birkedal,andN.Torp-Smith,“BI-hyperdoctrines,higher-orderseparationlogic,andabstraction,”ACMTrans.Program.Lang.Syst.,vol.29,August2007.[Online].Available:http://doi.acm.org/10.1145/1275497.1275499[2]L.Birkedal,B.Reus,J.Schwinghammer,andH.Yang,“Asimplemodelofseparationlogicforhigher-orderstore,”inProceedingsofthe35thinternationalcolloquiumonAutomata,LanguagesandProgramming,PartII,ser.ICALP'08.Berlin,Heidelberg:Springer-Verlag,2008,pp.348–360.[Online].Available:http://dx.doi.org/10.1007/978-3-540-70583-3 29[3]L.Birkedal,N.Torp-Smith,andH.Yang,“Semanticsofseparation-logictypingandhigher-orderframerulesforalgol-likelanguages,”CoRR,vol.abs/cs/0610081,2006.[4]R.Bornat,C.Calcagno,andH.Yang,“Variablesasresourceinsepara-tionlogic,”inProc.21stConf.Math.Found.ProgrammingSemantics,2005,pp.247–276.[5]C.Calcagno,P.W.O'Hearn,andH.Yang,“Localactionandabstractseparationlogic,”inProc.22ndAnnualIEEESymp.LogicinComputerScience(LICS07).IEEE,2007,pp.366–378.[6]S.S.IshtiaqandP.W.O'Hearn,“Biasanassertionlanguageformutabledatastructures,”inProceedingsofthe28thACMSIGPLAN-SIGACTsymposiumonPrinciplesofprogramminglanguages,ser.POPL'01.NewYork,NY,USA:ACM,2001,pp.14–26.[Online].Available:http://doi.acm.org/10.1145/360204.375719[7]J.-B.Jeannin,“Capsulesandclosures,”inProc.27thConf.Math.Found.ProgrammingSemantics(MFPSXXVII),M.MisloveandJ.Ouaknine,Eds.Pittsburgh,PA:ElsevierElectronicNotesinTheoreticalComputerScience,May2011.[8]J.-B.JeanninandD.Kozen,“Computingwithcapsules,”ComputingandInformationScience,CornellUniversity,Tech.Rep.http://hdl.handle.net/1813/22082,January2011.[9]N.R.Krishnaswami,“Verifyinghigher-orderimperativeprogramswithhigher-orderseparationlogic,”Ph.D.dissertation,CarnegieMellonUni-versity,2010.[10]N.R.Krishnaswami,L.Birkedal,J.Aldrich,andJ.C.Reynolds,“IdealizedMLanditsseparationlogic,”http://www.cs.cmu.edu/neelk/,2007.[11]I.MasonandC.Talcott,“Axiomatizingoperationalequivalenceinthepresenceofsideeffects,”inFourthAnnualSymposiumonLogicinComputerScience.IEEE.IEEEComputerSocietyPress,1989,pp.284–293.[12]J.McCarthy,“HistoryofLISP,”inHistoryofprogramminglanguagesI,R.L.Wexelblat,Ed.ACM,1981,pp.173–185.[13]P.W.O'Hearn,“Resources,concurrencyandlocalreasoning,”Theoret-icalComputerScience,vol.375,no.1-3,pp.271–307,May2007.[14]P.W.O'Hearn,J.C.Reynolds,andH.Yang,“Localreasoningaboutprogramsthatalterdatastructures,”inProceedingsofthe15thInternationalWorkshoponComputerScienceLogic,ser.CSL'01.London,UK:Springer-Verlag,2001,pp.1–19.[Online].Available:http://dl.acm.org/citation.cfm?id=647851.737404[15]M.Parkinson,R.Bornat,andC.Calcagno,“Variablesasresourceinhoarelogics,”inProceedingsofthe21stAnnualIEEESymposiumonLogicinComputerScience.Washington,DC,USA:IEEEComputerSociety,2006,pp.137–146.[Online].Available:http://dl.acm.org/citation.cfm?id=1157735.1158051[16]M.J.ParkinsonandG.M.Bierman,“Separationlogic,abstractionandinheritance,”inProceedingsofthe35thannualACMSIGPLAN-SIGACTsymposiumonPrinciplesofprogramminglanguages,ser.POPL'08.NewYork,NY,USA:ACM,2008,pp.75–86.[Online].Available:http://doi.acm.org/10.1145/1328438.1328451[17]F.Pottier,“Hidinglocalstateindirectstyle:ahigher-orderanti-framerule,”inTwenty-ThirdAnnualIEEESymposiumonLogicInComputerScience(LICS'08),Pittsburgh,Pennsylvania,Jun.2008,pp.331–340.[18]——,2012,privatecommunication.[19]B.ReusandJ.Schwinghammer,“Separationlogicforhigher-orderstore,”inInProc.CSL.Springer,2006,pp.575–590.[20]J.C.Reynolds,“Intuitionisticreasoningaboutsharedmutabledatastructures,”inMillennialPerspectivesinComputerScience,J.Davies,B.Roscoe,andJ.Woodcock,Eds.Palgrave,2000,pp.303–321.[21]——,“Separationlogic:Alogicforsharedmutabledatastructures,”inProc.17thIEEESymp.LogicinComputerScience(LICS'02).IEEE,2002,pp.55–74.[22]J.Schwinghammer,L.Birkedal,B.Reus,andH.Yang,“NestedHoaretriplesandframerulesforhigher-orderstore,”inInProceedingsofthe18thEACSLAnnualConferenceonComputerScienceLogic,2009.[23]J.Schwinghammer,H.Yang,L.Birkedal,F.Pottier,andB.Reus,“Asemanticfoundationforhiddenstate,”inFOSSACS,2010,pp.2–17.[24]H.YangandP.W.O'Hearn,“Asemanticbasisforlocalreasoning,”inProc.5thFoundationsofSoftwareScienceandComputationStructures(FOSSACS02),ser.LectureNotesinComputerScience,M.NielsenandU.Engberg,Eds.,vol.2303.Springer-Verlag,2002,pp.402–416.