Decorated semantics for an imperative language with exceptions
Dominique Duval, with Jean-Guillaume Dumas, Burak Ekici, Damien Pous and Jean-Claude Reynaud
Work in progress
GdT Plume, ENS Lyon, 21 March 2016
The language IMP-EX

Syntax
Arithmetic expressions: a ::= 0 | 1 | −1 | 2 | −2 | ... | ℓ_1 | ℓ_2 | ... | a + a | a − a | a × a
Boolean expressions: b ::= true | false | ¬b | b ∧ b | b ∨ b | a = a | a > a
Commands: c ::= skip | c ; c | ℓ_i := a | if (b) then (c) else (c) | while (b) do (c) | throw (exn_i) | try (c) catch (exn_i ⇒ c)
Programs: pg ::= c ; return (a) | c ; return (b)

Semantics
Denotational: in the category of sets and partial functions
Operational: small-step, big-step
Predicate transformer semantics, ...
Theorem: “All semantics for IMP-EX coincide”.
Aims and tools

Aims.
◮ Design a “kind of” equational logic L, close to the syntax, for reasoning about imperative programs with exceptions.
◮ Translate the syntax of IMP-EX into the logic L.
◮ Prove properties of programs of IMP-EX in the logic L.
◮ Implement this proof system in Coq.

Tools.
◮ [Moggi 1989] “effects as monads”. Terms of type B with a parameter of type A are not interpreted by morphisms from A to B but by morphisms from A to T(B) for some monad T.
◮ Here, more generally, “effects as functors”. Terms of type B with a parameter of type A are not interpreted by morphisms from A to B but by morphisms from H(A) to H(B) for some functor H.
Outline
Logic and categories

◮ Syntax and equational semantics: a theory Th (a category with a congruence ≡) generated by a signature and equations.
◮ Denotational semantics: a model M : Th → C (a functor mapping ≡ to =) where C is “given by mathematics” (e.g., C = Set or C = Part).

(Diagram: in the theory Th, the equation 1 + 2 ≡ 3; the model M sends it to the equality 1 + 2 = 3 in the category C.)

Soundness: granted
Remark: usually structured categories and functors
Decorated logic: theories and models

Simply “enlarge” the previous diagram:

(Diagram: a chain of theories Th_0 ⊆ Th_1 ⊆ ... ⊆ Th_n with models M_0 : Th_0 → C_0, M_1 : Th_1 → C_1, ..., M_n : Th_n → C_n, and functors H_1 : C_0 → C_1, H_2 : C_1 → C_2, ..., H_n : C_{n−1} → C_n.)

where the functor Th_{i−1} ⊆ Th_i
◮ is the identity on objects
◮ preserves ≡ and is “≡-faithful”: for all f, g : X → Y in Th_{i−1}, f ≡ g in Th_{i−1} ⇔ f ≡ g in Th_i

Decoration of terms (notation): f^(d) iff f ∈ Th_d
Conversions: f^(d) ⇒ f^(d+1)

Soundness: if each H_i is faithful
Full image

The full image of a functor H : C_{i−1} → C_i is the category im(H) with:
◮ the same objects as C_{i−1}
◮ an arrow f : X → Y for each f : H(X) → H(Y) in C_i.

(Diagram: Th_{i−1} ⊆ Th_i, with models M_{i−1} : Th_{i−1} → C_{i−1} and M_i : Th_i → im(H); an arrow X → Y of Th_{i−1} is sent to an arrow X → Y in C_{i−1}, and an arrow X → Y of Th_i to an arrow X → Y in im(H), i.e. to an arrow HX → HY in C_i.)

Soundness: if H is faithful
Kleisli category

The Kleisli category of a monad T : C → C is the category C_T with:
◮ the same objects as C
◮ an arrow f : X → Y for each f : X → T(Y) in C.

(Diagram: Th_{i−1} ⊆ Th_i ⊆ Th_{i+1}, with models M_{i−1} : Th_{i−1} → C, M_i : Th_i → C_T and M_{i+1} : Th_{i+1} → im(T); an arrow X → Y of Th_{i−1} is sent to an arrow X → Y in C, an arrow X → Y of Th_i to an arrow X → TY in C, and an arrow X → Y of Th_{i+1} to an arrow TX → TY in C.)

Soundness: if each component of the unit η : Id ⇒ T is mono
Decorated logic: decorated equations

Notation: f • g = g ∘ f when • —f→ • —g→ •

In each theory:
◮ a congruence ≡ :
  – equivalence relation between parallel terms
  – compatible with composition: g_1 ≡ g_2 ⇒ f • g_1 • h ≡ f • g_2 • h
◮ a weak congruence ∼ (or several):
  – extends ≡
  – preorder relation between parallel terms
  – “sometimes” symmetry
  – “sometimes” substitution: g_1 ∼ g_2 ⇒ f • g_1 ∼ f • g_2
  – “sometimes” replacement: g_1 ∼ g_2 ⇒ g_1 • h ∼ g_2 • h
Outline
The language XS-IMP

Syntax
Expressions:
  a ::= 0 | 1 | −1 | 2 | −2 | ... | ℓ | s(a) | p(a)
  b ::= true | false | ¬b | a = 0 | a > 0
  e ::= a | b
Commands: c ::= skip | c ; c | ℓ := a
Programs: pg ::= c ; return (e)

Restrictions (easy to remove):
◮ only one location ℓ
◮ no binary operation on expressions

Later:
◮ exceptions, conditionals, loops
Decorated logic for states

Comonad D(X) = S × X

(Diagram: Th_0 ⊆ Th_1 ⊆ Th_2; an arrow X → Y of Th_0 is interpreted as a function X → Y, an arrow X → Y of Th_1 as S × X → Y, and an arrow X → Y of Th_2 as S × X → S × Y.)

Weak equations f_1 ∼st f_2 : X → Y are interpreted as:
  f_1 • ε_Y = f_2 • ε_Y : S × X → Y
(Diagram: f_1, f_2 : S × X → S × Y followed by the counit ε_Y : S × Y → Y.)

∼st satisfies substitution and pure replacement:
  g_1 ∼st g_2 ⇒ f • g_1 • h^(0) ∼st f • g_2 • h^(0)
Pure operations and equations

The pure theory Th_0 contains:
◮ sorts 1, A, B
◮ operations 0, 1, −1, ... : 1 → A, s, p : A → A, true, false : 1 → B, not : B → B, null?, pos? : A → B
◮ equations s(0) ≡ 1, p(0) ≡ −1, ..., s • p ≡ id_A, p • s ≡ id_A, true • not ≡ false, ...

M_0 : Th_0 → Set interprets A as the set A of integers, B as the set B of truth values, etc.
Operations and equations for states

In Set: a set of states S with (here) S ≅ A, denoted x ↔ x

Then Th_1 and Th_2 are generated from Th_0 by two operations:
  lookup^(1) : 1 → A, interpreted as lookup : S → A, x ↦ x
  update^(2) : A → 1, interpreted as update : S × A → S, (x, y) ↦ y

one weak equation:
  update • lookup ∼st id_A, interpreted as update • lookup = ε_A : (x, y) ↦ y ↦ y

and decorated rules...
Translation

Expressions: e ↦ e^(1) : 1 → Expr (where Expr is A or B)
◮ 0, 1, ... ↦ 0^(0), 1^(0), ... ; true, false ↦ true^(0), false^(0)
◮ s(a) ↦ a • s^(0), p(a) ↦ a • p^(0), ¬b ↦ b • not^(0), ...
◮ ℓ ↦ lookup^(1)

Commands: c ↦ c^(2) : 1 → 1
◮ skip ↦ id_1^(0)
◮ c_1 ; c_2 ↦ c_1 • c_2
◮ ℓ := a ↦ a • update^(2)

Programs: pg ↦ pg^(2) : 1 → Expr
◮ c ; return (e) ↦ c • e
Forward semantics

Given a program pg^(2) : 1 → Expr, find a result rs^(0) : 1 → Expr such that pg ∼st rs.

This means that pg : S → S × Expr and rs : 1 → Expr satisfy:
  pg(s) = (s′, rs(x)) for some s′
(Diagram: pg : S → S × Expr followed by ε_Expr equals ε_1 : S → 1 followed by rs : 1 → Expr.)

This requires an initialization of the state and the derived strong equation: for each u^(0) : 1 → A,
  u • update • lookup ≡ u • update • u

Method:
◮ first ≡ is used inductively, by replacement
◮ until finally ∼st can be used, by pure replacement

This corresponds to an operational semantics.
Forward semantics: an example

Initialization: ℓ := u^(0) for any u^(0) : 1 → A

The given program is ℓ := u ; ℓ := s(ℓ) ; return (p(ℓ)), translated as:
  pg^(2) = u^(0) • update^(2) • lookup^(1) • s^(0) • update^(2) • lookup^(1) • p^(0)

  u • update • lookup • s • update • lookup • p
  ≡ u • update • u • s • update • lookup • p
  ≡ u • update • u • s • update • u • s • p
  ≡ u • update • u • s • update • u
  ∼st id_1 • u

Conclusion: pg^(2) ∼st rs^(0) where rs^(0) = u. The result is u.
Backward semantics

Given a program pg = c ; return (post) : 1 → Expr, find an expression pre : 1 → Expr such that pg ∼st return (pre).

This means that c, post and pre satisfy:
  post(c(s)) = pre(s)
(Diagram: c^(2) : S → S followed by post^(1) : S → Expr equals pre^(1) : S → Expr followed by id^(0) : Expr → Expr.)

This requires only the weak equation:
  update • lookup ∼st id_A

Method:
◮ ∼st is used inductively, by substitution and pure replacement
◮ until finally ≡ is used for simplifying pure terms

When Expr = B this corresponds to a weakest precondition semantics (here with a restricted language for conditions).
Backward semantics: an example

The given program is ℓ := s(ℓ) ; ℓ := s(ℓ) ; return (p(ℓ)), translated as:
  pg^(2) = lookup^(1) • s^(0) • update^(2) • lookup^(1) • s^(0) • update^(2) • lookup^(1) • p^(0)

  lookup • s • update • lookup • s • update • lookup • p
  ∼st lookup • s • update • lookup • s • id • p
  ∼st lookup • s • id • s • id • p
  ≡ lookup • s

Conclusion: pg^(2) ∼st lookup • s^(0). The “pre-expression” is s(ℓ).
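The forward and backward examples above, checked in a toy model of the decorated terms in Set with the state comonad D(X) = S × X. This is an added example, not code from the slides or from the authors' Coq development; the function names, the finite sample of states and the encoding of a term of any decoration as a function (state, x) ↦ (state′, y) are my own choices.

```python
# Added example (not from the slides): a toy model in Set of decorated
# terms of XS-IMP with the state comonad D(X) = S x X, S = Z.
# A term f : X -> Y of any decoration is run as (state, x) -> (state', y);
# pure terms keep the state, accessors read it, modifiers replace it.
from itertools import product

# Pure theory Th_0 (decoration 0): successor and predecessor on A.
def s(st, x): return st, x + 1          # s : A -> A
def p(st, x): return st, x - 1          # p : A -> A

def lookup(st, _unit): return st, st    # lookup^(1) : 1 -> A, reads the state
def update(st, y): return y, ()         # update^(2) : A -> 1, writes the state
def ident(st, x): return st, x          # id_A^(0)

def const(u):
    """u^(0) : 1 -> A, a pure constant (the initialization value)."""
    return lambda st, _unit: (st, u)

def seq(*fs):
    """Diagrammatic composition f1 • f2 • ... (f1 runs first)."""
    def run(st, x):
        for f in fs:
            st, x = f(st, x)
        return st, x
    return run

STATES = range(-5, 6)   # constructed finite sample of states

def weakly_equal(f, g, inputs):
    """f ~st g : equal after the counit eps_Y, i.e. same value for
    every state, while the resulting states may differ."""
    return all(f(st, x)[1] == g(st, x)[1]
               for st, x in product(STATES, inputs))

def strongly_equal(f, g, inputs):
    """f ≡ g : same resulting state and same value."""
    return all(f(st, x) == g(st, x) for st, x in product(STATES, inputs))

# Forward example: l := u ; l := s(l) ; return(p(l)), result rs = u.
def forward_program(u):
    return seq(const(u), update, lookup, s, update, lookup, p)

# Backward example: l := s(l) ; l := s(l) ; return(p(l)),
# pre-expression s(l) = lookup • s.
backward_program = seq(lookup, s, update, lookup, s, update, lookup, p)
pre_expression = seq(lookup, s)
```

The checks on a finite sample of states illustrate the two equations (update • lookup ∼st id_A holds while update • lookup ≡ id_A fails, since the state changes); they are not a proof, which is what the decorated logic is for.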
Outline
The language XS-IMP-EX

Syntax
Expressions: as in XS-IMP
Commands: c ::= skip | c ; c | ℓ := a | throw | try (c) catch (c)
Programs: pg ::= c ; return (e)

Restriction (easy to remove):
◮ only one exception name (thus, omitted)