Separation logic

◮ Just a bastard child of BI (Pym, O'Hearn).
◮ $E \mapsto E'$ (points to) is permission to read/write/dispose the cell at heap address $E$ with contents $E'$.
◮ $\mapsto$ can also be read as ownership and/or a heap predicate.
◮ $\mathit{emp}$ is no permission.
◮ $A \star B$ (star) is separation of resource.
◮ $A \wedge B$ (and) is identity of resource.
◮ $A \wedge (B \star \mathit{true})$ is all $A$, partly $B$.
Framing, hence small axioms

The frame rule:

$$\frac{\{Q\}\;C\;\{R\}}{\{P \star Q\}\;C\;\{P \star R\}}\qquad(\mathit{modifies}\,C \cap \mathit{vars}\,P = \emptyset)$$

The small axioms:

$\{R[E/x]\}\;x := E\;\{R\}$

$\{x \mapsto \_\}\;[x] := E\;\{x \mapsto E\}$

$\{E' \mapsto E\}\;x := [E']\;\{E' \mapsto E \wedge x = E\}$ ($x$ not free in $E$, $E'$)

$\{\mathit{emp}\}\;x := \mathbf{new}(E)\;\{x \mapsto E\}$

$\{E \mapsto \_\}\;\mathbf{dispose}\;E\;\{\mathit{emp}\}$
Concurrency rules

The disjoint-concurrency rule:

$$\frac{\{Q_1\}\;C_1\;\{R_1\}\quad\cdots\quad\{Q_n\}\;C_n\;\{R_n\}}{\{Q_1 \star \cdots \star Q_n\}\;(C_1 \parallel \cdots \parallel C_n)\;\{R_1 \star \cdots \star R_n\}}\qquad(\text{non-interference of variables})$$

The conditional critical region (CCR) rule, with $I_r$ the invariant of resource $r$:

$$\frac{\{(Q \star I_r) \wedge B\}\;C\;\{R \star I_r\}}{\{Q\}\;\mathbf{with}\;r\;\mathbf{when}\;B\;\mathbf{do}\;C\;\mathbf{od}\;\{R\}}$$

◮ Both proved sound by Brookes.
◮ A version of the CCR rule covers semaphores, in which $C$ is either $m := m + 1$ or $m := m - 1$.
The ownership trick (O'Hearn 2002)

resource-bundle $r$: Vars $\mathit{full}$, $b$; $\mathit{full} := \mathit{false}$;
Invariant $I_r$: $(\mathit{full} \wedge b \mapsto \_) \vee (\neg\mathit{full} \wedge \mathit{emp})$

The two processes below run in parallel; the cell allocated by the left one passes through the resource invariant to the right one, which disposes it.

Left process:

$\{\mathit{emp}\}$
$x := \mathbf{new}();$
$\{x \mapsto \_\}$
$\mathbf{with}\;r\;\mathbf{when}\;\neg\mathit{full}\;\mathbf{do}$
    $\{\neg\mathit{full} \wedge \mathit{emp} \star x \mapsto \_\}$
    $b := x;$
    $\{\neg\mathit{full} \wedge \mathit{emp} \star x \mapsto \_ \wedge b = x\}$
    $\mathit{full} := \mathit{true}$
    $\{\mathit{full} \wedge b \mapsto \_ \star \mathit{emp}\}$
$\mathbf{od}$
$\{\mathit{emp}\}$

Right process:

$\{\mathit{emp}\}$
$\mathbf{with}\;r\;\mathbf{when}\;\mathit{full}\;\mathbf{do}$
    $\{\mathit{full} \wedge b \mapsto \_ \star \mathit{emp}\}$
    $y := b;$
    $\{\mathit{full} \wedge b \mapsto \_ \star \mathit{emp} \wedge y = b\}$
    $\mathit{full} := \mathit{false}$
    $\{\neg\mathit{full} \wedge \mathit{emp} \star y \mapsto \_\}$
$\mathbf{od};$
$\{y \mapsto \_\}$
$\mathbf{dispose}\;y$
$\{\mathit{emp}\}$
Passivity

◮ Passivity is a property of a program and a resource: the program doesn't change the contents of the resource.
◮ We want to specify passivity by specifying a read-only resource.
◮ We require that a program, given a read-only resource, cannot change its contents.
Splitting and sharing

◮ Since Dijkstra, we have known that we can safely share read-only resources.
◮ Total permission $E \mapsto E'$, given by $\mathbf{new}$, allows read/write/dispose.
◮ Concurrent read permissions must be ($\star$) separable, because of the concurrency rule.
Accounting

◮ Splitting into multiple read permissions is easy.
◮ To write or dispose we have to know when we have all the read permissions back.
◮ A program which doesn't keep account leaks resource.
Boyland's suggestion: $\frac{1}{2} + \frac{1}{2} = 1$

◮ Boyland (Wisconsin) developed a means of permission accounting in disjoint concurrency, dealing with variables and heap locations.
◮ He associates a number $z$ with each permission: $z = 1$ total; $0 < z < 1$ read-only.
◮ Fractional permissions are specification-only (cf. types).
◮ In practice the arithmetic is very easy: fractions are simpler to use than (e.g.) sets of binary trees.
◮ The magnitude of non-integral fractions doesn't matter, except as a matter of accounting.
A fractional model (Calcagno, O'Hearn)

◮ Heaps are partial maps from $\mathbb{N}$ to (int, fraction). (Previously $\mathbb{N}$ to int.)
◮ A simpler model, with just read / total permissions, fails to account and doesn't have the frame property.
Proof theory

$$E \mapsto_z E' \;\Rightarrow\; 0 < z \le 1$$

$$E \mapsto_{z+z'} E' \wedge z > 0 \wedge z' > 0 \;\Leftrightarrow\; E \mapsto_z E' \star E \mapsto_{z'} E'$$

The small axioms with fractions (write and dispose need total permission; read needs any fraction):

$\{R[E/x]\}\;x := E\;\{R\}$

$\{E' \mapsto_1 \_\}\;[E'] := E\;\{E' \mapsto_1 E\}$

$\{E' \mapsto_z E\}\;x := [E']\;\{E' \mapsto_z E \wedge x = E\}$ ($x$ not free in $E$, $E'$)

$\{\mathit{emp}\}\;x := \mathbf{new}(E)\;\{x \mapsto_1 E\}$

$\{E \mapsto_1 \_\}\;\mathbf{dispose}\;E\;\{\mathit{emp}\}$

◮ Not (yet) proved sound by Brookes. (But surely ...)
Proof

$\{\mathit{emp}\}$
$x := \mathbf{new}();$
$\{x \mapsto_1 \_\}$
$[x] := 1;$
$\{x \mapsto_1 1\}$
$\therefore \{x \mapsto_{0.5} 1 \star x \mapsto_{0.5} 1\}$

Left process, in parallel with the right:

    $\{x \mapsto_{0.5} 1\}$
    $y := [x]$
    $\{x \mapsto_{0.5} 1 \wedge y = 1\}$

Right process:

    $\{x \mapsto_{0.5} 1\}$
    $z := [x] + 1$
    $\{x \mapsto_{0.5} 1 \wedge z = 2\}$

After the parallel composition:

$\{(x \mapsto_{0.5} 1 \wedge y = 1) \star (x \mapsto_{0.5} 1 \wedge z = 2)\}$
$\therefore \{x \mapsto_1 1 \wedge y = 1 \wedge z = 2\}$
$\mathbf{dispose}\;x$
$\{\mathit{emp} \wedge y = 1 \wedge z = 2\}$

◮ That is exactly how hard it is to use fractional permissions.
UnProof

$\{\mathit{emp}\}$
$x := \mathbf{new}();$
$\{x \mapsto_1 \_\}$
$[x] := 1;$
$\{x \mapsto_1 1\}$
$\therefore \{x \mapsto_{0.5} 1 \star x \mapsto_{0.5} 1\}$

Left process, in parallel with the right:

    $\{x \mapsto_{0.5} 1\}$
    $y := [x];$
    $\{x \mapsto_{0.5} 1 \wedge y = 1\}$
    $z := [x] + 1;$
    $\{??\}$
    $[x] := y + z$
    $\{??\}$

Right process:

    $\{x \mapsto_{0.5} 1\}$
    $[x] := 2;$
    $\{??\}$
    $\mathbf{dispose}\;x$
    $\{??\}$

The right process holds only half permission for $x$, so neither $[x] := 2$ nor $\mathbf{dispose}\;x$ matches an axiom: the proof cannot proceed past those points, and the left process's later read and write are likewise unprovable.
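An executable model of the fractional heap, added here as an illustration; it is not code from the talk nor from Calcagno and O'Hearn's model, and the names `Heap`, `AccountingError`, `proof`, `unproof`, `ownership_trick` and `over_accounting_rejected` are my own. Heaps are partial maps from address to (contents, fraction), as on the model slide; `star` is defined only when shared addresses agree on contents and the fractions sum to at most 1, `split` is the right-to-left direction of the $\mapsto_{z+z'}$ equivalence on the proof-theory slide, and `read`, `write` and `dispose` check the side conditions of the small axioms. `proof()` replays the Proof slide, `unproof()` shows where the UnProof slide gets stuck, and `ownership_trick()` replays the ownership-transfer slide (a cell moving from one process through the resource to another, which in this model is just a split at $z = 1$ followed by a star).

```python
"""Executable model of permission accounting in a fractional heap (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from fractions import Fraction


class AccountingError(Exception):
    """Raised when a heap operation lacks the permission its axiom requires."""


@dataclass
class Heap:
    """Partial map addr -> (contents, z) with 0 < z <= 1.

    The model is linear: after split() use only the heaps it returns.
    z is specification-only bookkeeping; it never changes the contents.
    """
    cells: dict[int, tuple[int, Fraction]] = field(default_factory=dict)

    def perm(self, addr: int) -> Fraction:
        return self.cells[addr][1] if addr in self.cells else Fraction(0)

    def new(self, value: int = 0) -> int:
        """{emp} x := new(E) {x |->_1 E}: fresh address, total permission."""
        addr = max(self.cells, default=-1) + 1
        self.cells[addr] = (value, Fraction(1))
        return addr

    def read(self, addr: int) -> int:
        """{E' |->_z E} x := [E'] {E' |->_z E ^ x = E}: any z > 0 will do."""
        if self.perm(addr) <= 0:
            raise AccountingError(f"read of {addr} with no permission")
        return self.cells[addr][0]

    def write(self, addr: int, value: int) -> None:
        """{E' |->_1 _} [E'] := E {E' |->_1 E}: total permission required."""
        if self.perm(addr) != 1:
            raise AccountingError(f"write to {addr} needs permission 1, have {self.perm(addr)}")
        self.cells[addr] = (value, Fraction(1))

    def dispose(self, addr: int) -> None:
        """{E |->_1 _} dispose E {emp}: total permission required."""
        if self.perm(addr) != 1:
            raise AccountingError(f"dispose of {addr} needs permission 1, have {self.perm(addr)}")
        del self.cells[addr]

    def split(self, addr: int, z: Fraction) -> tuple[Heap, Heap]:
        """E |->_{z+z'} E'  =>  E |->_z E' * E |->_{z'} E'  (z' may be 0: whole cell moves)."""
        value, have = self.cells[addr]
        if not 0 < z <= have:
            raise AccountingError(f"cannot split {have} of {addr} into {z} and {have - z}")
        part = Heap({addr: (value, z)})
        rest = Heap({a: c for a, c in self.cells.items() if a != addr})
        if have > z:
            rest.cells[addr] = (value, have - z)
        return part, rest

    def star(self, other: Heap) -> Heap:
        """h * h': defined only if shared addresses agree and z + z' <= 1."""
        joined = dict(self.cells)
        for addr, (value, z) in other.cells.items():
            if addr in joined:
                value0, z0 = joined[addr]
                if value0 != value:
                    raise AccountingError(f"star undefined: {addr} holds {value0} and {value}")
                if z0 + z > 1:
                    raise AccountingError(f"star undefined: {addr} would have permission {z0 + z}")
                joined[addr] = (value, z0 + z)
            else:
                joined[addr] = (value, z)
        return Heap(joined)


def proof() -> tuple[int, int, bool]:
    """The Proof slide: two half-permission readers, rejoin, dispose."""
    h = Heap()
    x = h.new()
    h.write(x, 1)                                  # {x |->_1 1}
    left, right = h.split(x, Fraction(1, 2))       # {x |->_.5 1 * x |->_.5 1}
    y = left.read(x)                               # left:  y := [x]
    z = right.read(x) + 1                          # right: z := [x] + 1
    h = left.star(right)                           # {x |->_1 1 ^ y = 1 ^ z = 2}
    h.dispose(x)                                   # {emp ^ y = 1 ^ z = 2}
    return y, z, h.cells == {}


def unproof() -> str:
    """The UnProof slide: the right process tries [x] := 2 on half permission."""
    h = Heap()
    x = h.new()
    h.write(x, 1)
    left, right = h.split(x, Fraction(1, 2))
    left.read(x)                                   # left: y := [x] is fine
    try:
        right.write(x, 2)                          # right: [x] := 2 is not
    except AccountingError as err:
        return str(err)
    return "write accepted"


def ownership_trick() -> tuple[dict, dict, dict]:
    """The ownership-trick slide: the cell moves producer -> resource -> consumer."""
    producer, resource, consumer = Heap(), Heap(), Heap()
    x = producer.new()                             # {x |-> _} held by producer
    cell, producer = producer.split(x, Fraction(1))  # with r when !full do b := x; full := true
    resource = resource.star(cell)                 # invariant now full ^ b |-> _
    cell, resource = resource.split(x, Fraction(1))  # with r when full do y := b; full := false
    consumer = consumer.star(cell)                 # {y |-> _} held by consumer
    consumer.dispose(x)                            # dispose y  ->  {emp}
    return producer.cells, resource.cells, consumer.cells


def over_accounting_rejected() -> bool:
    """Three half permissions on one cell cannot be starred: 1/2 + 1/2 + 1/2 > 1."""
    half = Fraction(1, 2)
    a, b, c = (Heap({0: (7, half)}) for _ in range(3))
    try:
        a.star(b).star(c)
    except AccountingError:
        return True
    return False
```

Running `proof()` gives `(1, 2, True)`, `unproof()` stops at the write with the message that address 0 needs permission 1 but only 1/2 is held, and `ownership_trick()` ends with all three heaps empty, so nothing leaked. The last function is the accounting check the Accounting slide asks for: a program that hands out more fractions than it owns is caught at the star, not silently.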
Passivity and fractions

Termination Monotonicity: if $C$ must terminate normally in $h$ and $h \star h'$ is defined, then $C$ must terminate normally in $h \star h'$.

◮ We can prove termination monotonicity for all commands in our language.
◮ Suppose $\{10 \mapsto_{0.5} N\}\;C\;\{10 \mapsto_{0.5} N + 1\}$, and it terminates.