Program contexts (1) Singular program contexts: e | params � E ::= E S | block b � | call f � b where: ◮ block b � associates a block scope variable with its corresponding memory index b ◮ call f � e contains the location of the caller so that it can be restored when f returns ◮ params � b contains the memory indexes of the function parameters
Program contexts (1) Singular program contexts: e | params � E ::= E S | block b � | call f � b where: ◮ block b � associates a block scope variable with its corresponding memory index b ◮ call f � e contains the location of the caller so that it can be restored when f returns ◮ params � b contains the memory indexes of the function parameters Program contexts k are lists of singular program contexts
Program contexts (2) ◮ Program contexts contain the stack: getstack ( E S :: k ) := getstack k getstack ( block b � :: k ) := b :: getstack k getstack (call f � e :: k ) := [ ] getstack (params � b :: k ) := � b + + getstack k
Program contexts (2) ◮ Program contexts contain the stack: getstack ( E S :: k ) := getstack k getstack ( block b � :: k ) := b :: getstack k getstack (call f � e :: k ) := [ ] getstack (params � b :: k ) := � b + + getstack k ◮ Remark: not getstack (call f � e :: k ) := getstack k
States A state S ( k , φ, m ) consists of a program context k , focus φ , and memory m
States A state S ( k , φ, m ) consists of a program context k , focus φ , and memory m We consider the following focuses: ◮ ( d , s ) execution of a statement s in direction d
States A state S ( k , φ, m ) consists of a program context k , focus φ , and memory m We consider the following focuses: ◮ ( d , s ) execution of a statement s in direction d ◮ call f � v calling a function f ( � v )
States A state S ( k , φ, m ) consists of a program context k , focus φ , and memory m We consider the following focuses: ◮ ( d , s ) execution of a statement s in direction d ◮ call f � v calling a function f ( � v ) ◮ return returning from a function
Example The corresponding state is S ( k , φ, m ), where: int *p = NULL ◮ k = [ � ; goto l , l: x 0 := int 10 ; � , if (p) block b j � , if ( load x 0 ) return � , return int j = 10 l : � , x 0 := NULL ; � , ; block b p � p = &j goto l ] ◮ φ = ( ր , x 1 := x 0 ) ◮ m = { b p �→ ptr b j , b j �→ 10 }
The small step semantics Some rules: ◮ S ( k , ( ց , e 1 := e 2 ) , m ) � S ( k , ( ր , e 1 := e 2 ) , m [ a := v ]) for a and v s.t. [ [ e 1 ] ] k , m = ptr a , [ [ e 2 ] ] k , m = v and m a � = ⊥ .
The small step semantics Some rules: ◮ S ( k , ( ց , e 1 := e 2 ) , m ) � S ( k , ( ր , e 1 := e 2 ) , m [ a := v ]) for a and v s.t. [ [ e 1 ] ] k , m = ptr a , [ [ e 2 ] ] k , m = v and m a � = ⊥ . ◮ S ( k , ( ց , s 1 ; s 2 ) , m ) � S (( � ; s 2 ) :: k , ( ց , s 1 ) , m )
The small step semantics Some rules: ◮ S ( k , ( ց , e 1 := e 2 ) , m ) � S ( k , ( ր , e 1 := e 2 ) , m [ a := v ]) for a and v s.t. [ [ e 1 ] ] k , m = ptr a , [ [ e 2 ] ] k , m = v and m a � = ⊥ . ◮ S ( k , ( ց , s 1 ; s 2 ) , m ) � S (( � ; s 2 ) :: k , ( ց , s 1 ) , m ) ◮ S (( � ; s 2 ) :: k , ( ր , s 1 ) , m ) � S (( s 1 ; � ) :: k , ( ց , s 2 ) , m )
The small step semantics Some rules: ◮ S ( k , ( ց , e 1 := e 2 ) , m ) � S ( k , ( ր , e 1 := e 2 ) , m [ a := v ]) for a and v s.t. [ [ e 1 ] ] k , m = ptr a , [ [ e 2 ] ] k , m = v and m a � = ⊥ . ◮ S ( k , ( ց , s 1 ; s 2 ) , m ) � S (( � ; s 2 ) :: k , ( ց , s 1 ) , m ) ◮ S (( � ; s 2 ) :: k , ( ր , s 1 ) , m ) � S (( s 1 ; � ) :: k , ( ց , s 2 ) , m ) ◮ S (( s 1 ; � ) :: k , ( ր , s 2 ) , m ) � S ( k , ( ր , s 1 ; s 2 ) , m )
The small step semantics Some rules: ◮ S ( k , ( ց , e 1 := e 2 ) , m ) � S ( k , ( ր , e 1 := e 2 ) , m [ a := v ]) for a and v s.t. [ [ e 1 ] ] k , m = ptr a , [ [ e 2 ] ] k , m = v and m a � = ⊥ . ◮ S ( k , ( ց , s 1 ; s 2 ) , m ) � S (( � ; s 2 ) :: k , ( ց , s 1 ) , m ) ◮ S (( � ; s 2 ) :: k , ( ր , s 1 ) , m ) � S (( s 1 ; � ) :: k , ( ց , s 2 ) , m ) ◮ S (( s 1 ; � ) :: k , ( ր , s 2 ) , m ) � S ( k , ( ր , s 1 ; s 2 ) , m ) ◮ S ( k , ( ց , goto l ) , m ) � S ( k , ( � l , goto l ) , m )
The small step semantics Some rules: ◮ S ( k , ( ց , e 1 := e 2 ) , m ) � S ( k , ( ր , e 1 := e 2 ) , m [ a := v ]) for a and v s.t. [ [ e 1 ] ] k , m = ptr a , [ [ e 2 ] ] k , m = v and m a � = ⊥ . ◮ S ( k , ( ց , s 1 ; s 2 ) , m ) � S (( � ; s 2 ) :: k , ( ց , s 1 ) , m ) ◮ S (( � ; s 2 ) :: k , ( ր , s 1 ) , m ) � S (( s 1 ; � ) :: k , ( ց , s 2 ) , m ) ◮ S (( s 1 ; � ) :: k , ( ր , s 2 ) , m ) � S ( k , ( ր , s 1 ; s 2 ) , m ) ◮ S ( k , ( ց , goto l ) , m ) � S ( k , ( � l , goto l ) , m ) ◮ S ( k , ( � l , l : s ) , m ) � S (( l : � ) :: k , ( ց , s ) , m )
The small step semantics Some rules: ◮ S ( k , ( ց , e 1 := e 2 ) , m ) � S ( k , ( ր , e 1 := e 2 ) , m [ a := v ]) for a and v s.t. [ [ e 1 ] ] k , m = ptr a , [ [ e 2 ] ] k , m = v and m a � = ⊥ . ◮ S ( k , ( ց , s 1 ; s 2 ) , m ) � S (( � ; s 2 ) :: k , ( ց , s 1 ) , m ) ◮ S (( � ; s 2 ) :: k , ( ր , s 1 ) , m ) � S (( s 1 ; � ) :: k , ( ց , s 2 ) , m ) ◮ S (( s 1 ; � ) :: k , ( ր , s 2 ) , m ) � S ( k , ( ր , s 1 ; s 2 ) , m ) ◮ S ( k , ( ց , goto l ) , m ) � S ( k , ( � l , goto l ) , m ) ◮ S ( k , ( � l , l : s ) , m ) � S (( l : � ) :: k , ( ց , s ) , m ) ◮ S ( k , ( ց , f ( � e )) , m ) � S (call f � e :: k , call f � v , m ) provided that [ [ e i ] ] k , m = v i for each i
The small step semantics Lemma The small step semantics behaves as traversing through a zipper. That is, if S ( k , ( d , s ) , m ) � ∗ k S ( k , ( d ′ , s ′ ) , m ′ ) then s = s ′ .
Hoare triples Traditional Hoare triples are of the shape { P } s { Q } Intuitive meaning: ◮ If P holds for the state before execution of s , ◮ and execution of s terminates, ◮ then Q will hold afterwards
Extended Hoare ‘triples’ (1) Our Hoare sextuples are of the shape ∆; J ; R ⊢ { P } s { Q }
Extended Hoare ‘triples’ (1) Our Hoare sextuples are of the shape ∆; J ; R ⊢ { P } s { Q } where: ◮ ∆ maps function names to their pre- and postconditions
Extended Hoare ‘triples’ (1) Our Hoare sextuples are of the shape ∆; J ; R ⊢ { P } s { Q } where: ◮ ∆ maps function names to their pre- and postconditions ◮ J maps labels to their jumping condition When executing a goto l , the assertion J l has to hold
Extended Hoare ‘triples’ (1) Our Hoare sextuples are of the shape ∆; J ; R ⊢ { P } s { Q } where: ◮ ∆ maps function names to their pre- and postconditions ◮ J maps labels to their jumping condition When executing a goto l , the assertion J l has to hold ◮ R has to hold to execute a return
Extended Hoare ‘triples’ (2) Our Hoare sextuples are of the shape ∆; J ; R ⊢ { P } s { Q } Observations: ◮ The assertions P , Q , J and R correspond to the four directions ց , ր , � and ↑ ↑
Extended Hoare ‘triples’ (2) Our Hoare sextuples are of the shape ∆; J ; R ⊢ { P } s { Q } Observations: ◮ The assertions P , Q , J and R correspond to the four directions ց , ր , � and ↑ ↑ ◮ We thus treat the sextuple as ∆; ¯ P ⊢ s where ¯ P ց = P , ¯ P ր = Q , ¯ P ( � l ) = J l and ¯ ↑ = R P ↑
Some Hoare rules Weakening: ( ∀ l ∈ labels s . J ′ l → Jl ) ∈ labels s . Jl → J ′ l ) R → R ′ ( ∀ l / P ′ → P Q → Q ′ ∆; J ; R ⊢ { P } s { Q } ∆; J ′ ; R ′ ⊢ { P ′ } s { Q ′ }
Some Hoare rules Weakening: ( ∀ l ∈ labels s . J ′ l → Jl ) ∈ labels s . Jl → J ′ l ) R → R ′ ( ∀ l / P ′ → P Q → Q ′ ∆; J ; R ⊢ { P } s { Q } ∆; J ′ ; R ′ ⊢ { P ′ } s { Q ′ } Composition: ∆; J ; R ⊢ { P } s 1 { P ′ } ∆; J ; R ⊢ { P ′ } s 2 { Q } ∆; J ; R ⊢ { P } s 1 ; s 2 { Q }
Some Hoare rules Weakening: ( ∀ l ∈ labels s . J ′ l → Jl ) ∈ labels s . Jl → J ′ l ) R → R ′ ( ∀ l / P ′ → P Q → Q ′ ∆; J ; R ⊢ { P } s { Q } ∆; J ′ ; R ′ ⊢ { P ′ } s { Q ′ } Composition: ∆; J ; R ⊢ { P } s 1 { P ′ } ∆; J ; R ⊢ { P ′ } s 2 { Q } ∆; J ; R ⊢ { P } s 1 ; s 2 { Q } Non-local control: ∆; J ; R ⊢ { R } return { Q }
Some Hoare rules Weakening: ( ∀ l ∈ labels s . J ′ l → Jl ) ∈ labels s . Jl → J ′ l ) R → R ′ ( ∀ l / P ′ → P Q → Q ′ ∆; J ; R ⊢ { P } s { Q } ∆; J ′ ; R ′ ⊢ { P ′ } s { Q ′ } Composition: ∆; J ; R ⊢ { P } s 1 { P ′ } ∆; J ; R ⊢ { P ′ } s 2 { Q } ∆; J ; R ⊢ { P } s 1 ; s 2 { Q } Non-local control: ∆; J ; R ⊢ { R } return { Q } ∆; J ; R ⊢ { J l } s { Q } ∆; J ; R ⊢ { J l } goto l { Q } ∆; J ; R ⊢ { J l } l : s { Q }
The frame rule Used for local reasoning ∆; J ; R ⊢ { P } s { Q } ∆; J ∗ A ; R ∗ A ⊢ { P ∗ A } s { Q ∗ A }
The frame rule Used for local reasoning ∆; J ; R ⊢ { P } s { Q } ∆; J ∗ A ; R ∗ A ⊢ { P ∗ A } s { Q ∗ A } Using our alternative notation: ∆; ¯ P ⊢ s ∆; ¯ P ∗ A ⊢ s
The block scope variable rule The assertion A ↑ lifts the DeBruijn indexes in A ∆; J ↑ ∗ x 0 �→ -; R ↑ ∗ x 0 �→ - ⊢ { P ↑ ∗ x 0 �→ - } s { Q ↑ ∗ x 0 �→ - } ∆; J ; R ⊢ { P } block s { Q }
The block scope variable rule The assertion A ↑ lifts the DeBruijn indexes in A ∆; J ↑ ∗ x 0 �→ -; R ↑ ∗ x 0 �→ - ⊢ { P ↑ ∗ x 0 �→ - } s { Q ↑ ∗ x 0 �→ - } ∆; J ; R ⊢ { P } block s { Q } Using our alternative notation ∆; ¯ P ↑ ∗ x 0 �→ - ⊢ s ∆; ¯ P ⊢ block s
Example void swap(int *p, int *q) { int z = *p; *p = *q; *q = z; }
Example { x 0 �→ p ∗ x 1 �→ q ∗ p �→ y ∗ q �→ z } block ( x 0 := load ( load x 1 ) ; load x 1 := load ( load x 2 ) ; load x 2 := load x 0 ) { x 0 �→ p ∗ x 1 �→ q ∗ p �→ z ∗ q �→ y }
Example { x 0 �→ p ∗ x 1 �→ q ∗ p �→ y ∗ q �→ z } block ( { x 0 �→ - ∗ x 1 �→ p ∗ x 2 �→ q ∗ p �→ y ∗ q �→ z } x 0 := load ( load x 1 ) ; load x 1 := load ( load x 2 ) ; load x 2 := load x 0 ) { x 0 �→ p ∗ x 1 �→ q ∗ p �→ z ∗ q �→ y }
Example { x 0 �→ p ∗ x 1 �→ q ∗ p �→ y ∗ q �→ z } block ( { x 0 �→ - ∗ x 1 �→ p ∗ x 2 �→ q ∗ p �→ y ∗ q �→ z } x 0 := load ( load x 1 ) ; { x 0 �→ y ∗ x 1 �→ p ∗ x 2 �→ q ∗ p �→ y ∗ q �→ z } load x 1 := load ( load x 2 ) ; load x 2 := load x 0 ) { x 0 �→ p ∗ x 1 �→ q ∗ p �→ z ∗ q �→ y }
Example { x 0 �→ p ∗ x 1 �→ q ∗ p �→ y ∗ q �→ z } block ( { x 0 �→ - ∗ x 1 �→ p ∗ x 2 �→ q ∗ p �→ y ∗ q �→ z } x 0 := load ( load x 1 ) ; { x 0 �→ y ∗ x 1 �→ p ∗ x 2 �→ q ∗ p �→ y ∗ q �→ z } load x 1 := load ( load x 2 ) ; { x 0 �→ y ∗ x 1 �→ p ∗ x 2 �→ q ∗ p �→ z ∗ q �→ z } load x 2 := load x 0 ) { x 0 �→ p ∗ x 1 �→ q ∗ p �→ z ∗ q �→ y }
Example { x 0 �→ p ∗ x 1 �→ q ∗ p �→ y ∗ q �→ z } block ( { x 0 �→ - ∗ x 1 �→ p ∗ x 2 �→ q ∗ p �→ y ∗ q �→ z } x 0 := load ( load x 1 ) ; { x 0 �→ y ∗ x 1 �→ p ∗ x 2 �→ q ∗ p �→ y ∗ q �→ z } load x 1 := load ( load x 2 ) ; { x 0 �→ y ∗ x 1 �→ p ∗ x 2 �→ q ∗ p �→ z ∗ q �→ z } load x 2 := load x 0 { x 0 �→ y ∗ x 1 �→ p ∗ x 2 �→ q ∗ p �→ z ∗ q �→ y } ) { x 0 �→ p ∗ x 1 �→ q ∗ p �→ z ∗ q �→ y }
Soundness of the axiomatic semantics ◮ Define ∆; J ; R � { P } s { Q } in terms of operational semantics
Soundness of the axiomatic semantics ◮ Define ∆; J ; R � { P } s { Q } in terms of operational semantics ◮ Prove ∆; J ; R ⊢ { P } s { Q } implies ∆; J ; R � { P } s { Q }
Soundness of the axiomatic semantics ◮ Define ∆; J ; R � { P } s { Q } in terms of operational semantics ◮ Prove ∆; J ; R ⊢ { P } s { Q } implies ∆; J ; R � { P } s { Q } ◮ Tricky definition of ∆; J ; R � { P } s { Q } because ◮ The frame rule ◮ Undefined behavior ◮ Non-local control ◮ Mutual recursion
Formalization in Coq ◮ Extremely useful for debugging
Formalization in Coq ◮ Extremely useful for debugging ◮ Notations close to those on paper
Formalization in Coq ◮ Extremely useful for debugging ◮ Notations close to those on paper ◮ Also supports while and functions with return values
Formalization in Coq ◮ Extremely useful for debugging ◮ Notations close to those on paper ◮ Also supports while and functions with return values ◮ Axiomatic semantics as derived lemmas instead of inference system
Formalization in Coq ◮ Extremely useful for debugging ◮ Notations close to those on paper ◮ Also supports while and functions with return values ◮ Axiomatic semantics as derived lemmas instead of inference system ◮ Uses lots of automation
Recommend
More recommend
