Results 1  10
of
15
The impact of higherorder state and control effects on local relational reasoning
, 2010
"... Reasoning about program equivalence is one of the oldest problems in semantics. In recent years, useful techniques have been developed, based on bisimulations and logical relations, for reasoning about equivalence in the setting of increasingly realistic languages—languages nearly as complex as ML o ..."
Abstract

Cited by 55 (16 self)
 Add to MetaCart
(Show Context)
Reasoning about program equivalence is one of the oldest problems in semantics. In recent years, useful techniques have been developed, based on bisimulations and logical relations, for reasoning about equivalence in the setting of increasingly realistic languages—languages nearly as complex as ML or Haskell. Much of the recent work in this direction has considered the interesting representation independence principles enabled by the use of local state, but it is also important to understand the principles that powerful features like higherorder state and control effects disable. This latter topic has been broached extensively within the framework of game semantics, resulting in what Abramsky dubbed the “semantic cube”: fully abstract gamesemantic characterizations of various axes in the design space of MLlike languages. But when it comes to reasoning about many actual examples, game semantics does not yet supply a useful technique for proving equivalences. In this paper, we marry the aspirations of the semantic cube to the powerful proof method of stepindexed Kripke logical relations. Building on recent work of Ahmed, Dreyer, and Rossberg, we define the first fully abstract logical relation for an MLlike language with recursive types, abstract types, general references and call/cc. We then show how, under orthogonal restrictions to the expressive power of our language—namely, the restriction to firstorder state and/or the removal of call/cc—we can enhance the proving power of our possibleworlds model in correspondingly orthogonal ways, and we demonstrate this proving power on a range of interesting examples. Central to our story is the use of state transition systems to model the way in which properties of local state evolve over time.
Abstract predicates and mutable ADTs in Hoare type theory
 In Proc. ESOP’07, volume 4421 of LNCS
, 2007
"... Hoare Type Theory (HTT) combines a dependently typed, higherorder language with monadicallyencapsulated, stateful computations. The type system incorporates pre and postconditions, in a fashion similar to Hoare and Separation Logic, so that programmers can modularly specify the requirements and e ..."
Abstract

Cited by 50 (21 self)
 Add to MetaCart
(Show Context)
Hoare Type Theory (HTT) combines a dependently typed, higherorder language with monadicallyencapsulated, stateful computations. The type system incorporates pre and postconditions, in a fashion similar to Hoare and Separation Logic, so that programmers can modularly specify the requirements and effects of computations within types. This paper extends HTT with quantification over abstract predicates (i.e., higherorder logic), thus embedding into HTT the Extended Calculus of Constructions. When combined with the Hoarelike specifications, abstract predicates provide a powerful way to define and encapsulate the invariants of private state; that is, state which may be shared by several functions, but is not accessible to their clients. We demonstrate this power by sketching a number of abstract data types and functions that demand ownership of mutable memory, including an idealized custom memory manager. 1
Nested Hoare triples and frame rules for higherorder store
 In Proceedings of the 18th EACSL Annual Conference on Computer Science Logic
, 2009
"... Abstract. Separation logic is a Hoarestyle logic for reasoning about programs with heapallocated mutable data structures. As a step toward extending separation logic to highlevel languages with MLstyle general (higherorder) storage, we investigate the compatibility of nested Hoare triples with ..."
Abstract

Cited by 34 (16 self)
 Add to MetaCart
Abstract. Separation logic is a Hoarestyle logic for reasoning about programs with heapallocated mutable data structures. As a step toward extending separation logic to highlevel languages with MLstyle general (higherorder) storage, we investigate the compatibility of nested Hoare triples with several variations of higherorder frame rules. The interaction of nested triples and frame rules can be subtle, and the inclusion of certain frame rules is in fact unsound. A particular combination of rules can be shown consistent by means of a Kripke model where worlds live in a recursively defined ultrametric space. The resulting logic allows us to elegantly prove programs involving stored code. In particular, it leads to natural specifications and proofs of invariants required for dealing with recursion through the store. Keywords. Higherorder store, Hoare logic, separation logic, semantics. 1
A Relational Modal Logic for HigherOrder Stateful ADTs
"... The method of logical relations is a classic technique for proving the equivalence of higherorder programs that implement the same observable behavior but employ different internal data representations. Although it was originally studied for pure, strongly normalizing languages like System F, it ha ..."
Abstract

Cited by 22 (12 self)
 Add to MetaCart
(Show Context)
The method of logical relations is a classic technique for proving the equivalence of higherorder programs that implement the same observable behavior but employ different internal data representations. Although it was originally studied for pure, strongly normalizing languages like System F, it has been extended over the past two decades to reason about increasingly realistic languages. In particular, Appel and McAllester’s idea of stepindexing has been used recently to develop syntactic Kripke logical relations for MLlike languages that mix functional and imperative forms of data abstraction. However, while stepindexed models are powerful tools, reasoning with them directly is quite painful, as one is forced to engage in tedious stepindex arithmetic to derive even simple results. In this paper, we propose a logic LADR for equational reasoning about higherorder programs in the presence of existential type abstraction, general recursive types, and higherorder mutable state. LADR exhibits a novel synthesis of features from PlotkinAbadi logic, GödelLöb logic, S4 modal logic, and relational separation logic. Our model of LADR is based on Ahmed, Dreyer, and Rossberg’s stateoftheart stepindexed Kripke logical relation, which was designed to facilitate proofs of representation independence for “statedependent ” ADTs. LADR enables one to express such proofs at a much higher level, without counting steps or reasoning about the subtle, stepstratified construction of possible worlds.
Completeness and Logical Full Abstraction in Modal Logics for Typed Mobile Processes
"... Abstract. We study an extension of HennessyMilner logic for the πcalculus which gives a sound and complete characterisation of representative behavioural preorders and equivalences over typed processes. New connectives are introduced representing actual and hypothetical typed parallel composition ..."
Abstract

Cited by 15 (7 self)
 Add to MetaCart
(Show Context)
Abstract. We study an extension of HennessyMilner logic for the πcalculus which gives a sound and complete characterisation of representative behavioural preorders and equivalences over typed processes. New connectives are introduced representing actual and hypothetical typed parallel composition and hiding. We study three compositional proof systems, characterising the May/Must testing preorders and bisimilarity. The proof systems are uniformly applicable to different type disciplines. Logical axioms distill proof rules for parallel composition studied by Amadio and Dam. We demonstrate the expressiveness of our logic embeddings of program logics for higherorder functions. 1
Program Logics for Sequential HigherOrder Control
"... We introduce a Hoare logic for higherorder functional languages with control operators such as callcc. The key idea is to build the assertion language and proof rules on the basis of types that generalise the standard types for control operators (for ’jumpingto’) with dual types (for ’beingjumpe ..."
Abstract

Cited by 7 (4 self)
 Add to MetaCart
(Show Context)
We introduce a Hoare logic for higherorder functional languages with control operators such as callcc. The key idea is to build the assertion language and proof rules on the basis of types that generalise the standard types for control operators (for ’jumpingto’) with dual types (for ’beingjumpedto’). This enables the assertion language to capture precisely the intensional and extensional effects of jumps by internalising rely/guarantee reasoning, leading to simple proof rules for callbyvalue PCF with callcc and/or nameabstraction. All new operators come with powerful associated axioms. We show that the logic allows specification and reasoning about nontrivial examples of using callcc. The logic matches exactly with the operational semantics of the target language (observational completeness), is relatively complete in Cook’s sense and allows efficient generation of characteristic formulae.
Verifying Generics and Delegates
"... Abstract. Recently, objectoriented languages, such as C ♯ , have been extended with language features prevalent in most functional languages: parametric polymorphism and higherorder functions. In the OO world these are called generics and delegates, respectively. These features allow for greater c ..."
Abstract

Cited by 6 (5 self)
 Add to MetaCart
(Show Context)
Abstract. Recently, objectoriented languages, such as C ♯ , have been extended with language features prevalent in most functional languages: parametric polymorphism and higherorder functions. In the OO world these are called generics and delegates, respectively. These features allow for greater code reuse and reduce the possibilities for runtime errors. However, the combination of these features pushes the language beyond current objectoriented verification techniques. In this paper, we address this by extending a higherorder separation logic with new assertions for reasoning about delegates and variables. We faithfully capture the semantics of C ♯ delegates including their capture of the lvalue of a variable, and that “stack ” variables can live beyond their “scope”. We demonstrate that our logic is sound and illustrate its use by specifying and verifying a series of interesting and challenging examples. 1
Program Logics for Homogeneous MetaProgramming
"... Abstract. A metaprogram is a program that generates or manipulates another program; in homogeneous metaprogramming, a program may generate new parts of, or manipulate, itself. Metaprogramming has been used extensively since macros were introduced to Lisp, yet we have little idea how formally to r ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
(Show Context)
Abstract. A metaprogram is a program that generates or manipulates another program; in homogeneous metaprogramming, a program may generate new parts of, or manipulate, itself. Metaprogramming has been used extensively since macros were introduced to Lisp, yet we have little idea how formally to reason about metaprograms. This paper provides the first program logics for homogeneous metaprogramming – using a variant of MiniML □ e by Davies and Pfenning as underlying metaprogramming language. We show the applicability of our approach by reasoning about example metaprograms from the literature. We also demonstrate that our logics are relatively complete in the sense of Cook, enable the inductive derivation of characteristic formulae, and exactly capture the observational properties induced by the operational semantics. 1
Weak updates and separation logic
"... Separation logic provides a simple but powerful technique for reasoning about lowlevel imperative programs that use shared data structures. Unfortunately, separation logic supports only “strong updates”, in which mutation to a heap location is safe only if a unique reference is owned. This limits t ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
(Show Context)
Separation logic provides a simple but powerful technique for reasoning about lowlevel imperative programs that use shared data structures. Unfortunately, separation logic supports only “strong updates”, in which mutation to a heap location is safe only if a unique reference is owned. This limits the applicability of separation logic when reasoning about the interaction between many highlevel languages (e.g., ML, Java, C#) and lowlevel ones since the highlevel languages do not support strong updates. Instead, they adopt the discipline of “weak updates”, in which there is a global “heap type ” to enforce the invariant of typepreserving heap updates. We present SL w, a logic that extends separation logic with reference types and elegantly reasons about the interaction between strong and weak updates. We describe a semantic framework for reference types, which is used to prove the soundness of SL w. Finally, we show how to extend SL w with concurrency.
Modal Logics for Typed Mobile Processes
"... Abstract. We propose an extension of HennessyMilner logic for the πcalculus which gives sound and complete characterisation of representative behavioural preorder and equivalence over typed processes. New connectives are introduced representing actual and hypothetical typed parallel composition an ..."
Abstract
 Add to MetaCart
(Show Context)
Abstract. We propose an extension of HennessyMilner logic for the πcalculus which gives sound and complete characterisation of representative behavioural preorder and equivalence over typed processes. New connectives are introduced representing actual and hypothetical typed parallel composition and hiding. We study two compositional proof systems, characterising the May/Must testing preorders for infinite processes. The mixture of the two proof systems corresponds to bisimilarity. These proof systems are uniformly usable for different type disciplines. Logical axioms for composition originate from the corresponding proof rules studied by the preceding researchers including Amadio and Dam, allowing elimination of new connectives depending on types. We demonstrate how the use of types facilitates highlevel logical reasoning through examples, including