Semantics of Types for Mutable State
2004
Cited by 55 (5 self)
Proof-carrying code (PCC) is a framework for mechanically verifying the safety of machine language programs. A program that is successfully verified by a PCC system is guaranteed to be safe to execute, but this safety guarantee is contingent upon the correctness of various trusted components. For instance, in traditional PCC systems the trusted computing base includes a large set of low-level typing rules. Foundational PCC systems seek to minimize the size of the trusted computing base. In particular, they eliminate the need to trust complex, low-level type systems by providing machine-checkable proofs of type soundness for real machine languages. In this thesis, I demonstrate the use of logical relations for proving the soundness of type systems for mutable state. Specifically, I focus on type systems that ensure the safe allocation, update, and reuse of memory. For each type in the language, I define logical relations that explain the meaning of the type in terms of the operational semantics of the language. Using this model of types, I prove each typing rule as a lemma. The major contribution is a model of System F with general references — that is, mutable cells that can hold values of any closed type including other references, functions, recursive types, and impredicative quantified types. The model is based on ideas from both possible worlds and the indexed model of Appel and McAllester. I show how the model of mutable references is encoded in higher-order logic. I also show how to construct an indexed possible-worlds model for a von Neumann machine. The latter is used in the Princeton Foundational PCC system to prove type safety for a full-fledged low-level typed assembly language. Finally, I present a semantic model for a region calculus that supports type-invariant references as well as memory reuse.
A bisimulation for type abstraction and recursion
Symposium on Principles of Programming Languages, 2005
Cited by 46 (4 self)
We present a bisimulation method for proving the contextual equivalence of packages in λ-calculus with full existential and recursive types. Unlike traditional logical relations (either semantic or syntactic), our development is “elementary”, using only sets and relations and avoiding advanced machinery such as domain theory, admissibility, and ⊤⊤-closure. Unlike other bisimulations, ours is complete even for existential types. The key idea is to consider sets of relations—instead of just relations—as bisimulations.
L³: A Linear Language with Locations
In Seventh International Conference on Typed Lambda Calculi and Applications, 2005
Cited by 23 (3 self)
We explore foundational typing support for strong updates: updating a memory cell to hold values of unrelated types at different points in time. We present a simple, but expressive type system based upon standard linear logic, one that also enjoys a simple semantic interpretation for types that is closely related to models for spatial logics. The typing
A step-indexed model of substructural state
In: Proc. International Conference on Functional Programming (2005), 78–91
Cited by 18 (5 self)
The concept of a “unique” object arises in many emerging programming languages such as Clean, CQual, Cyclone, TAL, and Vault. In each of these systems, unique objects make it possible to perform operations that would otherwise be prohibited (e.g., deallocating an object) or to ensure that some obligation will be met (e.g., an opened file will be closed). However, different languages provide different interpretations of “uniqueness” and have different rules regarding how unique objects interact with the rest of the language. Our goal is to establish a common model that supports each of these languages, by allowing us to encode and study the interactions of the different forms of uniqueness. The model we provide is based on a substructural variant of the polymorphic λ-calculus, augmented with four kinds of mutable references: unrestricted, relevant, affine, and linear. The language has a natural operational semantics that supports deallocation of references, strong (type-varying) updates, and storage of unique objects in shared references. We establish the strong soundness of the type system by constructing a novel, semantic interpretation of the types.
A theory of indirection via approximation
In POPL, 2010
Cited by 16 (9 self)
Building semantic models that account for various kinds of indirect reference has traditionally been a difficult problem. Indirect reference can appear in many guises, such as heap pointers, higher-order functions, object references, and shared-memory mutexes. We give a general method to construct models containing indirect reference by presenting a “theory of indirection”. Our method can be applied in a wide variety of settings and uses only simple, elementary mathematics. In addition to various forms of indirect reference, the resulting models support powerful features such as impredicative quantification and equirecursion; moreover they are compatible with the kind of powerful substructural accounting required to model (higher-order) separation logic. In contrast to previous work, our model is easy to apply to new settings and has a simple axiomatization, which is complete in the sense that all models of it are isomorphic. Our proofs are machine-checked in Coq.
A Complete Characterization of Observational Equivalence in Polymorphic λ-Calculus with General References
2009
Cited by 16 (2 self)
We give a (sound and complete) characterization of observational equivalence in full polymorphic λ-calculus with existential types and first-class, higher-order references. Our method is syntactic and elementary in the sense that it only employs simple structures such as relations on terms. It is nevertheless powerful enough to prove many interesting equivalences that can and cannot be proved by previous approaches, including the latest work by Ahmed, Dreyer and Rossberg (to appear in POPL 2009).
Verified Software Toolchain
2011
Cited by 11 (0 self)
The software toolchain includes static analyzers to check assertions about programs; optimizing compilers to translate programs to machine language; operating systems and libraries to supply context for programs. Our Verified Software Toolchain verifies with machine-checked proofs that the assertions claimed at the top of the toolchain really hold in the machine-language program, running in the operating-system context, on a weakly-consistent shared-memory machine. Our verification approach is modular, in that proofs about operating systems or concurrency libraries are oblivious of the programming language or machine language, proofs about compilers are oblivious of the program logic used to verify static analyzers, and so on. The approach is scalable, in that each component is verified in the semantic idiom most natural for that component. Finally, the verification is foundational: the trusted base for proofs of observable properties of the machine-language program includes only the operational semantics of the machine language, not the source language, the compiler, the program logic, or any other part of the toolchain—even when these proofs are
Semantic foundations for typed assembly languages
Prog. Languages and Systems (TOPLAS), 2008
Cited by 7 (2 self)
Typed Assembly Languages (TALs) are used to validate the safety of machine-language programs. The Foundational Proof-Carrying Code project seeks to verify the soundness of TALs using the smallest possible set of axioms—the axioms of a suitably expressive logic plus a specification of machine semantics. This paper proposes general semantic foundations that permit modular proofs of the soundness of TALs. These semantic foundations include Typed Machine Language (TML), a type theory for specifying properties of low-level data with powerful and orthogonal type constructors, and Lc, a compositional logic for specifying properties of machine instructions with simplified reasoning about unstructured control flow. Both of these components, whose semantics we specify using higher-order logic, are useful for proving the soundness of TALs. We demonstrate this by using TML and Lc to verify the soundness of a low-level, typed assembly language, LTAL, which is the target of our core-ML-to-Sparc compiler. To prove the soundness of the TML type system we have successfully applied a new approach, that of step-indexed logical relations. This approach provides the first semantic model for a type system with updatable references to values of impredicative quantified types. Both impredicative polymorphism and mutable references are essential when representing function closures in compilers with typed closure conversion, or when compiling objects to simpler typed primitives.
A Step-indexed Semantics of Imperative Objects
Cited by 5 (0 self)
Step-indexed semantic models of types were proposed as an alternative to purely syntactic proofs of type safety using subject reduction. Building on work by Ahmed, Appel and others, we introduce a step-indexed model for the imperative object calculus of Abadi and Cardelli. Providing a semantic account of this calculus using more ‘traditional’, domain-theoretic approaches has proved challenging due to the combination of dynamically allocated objects, higher-order store, and an expressive type system. Here we show that the step-indexed model can interpret a rich type discipline with object types, subtyping, recursive and bounded quantified types in the presence of state.
Constructing Hereditary Worlds Within Worlds
Although they appear unrelated, the type system of the polymorphic λ-calculus with references and the assertions of concurrent separation logic with first-class locks share a critical feature: an unsound contravariant circularity in their naïve semantic model. We developed indirection theory to automatically construct, and cleanly axiomatize, step-indexed approximations to these naïve models, as well as a large number of others [HDA10b]. Unfortunately, the previous axiomatization had a flaw. One is usually only interested in using hereditary predicates: those which are closed under the action of approximation. As previously presented, indirection theory allows non-hereditary predicates to exist in certain parts of the construction. Although not fatal, this flaw requires workarounds that are not entirely obvious to the uninitiated. We correct this flaw by presenting a new axiomatization of indirection theory that only permits hereditary predicates and show that the new interface is sound by constructing a model. The new axiomatization is somewhat more subtle than the previous one, but it retains the same flavor, cleanliness, and metatheoretic properties. In contrast, the new construction is markedly more complex, especially in a mechanized context. Indeed, our Coq mechanization is one of our key contributions, and accordingly we present it in considerable detail.
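The contravariant circularity this abstract refers to, written out as an added illustration in the standard textbook form (this notation is ours, not taken from the paper). In the naïve model a type is a set of values that depends on a world, and a world is a heap typing that assigns a type to each allocated location:

$$\mathit{Type} = \mathit{World} \to \mathcal{P}(\mathit{Val}), \qquad \mathit{World} = \mathit{Loc} \rightharpoonup \mathit{Type}.$$

Substituting one equation into the other puts $\mathit{World}$ to the left of an arrow inside its own definition:

$$\mathit{World} \;\cong\; \mathit{Loc} \rightharpoonup \big(\mathit{World} \to \mathcal{P}(\mathit{Val})\big).$$

No set satisfies this. With even one location $\ell$ and one value $v$, the right-hand side contains a copy of $\mathit{World} \to \{\emptyset, \{v\}\} \cong \mathcal{P}(\mathit{World})$, which by Cantor's theorem is strictly larger than $\mathit{World}$. Step-indexing, and indirection theory as its axiomatization, replaces the single equation by a chain of finite approximations,

$$\mathit{World}_0 = \{\ast\}, \qquad \mathit{World}_{k+1} = \mathit{Loc} \rightharpoonup \big(\mathit{World}_k \to \mathcal{P}(\mathit{Val})\big),$$

with approximation maps $\lfloor\cdot\rfloor_k$ that truncate a world or a predicate to its first $k$ levels. A predicate is hereditary exactly when it is preserved by these maps, which is the closure property the new axiomatization described above builds in rather than leaving to the user.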