Results 1 - 10 of 31
Constructive Design of a Hierarchy of Semantics of a Transition System by Abstract Interpretation
, 2002
Cited by 99 (18 self)
Abstract

We construct a hierarchy of semantics by successive abstract interpretations. Starting from the maximal trace semantics of a transition system, we derive the big-step semantics, termination and nontermination semantics, Plotkin's natural, Smyth's demoniac and Hoare's angelic relational semantics and equivalent nondeterministic denotational semantics (with alternative powerdomains to the Egli-Milner and Smyth constructions), D. Scott's deterministic denotational semantics, the generalized and Dijkstra's conservative/liberal predicate transformer semantics, the generalized/total and Hoare's partial correctness axiomatic semantics and the corresponding proof methods. All the semantics are presented in a uniform fixpoint form and the correspondences between these semantics are established through composable Galois connections, each semantics being formally calculated by abstract interpretation of a more concrete one using Kleene and/or Tarski
Semantics of Types for Mutable State
, 2004
Cited by 55 (5 self)
Abstract

Proof-carrying code (PCC) is a framework for mechanically verifying the safety of machine language programs. A program that is successfully verified by a PCC system is guaranteed to be safe to execute, but this safety guarantee is contingent upon the correctness of various trusted components. For instance, in traditional PCC systems the trusted computing base includes a large set of low-level typing rules. Foundational PCC systems seek to minimize the size of the trusted computing base. In particular, they eliminate the need to trust complex, low-level type systems by providing machine-checkable proofs of type soundness for real machine languages. In this thesis, I demonstrate the use of logical relations for proving the soundness of type systems for mutable state. Specifically, I focus on type systems that ensure the safe allocation, update, and reuse of memory. For each type in the language, I define logical relations that explain the meaning of the type in terms of the operational semantics of the language. Using this model of types, I prove each typing rule as a lemma. The major contribution is a model of System F with general references — that is, mutable cells that can hold values of any closed type including other references, functions, recursive types, and impredicative quantified types. The model is based on ideas from both possible worlds and the indexed model of Appel and McAllester. I show how the model of mutable references is encoded in higher-order logic. I also show how to construct an indexed possible-worlds model for a von Neumann machine. The latter is used in the Princeton Foundational PCC system to prove type safety for a full-fledged low-level typed assembly language. Finally, I present a semantic model for a region calculus that supports type-invariant references as well as memory reuse.
Improvement in a Lazy Context: An Operational Theory for Call-By-Need
 Proc. POPL'99, ACM
, 1999
Cited by 41 (7 self)
Abstract

The semantics presented in this section is essentially Sestoft's "mark 1" abstract machine for laziness [Sestoft 1997]. In that paper, he proves his abstract machine semantics sound and complete with respect to Launchbury's natural semantics, and we will not repeat those proofs here. [Fig. 1. The abstract machine semantics for call-by-need, giving the transition rules (Lookup), (Update), (Unwind), (Subst), (Case), (Branch) and (Letrec) over heap, expression and stack.] Transitions are over configurations consisting of a heap, containing bindings, the expression currently being evaluated, and a stack. The heap is a partial function from variables to terms, and denoted in an identical manner to a coll...
On a monadic semantics for freshness
 THEORETICAL COMPUTER SCIENCE
, 2005
Cited by 26 (7 self)
Abstract

A standard monad of continuations, when constructed with domains in the world of FM-sets [4], is shown to provide a model of dynamic allocation of fresh names that is both simple and useful. In particular, it is used to prove that the powerful facilities for manipulating fresh names and binding operations provided by the “Fresh” series of metalanguages [15,17,18] respect α-equivalence of object-level languages up to meta-level contextual equivalence.
Call-By-Push-Value: A Subsuming Paradigm
 in Proc. TLCA '99
, 1999
Cited by 15 (0 self)
Abstract

Call-by-push-value is a new paradigm that subsumes the call-by-name and call-by-value paradigms, in the following sense: both operational and denotational semantics for those paradigms can be seen as arising, via translations that we will provide, from similar semantics for call-by-push-value. To explain call-by-push-value, we first discuss general operational ideas, especially the distinction between values and computations, using the principle that "a value is, a computation does". Using an example program, we see that the lambda-calculus primitives can be understood as push/pop commands for an operand-stack. We provide operational and denotational semantics for a range of computational effects and show their agreement. We hence obtain semantics for call-by-name and call-by-value, of which some are familiar, some are new and some were known but previously appeared mysterious. 1 Introduction 1.1 Contribution In his invited lecture at POPL '98 [32], Reynolds, surveying over 30 year...
Observational equivalence of 3rd-order Idealized Algol is decidable
 In Proceedings of LICS'02. IEEE
, 2002
Cited by 11 (2 self)
Abstract

We prove that observational equivalence of 3rd-order finitary Idealized Algol (IA) is decidable using Game Semantics. By modelling state explicitly in our games, we show that the denotation of a term M of this fragment of IA (built up from finite base types) is a compactly innocent strategy-with-state, i.e. the strategy is generated by a finite view function f_M. Given any such f_M, we construct a real-time deterministic pushdown automaton (DPDA) that recognizes the complete plays of the knowing-strategy denotation of M. Since such plays characterize observational equivalence, and there is an algorithm for deciding whether any two DPDAs recognize the same language, we obtain a procedure for deciding observational equivalence of 3rd-order finitary IA. This algorithmic representation of program meanings, which is compositional, provides a foundation for model-checking a wide range of behavioural properties of IA and other cognate programming languages. Another result concerns 2nd-order IA with recursion: we show that observational equivalence for this fragment is undecidable.
Operational domain theory and topology of a sequential language
 In Proceedings of the 20th Annual IEEE Symposium on Logic In Computer Science
, 2005
Cited by 10 (6 self)
Abstract

A number of authors have exported domain-theoretic techniques from denotational semantics to the operational study of contextual equivalence and order. We further develop this, and, moreover, we additionally export topological techniques. In particular, we work with an operational notion of compact set and show that total programs with values on certain types are uniformly continuous on compact sets of total elements. We apply this and other conclusions to prove the correctness of nontrivial programs that manipulate infinite data. What is interesting is that the development applies to sequential programming languages, in addition to languages with parallel features.
Semantic foundations for typed assembly languages
 Prog. Languages and Systems (TOPLAS)
, 2008
Cited by 7 (2 self)
Abstract

Typed Assembly Languages (TALs) are used to validate the safety of machine-language programs. The Foundational Proof-Carrying Code project seeks to verify the soundness of TALs using the smallest possible set of axioms—the axioms of a suitably expressive logic plus a specification of machine semantics. This paper proposes general semantic foundations that permit modular proofs of the soundness of TALs. These semantic foundations include Typed Machine Language (TML), a type theory for specifying properties of low-level data with powerful and orthogonal type constructors, and Lc, a compositional logic for specifying properties of machine instructions with simplified reasoning about unstructured control flow. Both of these components, whose semantics we specify using higher-order logic, are useful for proving the soundness of TALs. We demonstrate this by using TML and Lc to verify the soundness of a low-level, typed assembly language, LTAL, which is the target of our core-ML-to-Sparc compiler. To prove the soundness of the TML type system we have successfully applied a new approach, that of step-indexed logical relations. This approach provides the first semantic model for a type system with updatable references to values of impredicative quantified types. Both impredicative polymorphism and mutable references are essential when representing function closures in compilers with typed closure conversion, or when compiling objects to simpler typed primitives.
Programming With Private State
, 2001
Cited by 5 (1 self)
Abstract

In a purely-functional language, reasoning about program equivalence is rather straightforward. However, the inclusion of states and references can complicate such reasoning. The problem is that expressions have the ability to alter the state, and therefore depend on the state for their values. Consequently, we must resort to a notion of contextual equivalence, where equivalence depends on two expressions having the same value no matter what the complete program in which they appear. We consider privatizing state to functions by adding a new function declaration to ML. If the use of references in the state is limited, proving equivalence may not need to go as far as contextual equivalence. We present the operational semantics and type system for the language, as well as a type soundness proof. Finally, we present some examples in the language, as well as its encoding in the Elf programming language.
An approach to deciding observational equivalence of Algol-like languages
 Annals of Pure and Applied Logic
Cited by 4 (1 self)
Abstract

We prove that observational equivalence of third-order finitary (i.e. recursion-free) Idealized Algol (IA) is decidable using Game Semantics. By modelling state explicitly in our games, we show that the denotation of a term M of this fragment of IA is a compactly innocent strategy-with-state, i.e. the strategy is generated by a finite view function f_M. Given any such f_M, we construct a real-time deterministic pushdown automaton (DPDA) that recognizes the complete plays of the knowing-strategy denotation of M. Since such plays characterize observational equivalence, and there is an algorithm for deciding whether any two DPDAs recognize the same language, we obtain a procedure for deciding observational equivalence of third-order finitary IA. Restricted to second-order terms, the DPDA representation cuts down to a deterministic finite automaton; thus our approach gives a new proof of Ghica and McCusker's regular-expression characterization for this fragment. Our algorithmic representation of program meanings, which is compositional, provides a foundation for model-checking a wide range of behavioural properties of IA and other cognate programming languages. Another result concerns second-order IA with full recursion: we show that observational equivalence for this fragment is undecidable. Key words: Algorithmic Game Semantics, Algol-like Languages, Automata Theory, Software Model Checking.