## Local state in Hoare logic for imperative higher-order functions (2007)

Venue: | (not recorded) |

Citations: | 3 - 1 self |

### BibTeX

```bibtex
@INPROCEEDINGS{Yoshida07localstate,
  author    = {Nobuko Yoshida and Kohei Honda and Martin Berger},
  title     = {Local state in Hoare logic for imperative higher-order functions},
  year      = {2007},
  publisher = {Springer}
}
```

### Abstract

We introduce an extension of Hoare logic for imperative higher-order functions with local state. Local state may be generated dynamically and exported outside its scope, may store higher-order functions, and may be used to construct complex shared mutable data structures. The induced behaviour is captured with a first order predicate which asserts reachability of reference names. The logic enjoys a strong match with the semantics of programs, in the sense that valid assertions characterise the standard contextual congruence. We explore the logic’s descriptive and reasoning power with nontrivial programming examples manipulating dynamically generated local state. Axioms for reachability play a central role for reasoning about the examples.

### Citations

1562 | The Definition of Standard ML - Milner, Tofte, et al. - 1990 |
Citation Context: ...t logic leads to a very different model of assertions and judgement, as we have seen in Section 4. Development Framework. The present work proposes a compositional program logic for a core part of ML [2, 26]. Extended ML [38] is a formal development framework for Standard ML. A specification is given by combining a module's signature and algebraic axioms on them. Correctness of an implementation w.r.t. a ...

1360 | An axiomatic basis for computer programming - Hoare - 1973 |
Citation Context: ...6. 5 Judgement and Proof Rules 5.1 Judgement and its Semantics This section introduces judgements and basic proof rules. A judgement consists of a program and a pair of formulae following Hoare [14], augmented with a fresh name called anchor [17–19]. {C} M^{Γ;Δ;α} :u {C′}, which intuitively says: If we evaluate M in the initial state satisfying C, then it terminates with a value, name it u, and ...

891 | A Theory of Objects - Abadi, Cardelli - 1996 |

705 | Separation logic: a logic for shared mutable data structures - Reynolds |
Citation Context: ...ees (m1 ⋆ m2) where the top is also unreachable from the subtrees (u#m_i). τ in tree_τ(x) is an S-expression, such as ((1,2),3), which uniquely determines the shape of a tree. Its use follows Reynolds [37] and is often convenient. We include S-expressions among standard terms in our logical language. For reference, the grammar is given as: τ ::= x | e^Nat | (τ1,τ2). Symbols τ,τ′,... are also used as v...

704 | Types and Programming Languages - Pierce - 2002 |
Citation Context: ...dden from the outside, enhancing modularity through localisation of read/write effects. Consider the following program: Inc def= let x = ref(0) in λ().(x := !x + 1; !x) (1.1) We use standard notation [31]: in particular, ref(M) returns a fresh reference whose content is the value M evaluates to. !x is dereferencing of an imperative variable x. When the anonymous function in Inc is invoked, it incremen...

587 | From system F to typed assembly language - Morrisett, Walker, et al. - 1999 |
Citation Context: ...gical status and their practical use combined with existing tools [7] would be an interesting future research topic. Several recent proposals of safe low-level languages are inspired by ML, including [11, 27, 39]. Since higher-order functions and local state are their central elements, it is interesting to extend the present logic to these languages. Another related interest is validation of library functions...

352 | Simplify: A theorem prover for program checking - Detlefs, Nelson, et al. - 2003 |
Citation Context: ... those involving fresh names and reachability predicate are discussed in the present paper. A further study on axiom systems, their logical status and their practical use combined with existing tools [7] would be an interesting future research topic. Several recent proposals of safe low-level languages are inspired by ML, including [11, 27, 39]. Since higher-order functions and local state are their ...

304 | Introduction to Mathematical Logic - Mendelson - 1987 |
Citation Context: ... actions with side effects. Using typed terms is not strictly necessary but contributes to clarity and understandability. The logical language uses the standard logical connectives and quantification [23]. We include, following [3, 18], quantifications over type variables (X, Y,...). We also use truth T (definable as 1 = 1) and falsity F (which is ¬T). x ≠ y stands for ¬(x = y). The remaining formula...

239 | The Formal Semantics of Programming Languages - Winskel - 1993 |
Citation Context: ...,W〉 | inj_i^{α+β}(V) M,N ::= V | MN | M := N | ref(M) | !M | op(M̃) | πi(M) | 〈M,N〉 | inj_i^{α+β}(V) | if M then M1 else M2 | case M of {inj_i(x_i^{αi}).M_i}_{i∈{1,2}} Above we use the standard notation [12, 31, 43]. The binding is induced in the standard way. Programs are considered up to the corresponding α-equality. The language is identical with the one used in [3], except for the inclusion of a construct fo...

189 | A calculus of mobile processes, parts - Milner, Parrow, et al. - 1992 |
Citation Context: ... consider a family of logical equivalences parameterised by arbitrary aliasing situations. A simple tool for doing so, introduced in [3], is distinction, originating in the semantics of the π-calculus [26]. Definition 2.9 (distinction and identicals) 1. A distinction over ∆, ranged over by D,D′,..., is a type-respecting equivalence over dom(∆). The equivalence classes of a distinction are called iden...

170 | Region-based memory management in Cyclone - Grossman, Morrisett, et al. - 2001 |

162 | Separation and information hiding - O’Hearn, Yang, et al. - 2004 |
Citation Context: ...ework compares and interacts with the reasoning method based on separating connectives by Reynolds, O’Hearn, Bornat and others taking concrete examples. Separation Logic. Reynolds, O’Hearn and others [5, 30, 37] propose, and experiment with, separating conjunction for Hoare logics of aliasing and dynamically generated data structures. As Reynolds shows [37], their conjunction is effective when data structure...

162 | Nominal Logic, A first order theory of names and binding - Pitts |
Citation Context: ...t dynamically allocated data structures we studied in Section 7. Logics for Fresh Names. Freshness of names is recently studied from the viewpoint of formalising binding relations by Pitts and Gabbay [9, 34]; and Miller and Tiu [25]. In the work by Pitts and Gabbay, First-Order Logic is extended with constructs to reason about freshness of names based on the theory of permutations. The key syntactic addi...

145 | A new approach to abstract syntax involving binders - Gabbay, Pitts - 1999 |
Citation Context: ...oted by e1. As an example, if x denotes a starting point of a linked list, x ↩→ y says a reference y occurs in one of the cells reachable from x. In assertions, we often use its negation, written y#x [9, 35], which says one can never reach a reference y starting from x. Later we make precise its semantics and discuss methods for deriving this relation through syntactic axioms. Note that e does not contai...

144 | Semantics of programming languages - Gunter - 1992 |
Citation Context: ...egated to Appendix. 2 A Programming Language 2.1 Syntax and Reduction As our target programming language, we use call-by-value PCF with unit, sums and products, augmented with imperative constructs [12, 31]. Let x,y,... range over an infinite set of variables, often called names. Then types (α,β,...), values (V,W,...) and programs (M,N,...) are given by the following grammar. α,β ::= X | Unit | Bool | N...

125 | A correspondence between ALGOL 60 and Church's lambda-notation - Landin - 1965 |
Citation Context: .... A further example demonstrates the power of combining stored functions and local references. We consider a factorial program which realises a recursion by circular references, an idea due to Landin [21]. circFact def= x := λz. if z = 0 then 1 else z × (!x)(z − 1) This program calculates the factorial of n. But since x is still free in circFact, if a program reads from x and stores it in another vari...

119 | Comparing Object Encodings - Bruce, Cardelli, et al. - 1999 |

110 | Operational reasoning in functions with local state - Pitts, Stark - 1998 |
Citation Context: ...ploited for modular programming. But this distance also causes difficulties in reasoning, since it makes correspondence between programs’ syntactic structures and their behaviours subtle to establish [20, 24, 32, 33]. Program Logic and Local State. This paper proposes a simple extension of Hoare logic for treating higher-order imperative programs with local state. Hoare logic has been highly successful in softwar...

102 | Parametricity and local variables - O’Hearn, Tennent - 2008 |

99 | Toward fully abstract semantics for local variables - Meyer, Sieber - 1988 |
Citation Context: ...ploited for modular programming. But this distance also causes difficulties in reasoning, since it makes correspondence between programs’ syntactic structures and their behaviours subtle to establish [20, 24, 32, 33]. Program Logic and Local State. This paper proposes a simple extension of Hoare logic for treating higher-order imperative programs with local state. Hoare logic has been highly successful in softwar...

89 | An overview of the FLINT/ML compiler - Shao - 1997 |
Citation Context: ...gical status and their practical use combined with existing tools [7] would be an interesting future research topic. Several recent proposals of safe low-level languages are inspired by ML, including [11, 27, 39]. Since higher-order functions and local state are their central elements, it is interesting to extend the present logic to these languages. Another related interest is validation of library functions...

76 | Theories of Programming Languages - Reynolds - 1998 |
Citation Context: ... ref(M), behaves as: First M of type α is evaluated and becomes a value V; then a fresh local reference l of type Ref(α) with initial content V is generated. Then another form of new name generation [24, 36], new x := M in N, behaves as follows: First, M of type α is evaluated; Then, assuming it terminates and becomes a value V, it generates a fresh local reference of type Ref(α) with initial content V ...

74 | Some techniques for proving correctness of programs which alter data structures - Burstall - 1972 |
Citation Context: ... we have w ↩→ x, which contradicts x#w. Axiom 2 (1) is trivial by fv(σ(x)) = ∅. Axiom 2 (2) is by Lemma 4.23 (4), while Axiom 2 (3) is by definition of the name closure. Axiom 2 (4) is by Lemma 4.23 (6). Axiom 2 (5) is by Lemma 4.23 (2) and (3). The proofs of Axiom 3 (1,2) are subsumed by that of Axiom 3 (2) below. Axiom 3 (2) is proved by Proposition 4.24 and the definition of the model of the evalu...

70 | Notes on data structuring - Hoare - 1972 |
Citation Context: ... Reachability Predicate and Logics for Dynamic Data Structures. Assertion-based reasoning methods for dynamically generated mutable data structures have been studied from early days of program logics [15], cf. [3, §10]. Nelson would be the first to use a notion of reachability in this context [28], for reasoning about linearly linked lists via predicate transformers. His predicate is tailored for this...

66 | Proving Pointer Programs in Higher-Order Logic - Mehta, Nipkow - 2005 |
Citation Context: ...recisely relates their reasoning method to our logic, suggesting a rich technical interplay. Higher-Order Logic. Several recent works present mechanisation of Hoare logics in higher-order logics, cf. [8, 22, 29, 41]. While these works do discuss some aspects of local state such as pointer-based data structures, they do not (aim to) offer a direct logical treatment of either ML-like general references or their co...

60 | A proof theory for generic judgments - Miller, Tiu - 2005 |
Citation Context: ... structures we studied in Section 7. Logics for Fresh Names. Freshness of names is recently studied from the viewpoint of formalising binding relations by Pitts and Gabbay [9, 34]; and Miller and Tiu [25]. In the work by Pitts and Gabbay, First-Order Logic is extended with constructs to reason about freshness of names based on the theory of permutations. The key syntactic additions are the (interdefin...

58 | Semantics of separation-logic typing and higher-order frame rules - Birkedal, Torp-Smith, et al. - 2005 |
Citation Context: ...der functions and general data types such as products, sums and polymorphism. Results similar to observational completeness may not have been reported for their logics. Recent work by Birkedal et al. [4] presents a type system for Algol whose types are constructed from formulae of Separation Logic and whose typing is performed by logical entailment, formalised by categorical semantics. Their type ...

55 | Names and Higher-Order Functions - Stark - 1994 |
Citation Context: ...ility involving general data types as well as higher-order functions are introduced and are shown to be effective for reasoning about programming examples which are known to be hard in the literature [24, 32, 33, 40]. 8.2 Related Work. Below we discuss related works, mainly focussing on local state and freshness. Comparisons w.r.t. other elements (e.g. higher-order functions, aliasing, polymorphism) are relegated ...

53 | Verifying reachability invariants of linked structures - Nelson - 1983 |
Citation Context: ...ods for dynamically generated mutable data structures have been studied from early days of program logics [15], cf. [3, §10]. Nelson would be the first to use a notion of reachability in this context [28], for reasoning about linearly linked lists via predicate transformers. His predicate is tailored for this particular data structure, and can be represented by the first-order part of our reachability...

52 | Verification of non-functional programs using interpretations in type theory - Filliâtre - 2003 |
Citation Context: ...recisely relates their reasoning method to our logic, suggesting a rich technical interplay. Higher-Order Logic. Several recent works present mechanisation of Hoare logics in higher-order logics, cf. [8, 22, 29, 41]. While these works do discuss some aspects of local state such as pointer-based data structures, they do not (aim to) offer a direct logical treatment of either ML-like general references or their co...

52 | Certified assembly programming with embedded code pointers - Ni, Shao - 2006 |
Citation Context: ...recisely relates their reasoning method to our logic, suggesting a rich technical interplay. Higher-Order Logic. Several recent works present mechanisation of Hoare logics in higher-order logics, cf. [8, 22, 29, 41]. While these works do discuss some aspects of local state such as pointer-based data structures, they do not (aim to) offer a direct logical treatment of either ML-like general references or their co...

48 | Idealized Algol and its specification logic - Reynolds - 1982 |
Citation Context: ...oted by e1. As an example, if x denotes a starting point of a linked list, x ↩→ y says a reference y occurs in one of the cells reachable from x. In assertions, we often use its negation, written y#x [9, 35], which says one can never reach a reference y starting from x. Later we make precise its semantics and discuss methods for deriving this relation through syntactic axioms. Note that e does not contai...

46 | Small bisimulations for reasoning about higher-order imperative programs - Koutavas, Wand - 2006 |
Citation Context: ...nce and Completeness. Stark and Pitts [32, 33, 40] develop powerful reasoning principles for behavioural equivalences on higher-order functions using operationally based techniques. Koutavas and Wand [20] recently showed a fully abstract bisimulation technique for the untyped version of the language treated in the present work, and applied the techniques to several non-trivial reasoning examples. Thou...

39 | An observationally complete program logic for imperative higher-order frame rules - Honda, Yoshida, et al. - 2005 |
Citation Context: ...3 Assertions for Local State 3.1 A Logical Language The logical language we shall use is that of standard first-order logic with equality [23, § 2.8], extended with assertions for stateful evaluation [18, 19] (for imperative higher-order functions) and quantifications over store content [3] (for aliasing). On this basis we add a first-order predicate which asserts reachability of a reference name from a da...

35 | A spatial logic for concurrency - Cardelli, Caires - 2001 |

35 | Semantics of local variables - O’Hearn, Tennent - 1992 |

32 | Reasoning about local variables with operationally-based logical relations. LICS - Pitts - 1996 |
Citation Context: ...ility involving general data types as well as higher-order functions are introduced and are shown to be effective for reasoning about programming examples which are known to be hard in the literature [24, 32, 33, 40]. 8.2 Related Work. Below we discuss related works, mainly focussing on local state and freshness. Comparisons w.r.t. other elements (e.g. higher-order functions, aliasing, polymorphism) are relegated ...

27 | Local reasoning, separation and aliasing - Bornat, Calcagno, et al. - 2004 |
Citation Context: ...es scale to more complex data structures. We treat directed acyclic graphs, or dags, which allow more sharing than trees. This example is treated as one of the benchmark examples by Bornat and others [5]. A dag has the same type as Tree, but its specification is more liberal. Again using S-expressions, dag_τ(x) asserts x is a dag whose leaves are labelled as τ. The base case dag_n(x) is the same as...

26 | A compositional logic for polymorphic higher-order functions - Honda, Yoshida - 2004 |
Citation Context: ...3 Assertions for Local State 3.1 A Logical Language The logical language we shall use is that of standard first-order logic with equality [23, § 2.8], extended with assertions for stateful evaluation [18, 19] (for imperative higher-order functions) and quantifications over store content [3] (for aliasing). On this basis we add a first-order predicate which asserts reachability of a reference name from a da...

18 | From process logic to program logic - Honda - 2004 |
Citation Context: ... to reach desired judgement in the present logic (cf. § 7) demand syntactic axioms which go much beyond number theory: some of the useful axioms for higher-order functions and aliasing are studied in [3, 17, 19], while those involving fresh names and reachability predicate are discussed in the present paper. A further study on axiom systems, their logical status and their practical use combined with existing...

14 | Hoare logic for mutual recursion and local variables - Oheimb |

13 | Thoughts on a Larch/ML and a new application for LP - Wing, Rollins, et al. - 1993 |
Citation Context: ...fication is given by combining a module's signature and algebraic axioms on them. Correctness of an implementation w.r.t. a specification is verified by incremental syntactic transformations. Larch/ML [42] is a design proposal of a Larch-based interface language for ML. Integration of typing and interface specification is the main focus of the proposal in [42]. These two works do not (aim to) offer a pr...

9 | A logical analysis of aliasing for higher-order imperative functions - Berger, Honda, et al. - 2007 |
Citation Context: ...Above we use the standard notation [12, 31, 43]. The binding is induced in the standard way. Programs are considered up to the corresponding α-equality. The language is identical with the one used in [3], except for the inclusion of a construct for reference generation. Constants (c,c′,...) include the unit (), natural numbers n, booleans b (either truth t or false f), and locations (l,l′,...). L...

5 | Specifying the Semantics of while Programs: A Tutorial and Critique of a Paper by Hoare and Lauer - Greif, Meyer - 1981 |
Citation Context: ...link with standard observational semantics in that assertions distinguish programs’ behaviour just as the contextual behavioural equivalence does. As already stressed in the context of Hoare logics [10, 16], this property, observational completeness, is important when, for example, we wish to use compositional program logics together with other mathematical tools based on a firm semantic basis. On the b...

5 | Axiomatic semantics of Pascal - Hoare, Wirth - 1979 |
Citation Context: ...ules, starting from the conclusion to find the premise (“backward reasoning”). Note also [NewVar] is essentially identical with the original proof rule for new variable declaration by Hoare and Wirth [13] except adding the condition for unreachability. In Section 2, we discussed interplay between freshness and locality. In particular, we asked how ref(M), combined with let, can commute with new x := M ...

3 | Program specification and development in Standard ML - Sannella, Tarlecki - 1985 |
Citation Context: ...ry different model of assertions and judgement, as we have seen in Section 4. Development Framework. The present work proposes a compositional program logic for a core part of ML [2, 26]. Extended ML [38] is a formal development framework for Standard ML. A specification is given by combining a module's signature and algebraic axioms on them. Correctness of an implementation w.r.t. a specification is v...

1 | Simple type-theoretic foundations for object-oriented programming - Pierce, Turner - 1993 |