## A theory of indirection via approximation (2010)

Venue: IN POPL

Citations: 16 (9 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Hobor10atheory,
  author    = {Aquinas Hobor and Robert Dockins and Andrew W. Appel},
  title     = {A theory of indirection via approximation},
  booktitle = {IN POPL},
  year      = {2010},
  publisher = {}
}
```

### Abstract

Building semantic models that account for various kinds of indirect reference has traditionally been a difficult problem. Indirect reference can appear in many guises, such as heap pointers, higher-order functions, object references, and shared-memory mutexes. We give a general method to construct models containing indirect reference by presenting a “theory of indirection”. Our method can be applied in a wide variety of settings and uses only simple, elementary mathematics. In addition to various forms of indirect reference, the resulting models support powerful features such as impredicative quantification and equirecursion; moreover they are compatible with the kind of powerful substructural accounting required to model (higher-order) separation logic. In contrast to previous work, our model is easy to apply to new settings and has a simple axiomatization, which is complete in the sense that all models of it are isomorphic. Our proofs are machine-checked in Coq.

### Citations

588 | A syntactic approach to type soundness - Wright, Felleisen - 1994 |
Citation context: ...ctic representations of program text to reason about function calls [CO78]. Syntactic accounts of general references have been studied by Harper [Har94], Harper and Stone [HS97], Wright and Felleisen [WF94], and others. Crary developed TALT, a typed assembly language which had indirection due to both data references and code pointers [Cra03]. Defining Hoare-style logics using syntactic methods is a comm...

249 | Formal certification of a compiler back-end, or: programming a compiler with a proof assistant - Leroy - 2006 |

179 | Resources, concurrency, and local reasoning - O’Hearn |

157 | An Introduction to Substructural Logics - Restall - 2000 |

105 | The Semantics and Proof Theory of the Logic of Bunched Implications, volume 26 of Applied Logic Series - Pym - 2002 |

90 | A Type-Theoretic Interpretation of Standard ML - Harper, Stone - 2000 |
Citation context: ...ers on Hoare logic used syntactic representations of program text to reason about function calls [CO78]. Syntactic accounts of general references have been studied by Harper [Har94], Harper and Stone [HS97], Wright and Felleisen [WF94], and others. Crary developed TALT, a typed assembly language which had indirection due to both data references and code pointers [Cra03]. Defining Hoare-style logics usin...

88 | Toward a foundational typed assembly language - Crary |
Citation context: ...y Harper [Har94], Harper and Stone [HS97], Wright and Felleisen [WF94], and others. Crary developed TALT, a typed assembly language which had indirection due to both data references and code pointers [Cra03]. Defining Hoare-style logics using syntactic methods is a common choice [Sch97, Ohe01, Sch06]. However, even when the Hoare derivations are syntactic, it is nearly ubiquitous in mechanically verified...

84 | Local Action and Abstract Separation Logic - Calcagno, O’Hearn, et al. - 2007 |
Citation context: ... the logic of Bunched Implications (BI). Our Kripke semantics is similar but not identical to those of Pym [Pym02, Chapter 4] and Restall [Res00, Chapter 11]. We take inspiration from Calcagno et al. [COY07], who define structures they call separation algebras (SA), which they use as semantic models of separation logic. The main idea is that SAs define a partial operation ⊕ which combines two “disjoint” ...

69 | State-dependent representation independence - Ahmed, Dreyer, et al. - 2009 |
Citation context: ...oblem domains require predicates to appear in negative positions (the left side of arrows). For example, the recent result of Ahmed et al., which applies step-indexing to reason about data abstraction [ADR09], requires such flexibility. We have defined, on paper and in Coq, a straightforward... [footnote 10: Keeping with our informal style, we will abuse notation by writing [Pα ⇒ X] ψ to mean the substitution of the pr...]

66 | Oracle semantics for concurrent separation logic - Hobor, Appel, et al. - 2008 |
Citation context: ...to modify the techniques to apply to other domains. Hobor et al. applied these techniques to Hoare logics, developing a model for a concurrent separation logic (CSL) with first-class locks and threads [HAZ08]. This model was extremely complex to construct because the substructural accounting was woven throughout the stratification. It was also complex to use, exposing more than fifty axioms. Even then, the...

60 | BI-hyperdoctrines, higher-order separation logic, and abstraction - Biering, Birkedal, et al. |
Citation context: ...esults. To our knowledge, no attempt has yet been made to mechanize this metric space approach. BI Hyperdoctrines. BI hyperdoctrines are category-theoretic models of higher-order bunched implications [BBTS07]. BI hyperdoctrines provide: higher-order logic, the standard BI connectives, recursive definitions, and impredicative quantification. But the published BI-hyperdoctrine model does not appear to suppo...

58 | Semantics of Types for Mutable State - Ahmed - 2004 |
Citation context: ...we will show how to construct the types nat and ref τ. 2.2 General references in von Neumann machines. Modeling a type system with general references for von Neumann machines was solved first by Ahmed [Ahm04], and then later in a more sophisticated way by Appel et al. [AMRV07]. The key is that whereas in the λ-calculus types are based on sets of values, on a von Neumann machine types are based on sets of ...

49 | Verification of Sequential Imperative Programs in Isabelle/HOL - Schirmer - 2006 |

36 | Variables as resource in Hoare logics - Parkinson, Bornat, et al. - 2006 |
Citation context: ... [footnote 8] When defining an SA over O (the local variables), we can either choose to use a trivial SA, or we can choose to define a similar pointwise SA. The second choice leads to a “variables as resources” [PBC06] style of separation logic, whereas the former choice leads to a presentation where local variables are not separated. SAs for other models can be built by using various combinations of products, copr...

33 | A fresh look at separation algebras and share accounting - Dockins, Hobor, et al. - 2009 |
Citation context: ... program syntax. • Support for a stack pointer, and both local and global variables. • Substructural accounting to model separating conjunction, using the sophisticated share models of Dockins et al. [DHA09]. • Byte addressability, along with a requirement that the four bytes of a word-sized lock must not get separated. Thus, the model requires a significant superset of the features provided by the model...

31 | Possible world semantics for general storage in call-by-value - Levy - 2002 |
Citation context: ...rdoctrine model does not appear to support indirection, i.e. the kinds of settings in §2. The techniques used for domain-theoretic models of indirection (e.g. Day’s construction in functor categories [Lev02]) could perhaps be applied to BI hyperdoctrines. Like the domain-theoretic methods, methods based on advanced category theory require a great deal of background in the field to understand and utilize....

28 | Hoare logics for recursive procedures and unbounded nondeterminism - Nipkow - 2002 |
Citation context: ...ous in mechanically verified proofs for the assertion language to be purely semantic; that is, assertions are identified with predicates on program states (perhaps together with other auxiliary data) [Nip02]. In these applications, indirection helps solve problems of indirect reference, especially if one wishes to embed semantic assertions (or types) into program syntax or operational semantics. One coul...

20 | A step-indexed model of substructural state - Ahmed, Fluet, et al. - 2005 |
Citation context: ...odel of memory/heap typings used for general references. 2.4 Substructural state. Ahmed et al. used substructural state to model the uniqueness types found in languages such as Clean, Cyclone, and TAL [AFM05]. Here the intuitive model has two changes: quals ≡ {U, R, A, L}; type ≡ (memtype × quals × value) → T; memtype ≈ address ⇀ quals × type. The quals indicate substructural restrictions: U indicates unres...

20 | A relational modal logic for higher-order stateful ADTs - Dreyer, Neis, et al. - 2010 |
Citation context: ...We have a model proved in Coq (and on paper), but unfortunately it is not as straightforward to construct. We hypothesize that this model could be used to mechanize the recent result of Dreyer et al. [DNRB10]. 11. Limitations of indirection theory. Indirection theory is a powerful technique for those problems to which it applies, but it is worthwhile to examine some limitations. First, indirection theory o...

19 | The category-theoretic solution of recursive metric-space equations - Birkedal, Støvring, et al. |
Citation context: ... “dealing with all the structural morphisms is still awkward” in their system [BKV09]. Ultrametric Spaces. Birkedal et al. solve recursive domain equations using certain classes of ultrametric spaces [BST09]. Their approach is similar in spirit to domain theory, where semantic domains are built in some higher category, but uses a foundation built on metric spaces rather than partially ordered sets. Given...

19 | Analyzing Java in Isabelle/HOL: Formalization, Type Safety and Hoare Logic - Oheimb - 2001 |

19 | Auxiliary variables and recursive procedures - Schreiber - 1997 |

18 | Logical step-indexed logical relations - Dreyer, Ahmed, et al. - 2009 |

18 | Local reasoning for storable locks and threads - Gotsman, Berdine, Rinetzky, Sagiv - 2007 |

18 | Logic for Computable Functions: Description of a Machine Implementation - Milner - 1972 |

17 | An indexed model of impredicative polymorphism and mutable references - Ahmed, Appel, et al. - 2003 | http://www.cs.princeton.edu/~amal/papers/impred.pdf
Citation context: ...ting the original model was a difficult task. 2.1 General references in the λ-calculus. Ahmed et al. constructed the first model of a type system for the polymorphic λ-calculus with general references [AAV03]. Following (1), we want a solution to the pseudoequation memtype ≈ address ⇀ ((memtype × value) → T), which falls neatly into the pattern of pseudoequation (2) with F(X) ≡ address ⇀ X and O ≡ value. By ...

17 | Compiling functional types to relational specifications for low level imperative code - Benton, Tabareau - 2009 |
Citation context: .... However, although indirection theory was designed to dovetail with the VMM, they are in fact orthogonal and either system can be used without the other. After Appel et al., both Benton and Tabareau [BT09] and Ahmed et al. [ADR09] constructed modal models without indirection theory. Indeed, it is possible and useful to build a modal logic even when the setting does not have the contravariant circularit...

14 | Unrestricted procedure calls in Hoare’s logic - Cartwright, Oppen - 1978 |
Citation context: ... Syntactic methods. There is a long history of using syntactic methods to handle indirection. Early papers on Hoare logic used syntactic representations of program text to reason about function calls [CO78]. Syntactic accounts of general references have been studied by Harper [Har94], Harper and Stone [HS97], Wright and Felleisen [WF94], and others. Crary developed TALT, a typed assembly language which ...

14 | Continuous lattices and domains, volume 93 of Encyclopedia of Mathematics and its Applications - Gierz, Hofmann, et al. - 2003 |

12 | Some domain theory and denotational semantics in Coq - Benton, Kennedy, et al. - 2009 |
Citation context: .... Simply building up the required theory takes quite a bit of effort. Many attempts have been made to mechanize domain theory [Mil72, MNOS99, Age06], including a recent effort in Coq by Benton et al. [BKV09]. However, all these systems seem to stop short of developing a full suite of domain theory. For example, we are aware of no mechanization which develops as far as the theory of algebraic bounded-comp...

11 | A very modal model of a modern, major, general type system - Appel, Melliès, et al. (with Jérôme Vouillon) - 2007 |
Citation context: ...eferences in von Neumann machines. Modeling a type system with general references for von Neumann machines was solved first by Ahmed [Ahm04], and then later in a more sophisticated way by Appel et al. [AMRV07]. The key is that whereas in the λ-calculus types are based on sets of values, on a von Neumann machine types are based on sets of register banks. Here is the intuition for a von Neumann machine with ...

10 | Semantic foundations for typed assembly languages - Ahmed, Appel, et al. |

9 | [title not extracted] - Müller, Nipkow, von Oheimb, Slotosch - 1999 |
Citation context: ...red base theory is developed, the tedium of verifying the properties of structured morphisms (e.g., monotonicity, continuity, etc.) can still be a major hurdle. Much of the development effort in HOLCF [MNOS99] was devoted to alleviating this pain, and Benton et al. claim that “dealing with all the structural morphisms is still awkward” in their system [BKV09]. Ultrametric Spaces. Birkedal et al. solve recu...

8 | Separation logic for small-step Cminor - Appel, Blazy |

8 | Domain theory in HOL - Agerholm - 1994 |

6 | Oracle Semantics - Hobor - 2008 |
Citation context: ... et al. developed the first model that combined all these elements, but it was extremely complicated [HAZ08]; later Hobor presented a partially simplified model, which took dozens of pages to explain [Hob08]. Indirection theory can define the model much more easily. kind ≡ VAL + LK + FUN + CT + RES; pred ≡ (rmap × mem × locals × sp × gmap) → T; preds ≡ Σ(A : Type). list (A → pred); res ≡ NO + YES of (kind ×...

6 | A step-indexed semantics of imperative objects - Hriţcu, Schwinghammer - 2009 |
Citation context: ...he von Neumann case, but does not cause any fundamental difficulties. 2.3 Object references. Hriţcu and Schwinghammer modeled general references in the setting of Abadi and Cardelli’s object calculus [HS08]. The object calculus setting introduces a number of new issues: object creation, method updates, and bounded subtyping. To model the storage of methods in the heap, Hriţcu and Schwinghammer would li...

2 | Multimodal separation logic for reasoning about operational semantics - Dockins, Appel, Hobor |
Citation context: ...ing must grow as well. But how do we know that our old locations are still well-typed under the new memory typing? There are several choices; here we follow the “multimodal” pattern of Dockins et al. [DAH08]. A world w is a pair of knot k and other data o. Given a relation R : world → world, define the modal operator □R as usual: □R τ ≡ λw. ∀w′. w R w′ ⇒ τ(w′). (24) We call this setting multimodal b...