## A Generic Complete Dynamic Logic for Reasoning about Purity and Effects


Venue: To appear in Formal Aspects of Computing

Citations: 4 (1 self)

### BibTeX

```bibtex
@MISC{Mossakowski_ageneric,
  author = {Till Mossakowski and Lutz Schröder and Sergey Goncharov},
  title = {A Generic Complete Dynamic Logic for Reasoning about Purity and Effects},
  year = {}
}
```

### Abstract

For a number of programming languages, among them Eiffel, C, Java, and Ruby, Hoare-style logics and dynamic logics have been developed. In these logics, pre- and postconditions are typically formulated using potentially effectful programs. In order to ensure that these pre- and postconditions behave like logical formulae (that is, enjoy some kind of referential transparency), a notion of purity is needed. Here, we introduce a generic framework for reasoning about purity and effects. Effects are modelled abstractly and axiomatically, using Moggi’s idea of encapsulation of effects as monads. We introduce a dynamic logic (from which, as usual, a Hoare logic can be derived) whose logical formulae are pure programs in a strong sense. We formulate a set of proof rules for this logic, and prove it to be complete with respect to a categorical semantics. Using dynamic logic, we then develop a relaxed notion of purity which allows for observationally neutral effects such as writing on newly allocated memory.

### Citations

1422 | An axiomatic basis for computer programming - Hoare - 1969
Citation Context: ...r example, the Java modeling language JML comes with extended static analysis [5] and verification [26] tools. [6] treats contracts in a higher-order functional setting. Unlike Hoare’s original logic [8] and unlike some known formalisations of Hoare logics in theorem provers like Isabelle and PVS [9, 27, 16], most of these languages do not have a separate language for expressing pre- and postcondition...

938 | Categories for the Working Mathematician - Mac Lane - 1971
Citation Context: ...: A → T A, and ∗ assigns to each morphism f : A → T B a morphism f∗ : T A → T B such that η_A∗ = id_{T A}, f∗ η_A = f, and g∗ f∗ = (g∗ f)∗. This description is equivalent to the more familiar one [11]. In order to support a language with finitary operations and multi-variable contexts (see below), one needs a further ingredient: a monad is called strong if it is equipped with a natural transformat...

762 | Eiffel: The Language - Meyer - 1992
Citation Context: ...Design and programming by contract reduces software errors by providing specifications of Hoare-style pre- and postconditions and invariants along with the program. Originating in the Eiffel language [12], this paradigm has become a guiding design principle for a number of languages, including Sather [17], Lisaac [24], Nice [3], and D [4]. Moreover, for many existing languages, among them C, C++, Java...

743 | Notions of computation and monads - Moggi - 1991
Citation Context: ...soning in a way that abstracts from the details of the particular languages. The abstraction is achieved by encapsulating notions of effect and computation as monads, as originally suggested by Moggi [13] and used in the design of the functional programming language Haskell [18] as well as in programming semantics, e.g. for Java [10]. In earlier work [21, 23], we have developed a dynamic logic for gen...

403 | Preliminary design of JML: a behavioral interface specification language for Java - Leavens, Baker, et al.

214 | Semantical considerations on Floyd-Hoare logic - Pratt - 1976
Citation Context: ...nally provide a coercion operation int2loc : Int → Loc (written e.g. as "(*char)" in C, if characters are stored). 3 Monad-Based Dynamic Logic. In program specification, dynamic logic as introduced in [20] and extended to monadic computations in [23] has a number of advantages over less expressive formalisms such as Hoare logic, among them the ability to express both partial and total correctness in a...

119 | Contracts for higher-order functions - Findler, Felleisen - 2002
Citation Context: ...reprocessors and other tools have been developed that support programming by contract; for example, the Java modeling language JML comes with extended static analysis [5] and verification [26] tools. [6] treats contracts in a higher-order functional setting. Unlike Hoare’s original logic [8] and unlike some known formalisations of Hoare logics in theorem provers like Isabelle and PVS [9, 27, 16], most...

97 | The LOOP compiler for Java and JML - van den Berg, Jacobs
Citation Context: ...libraries, preprocessors and other tools have been developed that support programming by contract; for example, the Java modeling language JML comes with extended static analysis [5] and verification [26] tools. [6] treats contracts in a higher-order functional setting. Unlike Hoare’s original logic [8] and unlike some known formalisations of Hoare logics in theorem provers like Isabelle and PVS [9, 27...

89 | Categorical logic - Pitts - 1996
Citation Context: ... complete for the generic part of the calculus and linear sequential programs 4. This setting is sufficient for our treatment of observational purity. Our logic is related to Pitts’ evaluation logic [19], which in turn essentially puts the language-specific logic of [2] on a generic basis. Both these logics omit loops, like the restricted logic considered here, but unlike the full logic of [23]. In m...

74 | ESC/Java2: Uniting ESC/Java and JML - Cok, Kiniry - 2004
Citation Context: ...l, Python, and Ruby, libraries, preprocessors and other tools have been developed that support programming by contract; for example, the Java modeling language JML comes with extended static analysis [5] and verification [26] tools. [6] treats contracts in a higher-order functional setting. Unlike Hoare’s original logic [8] and unlike some known formalisations of Hoare logics in theorem provers like I...

62 | A dynamic logic for the formal verification of Java Card programs - Beckert - 2001
Citation Context: ...logic serves also the specification of monads, i.e. notions of side effect and purity. That is, effects 3 There are two dynamic logics for Java, one for the KIV prover [25], and one in the KeY project [1]. However, they neither address purity, nor are they generic. 4 The original calculus does feature generic loop constructs; however, absolute completeness results such as the one proved here are impos...

55 | ESC/Java2: Uniting ESC/Java and JML: Progress and issues in building and using ESC/Java2, RUN NIII - Cok, Kiniry - 2004

36 | Contracts for higher-order functions - Robert Bruce Findler and Matthias Felleisen - 2002

32 | The Sather Language - Omohundro - 1991
Citation Context: ...pre- and postconditions and invariants along with the program. Originating in the Eiffel language [12], this paradigm has become a guiding design principle for a number of languages, including Sather [17], Lisaac [24], Nice [3], and D [4]. Moreover, for many existing languages, among them C, C++, Java, JavaScript, Scheme, Perl, Python, and Ruby, libraries, preprocessors and other tools have been devel...

29 | Observational purity and encapsulation - Naumann - 2005
Citation Context: ...ticular allows harmless side-effects such as creating and writing on new references. This generic concept of observational purity is related to the programming language specific notion put forward in [15]. An interesting point here is that as a byproduct of our completeness proof, we obtain the existence of fully abstract categorical models, where observational equalities hold on the nose, and in part...

24 | The Church-Rosser property and a result of combinatory logic. Dissertation - Hindley - 1964

23 | Side Effects and Aliasing Can Have Simple Axiomatic Descriptions - Boehm - 1985
Citation Context: ... programs 4. This setting is sufficient for our treatment of observational purity. Our logic is related to Pitts’ evaluation logic [19], which in turn essentially puts the language-specific logic of [2] on a generic basis. Both these logics omit loops, like the restricted logic considered here, but unlike the full logic of [23]. In more detail, the definition of our dynamic logic is based on a stric...

22 | A formally verified calculus for full Java Card - Stenzel - 2004
Citation Context: ...cation of monadic programs, our logic serves also the specification of monads, i.e. notions of side effect and purity. That is, effects 3 There are two dynamic logics for Java, one for the KIV prover [25], and one in the KeY project [1]. However, they neither address purity, nor are they generic. 4 The original calculus does feature generic loop constructs; however, absolute completeness results such a...

20 | Hoare logics in Isabelle/HOL - Nipkow - 2002
Citation Context: ...n [26] tools. [6] treats contracts in a higher-order functional setting. Unlike Hoare’s original logic [8] and unlike some known formalisations of Hoare logics in theorem provers like Isabelle and PVS [9, 27, 16], most of these languages do not have a separate language for expressing pre- and postconditions. Instead, these are expressed in a pure subset of the programming language itself. The restriction to a...

19 | A semantics for evaluation logic - Moggi - 1995
Citation Context: ...the state monad, the interpretation of formulae as state predicates is explicitly imposed by the chosen hyperdoctrine). Existing completeness results for monad-based logics rely on a global semantics [14, 7], which e.g. for the state monad means that a sequence of nested modalities leads to universal quantification over all states at each new nesting level - the (implicit) state is not passed across nest...

17 | Hoare logic for Java - von Oheimb
Citation Context: ...n [26] tools. [6] treats contracts in a higher-order functional setting. Unlike Hoare’s original logic [8] and unlike some known formalisations of Hoare logics in theorem provers like Isabelle and PVS [9, 27, 16], most of these languages do not have a separate language for expressing pre- and postconditions. Instead, these are expressed in a pure subset of the programming language itself. The restriction to a...

13 | Monad-independent dynamic logic in HasCasl - Schröder, Mossakowski
Citation Context: ...on as monads, as originally suggested by Moggi [13] and used in the design of the functional programming language Haskell [18] as well as in programming semantics, e.g. for Java [10]. In earlier work [21, 23], we have developed a dynamic logic for generic side effects whose semantics is defined in terms of monads; in particular, we have given a sound proof calculus for this logic. 3 Here, we extend the pr...

12 | Varieties of effects - Führmann - 2002

10 | Monad-independent Hoare logic in HasCasl - Schröder, Mossakowski - 2003
Citation Context: ...on as monads, as originally suggested by Moggi [13] and used in the design of the functional programming language Haskell [18] as well as in programming semantics, e.g. for Java [10]. In earlier work [21, 23], we have developed a dynamic logic for generic side effects whose semantics is defined in terms of monads; in particular, we have given a sound proof calculus for this logic. 3 Here, we extend the pr...

10 | Computational types from a logical perspective - Benton, Bierman, de Paiva - 1995

9 | Java program verification in higher order logic with PVS and Isabelle - Huisman - 2001
Citation Context: ...n [26] tools. [6] treats contracts in a higher-order functional setting. Unlike Hoare’s original logic [8] and unlike some known formalisations of Hoare logics in theorem provers like Isabelle and PVS [9, 27, 16], most of these languages do not have a separate language for expressing pre- and postconditions. Instead, these are expressed in a pure subset of the programming language itself. The restriction to a...

6 | Generic exception handling and the Java monad - Schröder, Mossakowski - 2004
Citation Context: ...about changes of state. So far, no completeness result has been proved for such logics. A Hoare calculus has been built on top of MDL [21] and extended to a treatment of Java-style abrupt termination [22, 29]. Practical applications of MDL include reasoning about Haskell and the imperative fragment of Java. Numerous examples and a coding in the theorem prover Isabelle can be found in [28]. The completenes...

4 | Parametrized Exceptions - Walter, Schröder, Mossakowski - 2005
Citation Context: ...about changes of state. So far, no completeness result has been proved for such logics. A Hoare calculus has been built on top of MDL [21] and extended to a treatment of Java-style abrupt termination [22, 29]. Practical applications of MDL include reasoning about Haskell and the imperative fragment of Java. Numerous examples and a coding in the theorem prover Isabelle can be found in [28]. The completenes...

3 | The Nice user’s manual. http://nice.sourceforge.net/manual.html - Bonniot, Keller, et al. - 2008
Citation Context: ...and invariants along with the program. Originating in the Eiffel language [12], this paradigm has become a guiding design principle for a number of languages, including Sather [17], Lisaac [24], Nice [3], and D [4]. Moreover, for many existing languages, among them C, C++, Java, JavaScript, Scheme, Perl, Python, and Ruby, libraries, preprocessors and other tools have been developed that support progr...

3 | Coalgebras and Monads in the Semantics of Java. Theoret - Jacobs, Poll
Citation Context: ...f effect and computation as monads, as originally suggested by Moggi [13] and used in the design of the functional programming language Haskell [18] as well as in programming semantics, e.g. for Java [10]. In earlier work [21, 23], we have developed a dynamic logic for generic side effects whose semantics is defined in terms of monads; in particular, we have given a sound proof calculus for this logic...

2 | Completeness of global evaluation logic - Goncharov, Schröder, et al. - 2006
Citation Context: ...the state monad, the interpretation of formulae as state predicates is explicitly imposed by the chosen hyperdoctrine). Existing completeness results for monad-based logics rely on a global semantics [14, 7], which e.g. for the state monad means that a sequence of nested modalities leads to universal quantification over all states at each new nesting level - the (implicit) state is not passed across nest...

2 | Lisaac: The power of simplicity at work for operating system - Sonntag, Colnet - 2002

2 | Monadic dynamic logic: Application and implementation - Walter - 2005
Citation Context: ...s also the (potentially loose) specification of monads, i.e. notions of side effect. The running example of [21, 23] involves references and non-determinism; numerous further examples can be found in [28], including the Java monad and a parsing monad, as well as a queue monad over a fixed set U of entries. Here, we present the specification of a monad for dynamic references. It is axiomatized using Ho...

1 | The D programming language. Dr - Bright - 2002
Citation Context: ...nts along with the program. Originating in the Eiffel language [12], this paradigm has become a guiding design principle for a number of languages, including Sather [17], Lisaac [24], Nice [3], and D [4]. Moreover, for many existing languages, among them C, C++, Java, JavaScript, Scheme, Perl, Python, and Ruby, libraries, preprocessors and other tools have been developed that support programming by c...

1 | A generic complete dynamic logic for reasoning about purity and effects - Mossakowski, Schröder, Goncharov