separation logic 3/4marche/mpri-2-36-1/2016/seplogic3_print4.pdf · separation logic 3/4 arthur...

Separation Logic3/4

Arthur Chargueraud

Febuary 18th, 2016

1 / 78

Chapter 14

Higher-order iteration

2 / 78

Apply

let apply f x =

f x

Specification:

@𝑓𝑥𝐻𝑄. t𝐻 ‹ r t𝐻u p𝑓 𝑥q t𝑄u su papply 𝑓 𝑥q t𝑄u

To improve readability, we extract pure facts out of pre-conditions:

@𝑓𝑥𝐻𝑄. t𝐻u p𝑓 𝑥q t𝑄u

ñ t𝐻u papply 𝑓 𝑥q t𝑄u

3 / 78

Apply on a reference

let refapply r f =

r := f !r

Exercise: specify the function refapply, first assuming f to be pure,then assuming f to modify the state from 𝐻 to 𝐻 1.Hint: introduce a pure predicate of the form 𝑃 𝑥 𝑦.

@𝑟𝑓𝑥. tr su p𝑓 𝑥q t𝜆𝑦. r𝑃 𝑥 𝑦su

ñ t𝑟 ÞÑ 𝑥u prefapply 𝑟 𝑓q t𝜆 . DD𝑦. r𝑃 𝑥 𝑦s ‹ 𝑟 ÞÑ 𝑦u

@𝑟𝑓𝑥𝐻𝐻 1. t𝐻u p𝑓 𝑣q t𝜆𝑦. r𝑃 𝑥 𝑦s ‹ 𝐻 1u

ñ tp𝑟 ÞÑ 𝑥q ‹ 𝐻u

prefapply 𝑟 𝑓q

t𝜆 . DD𝑦. r𝑃 𝑥 𝑦s ‹ p𝑟 ÞÑ 𝑦q ‹ 𝐻 1u

4 / 78

Function twice

let twice f =

f(); f()

Correct specification, but not so useful:

@𝑓𝐻𝑄. t𝐻u p𝑓 pq ; 𝑓 pqq t𝑄u

ñ t𝐻u ptwice 𝑓q t𝑄u

Better specification:

@𝑓𝐻𝑄1𝑄. t𝐻u p𝑓 pqq t𝑄1u

^ t𝑄1 pqu p𝑓 pqq t𝑄u

ñ t𝐻u ptwice 𝑓q t𝑄u

5 / 78

Function repeat

let repeat n f =

for i = 0 to n-1 do

f()

done

Exercise: specify repeat, using an invariant 𝐼, of type int Ñ Hprop.

@𝑛𝑓𝐼. p@𝑖 P r0, 𝑛q. t𝐼 𝑖u p𝑓 pqq t𝜆 . 𝐼 p𝑖` 1quq

ñ t𝐼 0u prepeat𝑛 𝑓q t𝜆 . 𝐼 𝑛u

The premise consists of a family of hypotheses describing the behavior ofapplications of 𝑓 to particular arguments.

6 / 78

Iteration over a pure list

let rec iter f l =

match l with

| [] -> ()

| x::t -> f x; iter f t

Specification, using an invariant 𝐼 of type: list𝛼Ñ Hprop.

@𝑓𝑙𝐼.`

@𝑥𝑘. t𝐼 𝑘u p𝑓 𝑥q t𝜆 . 𝐼 p𝑘&𝑥qu˘

ñ t𝐼 nilu piter 𝑓 𝑙q t𝜆 . 𝐼 𝑙u

where 𝑘&𝑥 ” 𝑘` p𝑥 :: nilq.

7 / 78

Length using iter`



let length l =

let r = ref 0 in

iter (fun x -> incr r) l;

!r

Exercise: give the instantiatiation of 𝐼, write the specialization of thespecification of iter to 𝐼 and to (fun x -> incr r), in order to checkthat the premise is provable, and that the code indeed computes thelength of the list given as argument.

Invariant: 𝐼 ” 𝜆𝑘. 𝑟 ÞÑ |𝑘|.

`

@𝑥𝑘. t𝑟 ÞÑ |𝑘|u pincr rq t𝜆 . 𝑟 ÞÑ |𝑘| ` 1u˘

ñ t𝑟 ÞÑ 0u piter 𝑓 𝑙q t𝜆 . 𝑟 ÞÑ |𝑙|u

8 / 78

Sum using iter

`



let sum l =

let r = ref 0 in

iter (fun x -> r := !r + x) l;

!r

Exercise: give the invariant 𝐼 involved in the above call to iter.

𝐼 ” 𝜆𝑘. 𝑟 ÞÑ Sum 𝑘

where:Sum 𝑘 ” Fold p`q 0 𝑘

9 / 78

Constraints over the items

`



Consider a list 𝑥1 :: 𝑥2 :: ... :: 𝑥𝑛. Let us compute:?𝑥1 ` ...`

?𝑥𝑛.

iter (fun x -> r := !r +. sqrt x) [2.0; 3.0]

The above specification of iter is too weak. More general specification:

@𝑓𝐼𝑙.`

@𝑥𝑘. 𝑥 P 𝑙 ñ t𝐼 𝑘u p𝑓 𝑥q t𝜆 . 𝐼 p𝑘&𝑥qu˘


10 / 78

Constraints over the items, in order

@𝑓𝐼𝑙.`



Consider a list 𝑥1 :: 𝑥2 :: ... :: 𝑥𝑛. Let us compute:b

a?𝑥1 ` 𝑥2 ` 𝑥3.

iter (fun x -> r := sqrt (!r +. x)) [2.; -1.; 3.]

The above specification of iter is too weak. Most-general specification:

@𝑓𝐼𝑙.`

@𝑥𝑘𝑠. 𝑙 “ 𝑘` 𝑥 :: 𝑠 ñ t𝐼 𝑘u p𝑓 𝑥q t𝜆 . 𝐼 p𝑘&𝑥qu˘


11 / 78

Invariant on remaining items

`



`

@.... t...u p𝑓 𝑥q t𝜆 . ...u˘

ñ t𝐼 1 𝑙u piter 𝑓 𝑙q t𝜆 . 𝐼 1 nilu

Exercise: specify iter using an invariant that depends on the list ofitems remaining to process, instead of on the list of items alreadyprocessed. Then, prove the new specification derivable from the old one.

`

@𝑥𝑠. t𝐼 1 p𝑥 :: 𝑠qu p𝑓 𝑥q t𝜆 . 𝐼 1 𝑠u˘

ñ t𝐼 1 𝑙u piter 𝑓 𝑙q t𝜆 . 𝐼 1 nilu

Derivable using: 𝐼 ” 𝜆𝑘. DD𝑠. r𝑙 “ 𝑘` 𝑠s ‹ 𝐼 1 𝑠.

12 / 78

Iterating over a mutable list

let rec miter f p =

if p == null

then ()

else (f p.hd; miter f p.tl)

13 / 78

Iterating over a mutable list

@𝑓𝑙𝐼.`



Specification:

@𝑓𝑝𝐼𝑙.`


ñ t𝑝 Mlist 𝑙 ‹ 𝐼 nilu pmiter 𝑓 𝑝q t𝜆 . 𝑝 Mlist 𝑙 ‹ 𝐼 𝑙u

Remark: calls to 𝑓 cannot modify the structure of the list while iterating.

14 / 78

Verification of iter`



let rec iter f l =

match l with

| [] -> ()


How to prove that the code satisfies its specification?

15 / 78

Verification of iter

Assume:@𝑥𝑘. t𝐼 𝑘u p𝑓 𝑥q t𝜆 . 𝐼 p𝑘&𝑥qu

Prove:t𝐼 nilu piter 𝑓 𝑙q t𝜆 . 𝐼 𝑙u

Proof by induction over a generalized statement:

@𝑘𝑠. t𝐼 𝑘u piter 𝑓 𝑠q t𝜆 . 𝐼 p𝑘` 𝑠qu

16 / 78

Verification of iter

let rec iter f s =

match s with

| [] -> ()


Assume: @𝑥𝑘. t𝐼 𝑘u p𝑓 𝑥q t𝜆 . 𝐼 p𝑘&𝑥qu

Prove: @𝑘𝑠. t𝐼 𝑘u piter 𝑓 𝑠q t𝜆 . 𝐼 p𝑘` 𝑠qu

By induction on 𝑠:

§ Case 𝑠 “ nil. Goal is: t𝐼 𝑘u piter 𝑓 nilq t𝜆 . 𝐼 p𝑘` nilqu.This triple simplifies to: t𝐼 𝑘u pq t𝜆 . 𝐼 𝑘u, which is correct.

§ Case 𝑠 “ 𝑥 :: 𝑡. Goal is: t𝐼 𝑘u piter 𝑓 p𝑥 :: 𝑡qq t𝜆 . 𝐼 p𝑘` p𝑥 :: 𝑡qqu.

hypothesis-on-f

t𝐼 𝑘u p𝑓 𝑥q t𝜆 . 𝐼 p𝑘&𝑥qu

induction-hypothesis

t𝐼 p𝑘&𝑥qu piter 𝑓 𝑡q t𝜆 . 𝐼 pp𝑘&𝑥q` 𝑡qu

t𝐼 𝑘u p𝑓 𝑥; iter 𝑓 𝑡q t𝐼 pp𝑘&𝑥q` 𝑡quseq

17 / 78

Summary

Simplified: `



Order-irrelevant:`



Most-general:`



Extension to mutable lists:`


ñ t𝑝 Mlist 𝑙 ‹ 𝐼 nilu pmiter 𝑓 𝑝q t𝜆 . 𝑝 Mlist 𝑙 ‹ 𝐼 𝑙u

18 / 78

Chapter 15

Other classic higher-order functions

19 / 78

Fold-left

let rec fold_left f a l =

match l with

| [] -> a

| x::k -> fold_left f (f a x) k

Example:

fold_left 𝑓 𝑎 r6 :: 4 :: 7s “ 𝑓 p𝑓 p𝑓 𝑎 6q 4q 7

Specification:

@𝑓𝑎𝑙𝐽.`

@𝑥𝑖𝑘. t𝐽 𝑖 𝑘u p𝑓 𝑖 𝑥q t𝜆𝑗. 𝐽 𝑗 p𝑘&𝑥qu˘

ñ t𝐽 𝑎 nilu pfold_left 𝑓 𝑎 𝑙q t𝜆𝑏. 𝐽 𝑏 𝑙u

20 / 78

Application of fold-left

@𝑓𝑎𝑙𝐽.`


ñ t𝐽 𝑎 nilu pfold left 𝑓 𝑎 𝑙q t𝜆𝑏. 𝐽 𝑏 𝑙u

let r = ref 0

let count_and_sum l =

fold_left (fun a x -> incr r; a+x) 0 l

Exercise: give the instantiation of the invariant 𝐽 in the code above.

𝐽 𝑖 𝑘 ” p𝑟 ÞÑ |𝑘|q ‹ r𝑖 “ Sum 𝑘s

where Sum 𝑘 ” Fold p`q 0 𝑘.

21 / 78

Fold-right

let rec fold_right f l a =

match l with

| [] -> a

| x::k -> f x (fold_right f k a)

Example:fold 𝑓 r6 :: 4 :: 7s 𝑎 ” 𝑓 6 p𝑓 4 p𝑓 7 𝑎qq

Exercise: give a specification for fold_right.

@𝑓𝑙𝑎𝐽.`

@𝑥𝑖𝑘. t𝐽 𝑖 𝑘u p𝑓 𝑥 𝑖q t𝜆𝑗. 𝐽 𝑗 p𝑥 :: 𝑘qu˘

ñ t𝐽 𝑎 nilu pfold_right 𝑓 𝑙 𝑎q t𝜆𝑏. 𝐽 𝑏 𝑙u

22 / 78

Map: simple specification for pure functions

let rec map f l =

match l with

| [] -> []

| x::k -> (f x)::(map f k)

Simple specification, for the case where f is pure:

@𝑓𝑙𝑃. p@𝑥. tr su p𝑓 𝑥q t𝜆𝑥1. r𝑃 𝑥𝑥1suq

ñ tr su pmap 𝑓 𝑙q t𝜆𝑙1. rForall2𝑃 𝑙 𝑙1su

where:

Forall2𝑃 nil nil

𝑃 𝑥𝑥1 Forall2𝑃 𝑙 𝑙1

Forall2𝑃 p𝑥 :: 𝑙q p𝑥1 :: 𝑙1q

23 / 78

Map: general specification

Specification of map:

@𝑓𝑙𝑃. p@𝑥. tr su p𝑓 𝑥q t𝜆𝑥1. r𝑃 𝑥𝑥1suq

ñ tr su pmap 𝑓 𝑙q t𝜆𝑙1. rForall2𝑃 𝑙 𝑙1su

Specification of iter:

@𝑓𝑙𝐼.`



Combining the two:

@𝑓𝑙𝑃𝐼.`

@𝑥𝑘. t𝐼 𝑘u p𝑓 𝑥q t𝜆𝑥1. r𝑃 𝑥𝑥1s ‹ 𝐼 p𝑘&𝑥qu˘

ñ t𝐼 nilu pmap 𝑓 𝑙q t𝜆𝑙1. rForall2𝑃 𝑙 𝑙1s ‹ 𝐼 𝑙u

24 / 78

Map: general specification, alternative

@𝑓𝑙𝑃𝐼.`

@𝑥𝑘. t𝐼 𝑘u p𝑓 𝑥q t𝜆𝑥1. r𝑃 𝑥𝑥1s ‹ 𝐽 p𝑘&𝑥qu˘

ñ t𝐼 nilu pmap 𝑓 𝑙q t𝜆𝑙1. rForall2𝑃 𝑙 𝑙1s ‹ 𝐼 𝑙u

Alternative specification:

@𝑓𝑙𝐽 1.`

@𝑥𝑘𝑘1. t𝐽 1 𝑘 𝑘1u p𝑓 𝑥q t𝜆𝑥1. 𝐽 p𝑘&𝑥q p𝑘1&𝑥1qu˘

ñ t𝐽 1 nil nilu pmap 𝑓 𝑙q t𝜆𝑙1. 𝐽 1 𝑙 𝑙1u

Above specification derivable from the previous one:

𝐽 1 𝑘 𝑘1 ” rForall2𝑃 𝑘 𝑘1s ‹ 𝐼 𝑘

25 / 78

Sorting with comparison function

Example:

List.sort (fun x y -> x - y) [2;4;5;3;2;9]

Specification:

@𝑓𝑙. @pĺq.total-order pĺq

^ p@𝑥𝑦. tr su p𝑓 𝑥 𝑦q t𝜆𝑛. r𝑛 ď 0ô 𝑥 ĺ 𝑦suq

ñ tr su psort 𝑓 𝑙q t𝜆𝑙1. rpermut 𝑙 𝑙1 ^ sorted pĺq 𝑙1su

More general specification of comparison functions:

tr su p𝑓 𝑥 𝑦q t𝜆𝑛. rif𝑛 “ 0 then𝑥 « 𝑦 else if𝑛 ă 0 then𝑥 ă 𝑦 else𝑥 ą 𝑦su

26 / 78

Find with a boolean predicate, on pure lists

let rec find f l =

match l with

| [] -> None

| x::k -> if f x

then Some x

else find f k

Specification:

@𝑓𝑙𝑃. p@𝑥. tr su p𝑓 𝑥q t𝜆𝑏. r𝑏 “ true ô 𝑃 𝑥suq

ñ tr su pfind 𝑓 𝑙q t𝜆𝑜. r match 𝑜with|None ñ Forall p 𝑃 q 𝑙| Some𝑥ñ D𝑘𝑡. 𝑙 “ 𝑘` 𝑥 :: 𝑡

^ Forall p 𝑃 q 𝑘 ^ 𝑃 𝑥

su

27 / 78

Find with a boolean predicate, on mutable lists

Specification:

@𝑓𝑝𝑙𝑃. p@𝑥. tr su p𝑓 𝑥q t𝜆𝑏. r𝑏 “ true ô 𝑃 𝑥suq

ñ t𝑝 Mlist 𝑙u

pmfind 𝑓 𝑝q

t𝜆𝑜.match 𝑜with|None ñ 𝑝 Mlist 𝑙 ‹ rForall p 𝑃 q 𝑙s| Some 𝑞 ñ DD𝑘𝑡. 𝑝 MlistSeg 𝑞 𝑘 ‹ 𝑞 Mlist p𝑥 :: 𝑡q

‹ r𝑙 “ 𝑘` 𝑥 :: 𝑡 ^ Forall p 𝑃 q 𝑘 ^ 𝑃 𝑥s

u

28 / 78

Summary

`



`


ñ t𝐽 𝑎 nilu pfold 𝑓 𝑎 𝑙q t𝜆𝑏. 𝐽 𝑏 𝑙u

`

@𝑥𝑘𝑘1. t𝐽 𝑘 𝑘1u p𝑓 𝑥q t𝜆𝑥1. 𝐽 p𝑘&𝑥q p𝑘1&𝑥1qu˘

ñ t𝐽 nil nilu pmap 𝑓 𝑙q t𝜆𝑙1. 𝐽 𝑙 𝑙1u

§ Add the hypothesis 𝑙 “ 𝑘` 𝑥 :: 𝑠 if the position of 𝑥 matters.

§ Boolean predicates: @𝑥. tr su p𝑓 𝑥q t𝜆𝑏. r𝑏 “ true ô 𝑃 𝑥su.

§ Order functions: @𝑥𝑦. tr su p𝑓 𝑥 𝑦q t𝜆𝑛. r𝑛 ď 0ô 𝑥 ĺ 𝑦su.

29 / 78

Chapter 16

Higher-order representation predicates

30 / 78

Overview

1. Higher-order predicate:

𝑝 Mlist𝐿 is generalized into 𝑝 Mlistof𝑅𝐿

2. Identity representation predicate:

𝑝 Mlistof Id𝐿 is the same as 𝑝 Mlist𝐿

3. Control accesses:

t𝑝 Mcellof Id 𝑣1𝑅2 𝑉2u p𝑝.hdq t𝜆𝑥. r𝑥 “ 𝑣1s ‹ ...u

4. Compose recursively:

𝑝 Nodeof𝑅𝑋 pMlistof pNarytreeof𝑅qq𝐿

31 / 78

Mutable list of possibly-aliased lists

𝑝 Mlist𝐾 ‹

˜

æ

p𝑝𝑖, 𝐿𝑖q P 𝑀

𝑝𝑖 Mlist𝐿𝑖

¸

‹ r@𝑝𝑖 P 𝐾. 𝑝𝑖 P dom𝑀 s

32 / 78

Mutable list of disjoint mutable lists

𝐿 “ p5::7 ::nilq ::p8::3 ::3 ::nilq::pnilq ::p4::nilq :: nil

𝑝 MlistofMlist𝐿

(to be later generalized into: 𝑝 Mlistof𝑅𝐿)

33 / 78

Representation using iterated star


𝐾 “ 𝑝1 :: 𝑝2 :: 𝑝3 :: 𝑝4 :: nil

𝑝 MlistofMlist𝐿 ” DD𝐾. 𝑝 Mlist𝐾

‹Æ

𝑖 P r0, |𝐿|q p𝐾r𝑖sq Mlist p𝐿r𝑖sq

‹ r |𝐾| “ |𝐿| s

34 / 78

Representation using a recursive predicate


𝑝 MlistofMlist𝐿 ” match𝐿with| nil ñ r𝑝 “ nulls|𝑋 :: 𝐿1 ñ DD𝑥𝑝1. 𝑝 ÞÑ t|hd=𝑥; tl=𝑝1|u

‹ 𝑝1 MlistofMlist𝐿1

‹ 𝑥 Mlist𝑋

35 / 78

Generalization to a higher-order predicate

𝑝 MlistofMlist𝐿 ” match𝐿with| nil ñ r𝑝 “ nulls|𝑋 :: 𝐿1 ñ DD𝑥𝑝1. 𝑝 ÞÑ t|hd=𝑥; tl=𝑝1|u

‹ 𝑝1 MlistofMlist𝐿1

‹ 𝑥 Mlist𝑋

Generalization:

𝑝 Mlistof𝑅𝐿 ” match𝐿with| nil ñ r𝑝 “ nulls|𝑋 :: 𝐿1 ñ DD𝑥𝑝1. 𝑝 ÞÑ t|hd=𝑥; tl=𝑝1|u

‹ 𝑝1 Mlistof𝑅𝐿1

‹ 𝑥 𝑅𝑋

In particular:

𝑝 MlistofMlist𝐿 “ 𝑝 Mlistof Mlist𝐿

36 / 78

Type-checking

𝑝 Mlistof𝑅𝐿 is a notation for Mlistof𝑅𝐿𝑝 pof type Hpropq𝑥 𝑅𝑋 is a notation for 𝑅𝑋 𝑥 pof type Hpropq



‹ 𝑥 𝑅𝑋

Exercise: assuming that 𝑥 has type 𝑎 and 𝑋 has type 𝐴. (Recall 𝑝 : loc.)What is the type of 𝑅? What is the type of Mlistof?

§ 𝑅 : 𝐴Ñ 𝑎Ñ Hprop

§ Mlistof : @𝐴𝑎. p𝐴Ñ 𝑎Ñ Hpropq Ñ list𝐴Ñ loc Ñ Hprop

37 / 78

The identity representation predicate



‹ 𝑥 𝑅𝑋

𝑝 Mlist𝐿 ” match𝐿with

| nil ñ r𝑝 “ nulls

|𝑥 :: 𝐿1 ñ DD𝑝1. 𝑝 ÞÑ t|hd=𝑥; tl=𝑝1|u

‹ 𝑝1 Mlist𝐿1

Exercise: define the identity representation predicate Id such that

𝑝 Mlistof Id𝐿 “ 𝑝 Mlist𝐿

Definition:𝑥 Id𝑋 ” r𝑥 “ 𝑋s

38 / 78

Summary

1. Higher-order predicate:

𝑝 Mlist𝐿 is generalized into 𝑝 Mlistof𝑅𝐿

2. Identity representation predicate:

𝑝 Mlistof Id𝐿 is the same as 𝑝 Mlist𝐿

39 / 78

Chapter 17

Higher-order representation predicates and the access problem

40 / 78

Specification of construction, for basic values

t𝑝1 Mlist𝐿u pcons𝑥 𝑝1q t𝜆𝑝. 𝑝 Mlist p𝑥 :: 𝐿qu

41 / 78

Specification of construction

t𝑥 𝑅𝑋 ‹ 𝑝1 Mlistof𝑅𝐿u pcons𝑥 𝑝1q t𝜆𝑝. 𝑝 Mlistof𝑅 p𝑋 :: 𝐿qu

42 / 78

Specification of deconstruction

t𝑝 Mlistof𝑅 p𝑋 :: 𝐿qu puncons 𝑝q

t𝜆p𝑥, 𝑝1q. 𝑥 𝑅𝑋 ‹ 𝑝1 Mlistof𝑅𝐿u

43 / 78

Specification of accesses: the problem

Incorrect specification for head:

t𝑝 Mlistof𝑅 p𝑋 :: 𝐿qu phead 𝑝q

t𝜆𝑥. 𝑥 𝑅𝑋 ‹ 𝑝 Mlistof𝑅 p𝑋 :: 𝐿qu

44 / 78

Specification of accesses: a partial solution

Correct yet limited specification:

t𝑝 Mlistof𝑅 p𝑋 :: 𝐿qu phead 𝑝q

t𝜆𝑥. 𝑥 𝑅𝑋 ‹ p𝑥 𝑅𝑋 ‹ 𝑝 Mlistof𝑅 p𝑋 :: 𝐿qqu

Magic wand rule:𝐻 ‹ p𝐻 ‹𝐻 1q “ 𝐻 1

45 / 78

Specification of accesses: a brute force solution

𝑝 Mlistof𝑅𝐿 “ DD𝐾. 𝑝 Mlist𝐾

‹Æ

𝑖 P r0, |𝐿|q p𝐾r𝑖sq 𝑅 p𝐿r𝑖sq

‹ r |𝐾| “ |𝐿| s

46 / 78

Specification of accesses: focus before read

𝑝 Mlistof𝑅 p𝑋 :: 𝐿q “ DD𝑥𝑝1. 𝑝 ÞÑ t|hd=𝑥; tl=𝑝1|u

‹ 𝑥 𝑅𝑋


Then read using:

t𝑝 ÞÑ t|hd=𝑥; tl=𝑝1|uu p𝑝.hdq t𝜆𝑦. r𝑦 “ 𝑥s ‹ 𝑝 ÞÑ t|hd=𝑥; tl=𝑝1|uu

47 / 78

Specification of queues of basic items

tr su pcreate()q t𝜆𝑝. 𝑝 Queue nilu

t𝑝 Queue𝐿u ppush x pq t𝜆 . 𝑝 Queue p𝐿&𝑥qu

t𝑝 Queue p𝑥 :: 𝐿qu ppop pq t𝜆𝑟. r𝑟 “ 𝑥s ‹ 𝑝 Queue𝐿u

t𝑝 Queue𝐿 ‹ 𝑝1 Queue𝐿1u pconcat p p’q t𝜆 . 𝑝 Queue p𝐿` 𝐿1qu

48 / 78

Ownership transfer with a queue of mutable items

Push:

Pop:

49 / 78

Specification of queues of mutable items

Exercise: specify functions over queues using a higher-orderrepresentation predicate written 𝑝 Queueof𝑅𝐿.Shorthand: just write “Q𝑅” instead of “Queueof𝑅”.

tr su pcreate()q t𝜆𝑝. 𝑝 Queueof𝑅 nilu

t𝑝 Queueof𝑅𝐿 ‹ 𝑥 𝑅𝑋u ppush𝑥 𝑝q t𝜆 . 𝑝 Queueof𝑅 p𝐿&𝑋qu

t𝑝 Queueof𝑅 p𝑋 :: 𝐿qu ppop 𝑝q t𝜆𝑥. 𝑝 Queueof𝑅𝐿 ‹ 𝑥 𝑅𝑋u

t𝑝 Queueof𝑅𝐿 ‹ 𝑝1 Queueof𝑅𝐿1u pconcat 𝑝 𝑝1q

t𝜆 . 𝑝 Queueof𝑅 p𝐿` 𝐿1qu

50 / 78

The copy problem

Incorrect specification for copy:

t𝑝 Queueof𝑅𝐿u

pcopy 𝑝q

t𝜆𝑝1. 𝑝 Queueof𝑅𝐿 ‹ 𝑝1 Queueof𝑅𝐿u

Exercise: specify a function copy 𝑓 𝑝 that duplicables a mutable queue,where 𝑓 is a function to duplicate items.

`

@𝑥𝑋. t𝑥 𝑅𝑋u p𝑓 𝑥q t𝜆𝑥1. 𝑥 𝑅𝑋 ‹ 𝑥1 𝑅𝑋u˘

ñ t𝑝 Queueof𝑅𝐿u

pcopy 𝑓 𝑝q

t𝜆𝑝1. 𝑝 Queueof𝑅𝐿 ‹ 𝑝1 Queueof𝑅𝐿u

51 / 78

Summary

Focus before read:

Ownership transfer:



52 / 78

Chapter 18

Higher-order representation predicates for records

53 / 78

Representation for records

𝑝 Mcellof𝑅1 𝑉1𝑅2 𝑉2 ” DD𝑣1𝑣2. 𝑝 ÞÑ t|hd=𝑣1; tl=𝑣2|u‹ 𝑣1 𝑅1 𝑉1

‹ 𝑣2 𝑅2 𝑉2

54 / 78

Focus/unfocus for accessing a record field

Focus on a field:

𝑝 Mcellof𝑅1 𝑉1𝑅2 𝑉2 “ DD𝑣1. 𝑝 Mcellof Id 𝑣1𝑅2 𝑉2 ‹ 𝑣1 𝑅1 𝑉1

Access to a focused field:

t𝑝 Mcellof Id 𝑣1𝑅2 𝑉2u p𝑝.hdq t𝜆𝑥. r𝑥 “ 𝑣1s ‹ 𝑝 Mcellof Id 𝑣1𝑅2 𝑉2u

t𝑝 Mcellof Id 𝑣1𝑅2 𝑉2u p𝑝.hd <-𝑤q t𝜆 . 𝑝 Mcellof Id𝑤𝑅2 𝑉2u

55 / 78

Representation predicate for lists, revisited


‹ 𝑥 𝑅𝑋‹ 𝑝1 Mlistof𝑅𝐿1


‹ 𝑣2 𝑅2 𝑉2

Exercise: rewrite the specification of Mlistof using Mcellof.

𝑝 Mlistof𝑅𝐿 ” match𝐿with| nil ñ r𝑝 “ nulls|𝑋 :: 𝐿1 ñ 𝑝 Mcellof𝑅𝑋 pMlistof𝑅q𝐿1

56 / 78

Focus on the head element, revisited

𝑝 Mlistof𝑅 p𝑋 :: 𝐿q “ DD𝑥. 𝑝 Mcellof Id𝑥 pMlistof𝑅q𝐿1

‹ 𝑥 𝑅𝑋

Then read using:

t𝑝 Mcellof Id𝑥𝑅2 𝑉2u p𝑝.hdq t𝜆𝑦. r𝑦 “ 𝑥s ‹ 𝑝 Mcellof Id𝑥𝑅2 𝑉2u

57 / 78

Specifications combining access and focus/unfocus

t𝑣1 𝑅1 𝑉1 ‹ 𝑣2 𝑅2 𝑉2u

pt|hd=𝑣1; tl=𝑣2|uq

t𝜆𝑝. 𝑝 Mcellof𝑅1 𝑉1𝑅2 𝑉2u

t𝑝 Mcellof𝑅1 𝑉1𝑅2 𝑉2u

p𝑝.hdq

t𝜆𝑣1. 𝑝 Mcellof Id 𝑣1𝑅2 𝑉2 ‹ 𝑣1 𝑅1 𝑉1u

t𝑝 Mcellof𝑅1 𝑉1𝑅2 𝑉2 ‹ 𝑤 𝑅11 𝑉

11u

p𝑝.hd <-𝑤q

t𝜆 . 𝑝 Mcellof𝑅11 𝑉

11 𝑅2 𝑉2 ‹ pDD𝑣1. 𝑣1 𝑅1 𝑉1qu

58 / 78

Summary



‹ 𝑣2 𝑅2 𝑉2

Equivalent to:



59 / 78

Chapter 19

Higher-order representation predicates for trees

60 / 78

Binary tree: representation

𝑝 Mtreeof𝑅𝑇 ” match𝑇 with| Leaf ñ r𝑝 “ nulls|Node𝑋 𝑇1 𝑇2 ñ DD𝑥𝑝1𝑝2.

𝑝 ÞÑ t|item=𝑥; left=𝑝1; right=𝑝2|u‹ 𝑥 𝑅𝑋‹ 𝑝1 Mtreeof𝑅𝑇1

‹ 𝑝2 Mtreeof𝑅𝑇2

61 / 78

Binary tree: representation, revisited

Representation predicate for tree cells:

𝑝 Nodeof𝑅1 𝑉1𝑅2 𝑉2𝑅3 𝑉3 ”

DD𝑣1𝑣2𝑣3. 𝑝 ÞÑ t|item=𝑣1; left=𝑣2; right=𝑣3|u‹ 𝑣1 𝑅1 𝑉1 ‹ 𝑣2 𝑅2 𝑉2 ‹ 𝑣3 𝑅3 𝑉3

𝑝 Mtreeof𝑅𝑇 ” match𝑇 with| Leaf ñ r𝑝 “ nulls|Node𝑋 𝑇1 𝑇2 ñ

𝑝 Nodeof𝑅𝑋 pMtreeof𝑅q𝑇1 pMtreeof𝑅q𝑇2

62 / 78

Binary search tree

𝑝 : tree 𝑎 (in Caml)

𝑅 : 𝐴Ñ 𝑎Ñ Hprop

𝑇 : tree𝐴

𝐸 : set𝐴

𝑝 Msearchtreeofă 𝑅𝐸 ” DD𝑇. 𝑝 Mtreeof𝑅𝑇 ‹ rsearchă 𝑇 𝐸s

searchă LeafH

search𝑇1𝐸1 search𝑇2𝐸2

@𝑦 P 𝐸1. 𝑦 ă 𝑥 @𝑦 P 𝐸2. 𝑥 ă 𝑦

searchă pNode𝑥𝑇1 𝑇2q pt𝑥u Y 𝐸1 Y 𝐸2q

63 / 78

Trees with list of subtrees: implementation

type ’a node = {

mutable item : ’a;

mutable children : (’a node) cell }

Inductive tree (A:Type) : Type :=| Leaf : tree A

| Node : A Ñ list (tree A) Ñ tree A.

64 / 78

Trees with list of subtrees: specification

𝑝 Narytreeof𝑅𝑇 ”

match𝑇 with| Leaf ñ r𝑝 “ nulls|Node𝑋 𝐿 ñ DD𝑥𝑐. 𝑝 ÞÑ t|item=𝑥; children=𝑐|u

‹ 𝑥 𝑅𝑋‹ 𝑐 Mlistof pNarytreeof𝑅q𝐿

65 / 78

Trees with list of subtrees: representation of nodes

𝑝 Nodeof𝑅1 𝑉1𝑅2 𝑉2 ”

DD𝑣1𝑣2. 𝑝 ÞÑ t|item=𝑣1; children=𝑣2|u

‹ 𝑣1 𝑅1 𝑉1

‹ 𝑣2 𝑅2 𝑉2


match𝑇 with| Leaf ñ r𝑝 “ nulls|Node𝑋 𝐿 ñ DD𝑥𝑐. 𝑝 ÞÑ t|item=𝑥; children=𝑐|u

‹ 𝑥 𝑅𝑋‹ 𝑐 Mlistof pNarytreeof𝑅q𝐿

66 / 78

Trees with list of subtrees, revisited

Exercise: rewrite the specification of Narytreeof using Nodeof.


match𝑇 with| Leaf ñ r𝑝 “ nulls|Node𝑋 𝐿 ñ 𝑝 Nodeof𝑅𝑋 pMlistof pNarytreeof𝑅qq𝐿

67 / 78

Bootstrapped chunked sequences

type ’a bag = {

mutable next : (’a chunk) bag;

mutable head : ’a chunk }

Inductive layer : Type Ñ Type :=| Empty : @A, layer A

| Layer : @A, multiset A Ñ

layer (multiset A) Ñ layer A

Exercise: complete the specification of Bagof using Nodeof.Hint: chunks are described by the predicate 𝑝1 Chunkof𝑅𝐸1.

𝑝 Bagof𝑅𝑇 ”

match𝑇 with|Empty ñ r𝑝 “ nulls| Layer𝐸1 𝑇 1 ñ 𝑝 Nodeof pBagof pChunkof𝑅qq𝑇 1 pChunkof𝑅q𝐸1

68 / 78

Bootstrapped chunked sequences, continued

The heap predicate “𝑝 Multiset𝐸” asserts that, at memorylocation 𝑝, we find a bag that represents the multiset 𝐸 of basic items.

𝑝 Multiset𝐸 ” DD𝑇. 𝑝 Bagof Id𝑇 ‹ rLayersItems𝑇 𝐸s

The predicate “LayersItems𝑇 𝐸” asserts that 𝐸 is the multiset made ofall the items stored recursively in the layer tree 𝑇 .

LayersItems EmptyH

LayersItems𝑇 1 𝐺

LayersItems pLayer𝐸1 𝑇 1q p𝐸1 Z flatten𝐺q

The operator “flatten” takes as argument a multiset of multisets ofitems, and returns a multiset containing all the items.

69 / 78

Summary



70 / 78

Summary of Course 3

71 / 78

Chapter 14: summary

A higher-order functions that expects a function 𝑓 as argument isspecified using a family of hypotheses describing applications of 𝑓 toparticular arguments.

@𝑓𝐼𝑛. p@𝑖 P r0, 𝑛q. t𝐼 𝑖u p𝑓 pqq t𝜆 . 𝐼 p𝑖` 1quq

ñ t𝐼 0u prepeat𝑛 𝑓q t𝐼 𝑛u

72 / 78

Chapter 15: summary

Simplified specification:

`



Order-irrelevant specification:

`



Most-general specification:

`



73 / 78

Chapter 16: summary

`



`


ñ t𝐽 𝑎 nilu pfold 𝑓 𝑎 𝑙q t𝜆𝑏. 𝐽 𝑏 𝑙u

`

@𝑥𝑘𝑘1. t𝐽 𝑘 𝑘1u p𝑓 𝑥q t𝜆𝑥1. 𝐽 p𝑘&𝑥q p𝑘1&𝑥1qu˘

ñ t𝐽 nil nilu pmap 𝑓 𝑙q t𝜆𝑙1. 𝐽 𝑙 𝑙1u

§ Add the hypothesis 𝑙 “ 𝑘` 𝑥 :: 𝑠 if the position of 𝑥 matters.

§ Boolean predicates: @𝑥. tr su p𝑓 𝑥q t𝜆𝑏. r𝑏 “ true ô 𝑃 𝑥su.

§ Order functions: @𝑥𝑦. tr su p𝑓 𝑥 𝑦q t𝜆𝑛. r𝑛 ď 0ô 𝑥 ĺ 𝑦su.

74 / 78

Chapter 17: summary

Focus before read:

Ownership transfer:



75 / 78

Chapter 18: summary



‹ 𝑣2 𝑅2 𝑉2

Equivalent to:



76 / 78

Chapter 19: summary



77 / 78

Exercises

§ Exam from 2015, Exercise 2: More on bootstrapped chunked bags.

Available from the webpage of the course.

78 / 78

separation logic 3/4marche/mpri-2-36-1/2016/seplogic3_print4.pdf · separation logic 3/4 arthur...

Documents