Semantics of Imperative Objects

Transcription

1 Semantics of Imperative Objects Catalin Hritcu Supervisor: Jan Schwinghammer Responsible: Prof. Gert Smolka Programming Systems Lab Saarland University, Saarbrücken November

2 Overview Imperative Object Calculus Operational Semantics Syntactic Types Axiomatic Semantics Denotational Semantics Step-indexed Semantics Possible Extensions 2

3 Object Calculi Object-oriented programming languages Idealized models Rigorously defined semantics Simple - only one primitive: objects Expressive can encode: classes and inheritance but also functions (the lambda calculus) 3

4 Object Calculi Object-based (not class-based) In practice: JavaScript, Self, etc. Strongly-typed A Theory of Objects [Abadi & Cardelli 96] We study the imperative object calculus [Abadi & Leino, 04] 4

5 Imperative Object Calculus Syntax a, b ::= x variable let x = a in b variable binding [f i = x i, m j = ς(y j )b j ] i I,j J object construction clone x object cloning x.f field selection x.f := y field update x.m method call true false booleans if x then a else b conditional 0 succ x pred x numbers More syntactic sugar used in examples 5

6 Example Programs Factorial [fac = ς(y)λn.if n = 0 then 1 else n y.fac(n 1)] Euclid s gcd algorithm [gcd = ς(y)λx.λz.if x < z then y.gcd x (z x) else if z < x then y.gcd (x z) z else x] 6

7 Operational Semantics Abstract machine Small-step: evaluation = Reduction Relation: Config Config Configurations: σ, a Config = Store LProg (Red-Let1) (Red-Let2) σ, a σ, a σ, let x = a in b σ, let x = a in b σ, let x = v in b σ, b[x v] (Red-If-True) σ, if true then a else b σ, a (Red-If-False) σ, if false then a else b σ, b 7

8 Operational Semantics (Rel-Obj) (Red-Clone) (Rel-Sel) (Red-Inv) (Red-Upd) l dom σ o = [f i = v i, m j = ς(y j )b j ] i I,j J σ, [f i = v i, m j = ς(y j )b j ] i I,j J σ[l o], l l dom σ σ l = o σ, clone l σ[l o], l σ l f = v σ, l.f σ, v σ l m = ς(y)b σ, l.m σ, b[y l] σ l f σ = σ[l (σ l)[f v]] σ, l.f := v σ, l 8

9 Example Reduction, let y = [m = ς(x)x.m] in y.m l = [m = ς(x)x.m], let y = l in y.m l = [m = ς(x)x.m], l.m l = [m = ς(x)x.m], l.m... Nonterminating evaluation 9

10 Types of Objects Simple types: T ::= Bool Nat [f i : T i, m j : S j ] i I,j J Typing relation: (Γ a : T ) : (Var fin Ty) Prog Ty Types are purely syntactical Subtyping (fields invariant, methods covariant) Bool Bool Nat Nat j J : S j R j I I J J [f i : T i, m j : S j ] i I,j J [f i : T i, m j : R j ] i I,j J 10

11 Typing Rules (T-Sub) T T Γ a : T Γ a : T (T-True) Γ true : Bool (T-Var) Γ x = T Γ x : T (T-False) Γ false : Bool (T-If) Γ x : Bool Γ a : T Γ b : T Γ if x then a else b : T (T-Let) Γ a : S Γ, x : S b : T Γ let x = a in b : T 11

12 Typing Rules (T-Obj) Γ x i : T i Γ, y j : T b j : S j Γ [f i = x i, m j = ς(y j )b j ] i I,j J : T where T = [f i : T i, m j : S j ] i I,j J (T-Clone) Γ x : T T = [f i : T i, m j : S j ] i I,j J Γ clone x : T (T-Upd) Γ x : [f : T ] Γ x.f := y : [] Γ y : T (T-Sel) Γ x : [f : T ] Γ x.f : T (T-Inv) Γ x : [m : T ] Γ x.m : T 12

13 Program logic Deduction system for program correctness E.g. Hoare logic [Floyd, 67] [Hoare, 69] {p b}s 1 {q} {p b}s 2 {q} {p}if b then S 1 else S 2 {q} Widely used in program verification (E.g. Verisoft) 13

14 The Logic of Objects [Abadi & Leino, 97] [Abadi & Leino, 04] Specifications generalize types A refinement of the type system (undecidable) Attempt to mechanize [Hofmann & Tang, 02] Γ a : T E a : A :: ϕ φ is a first-order logic formula (pre + post) Sub-specification generalizes subtyping Subsumption corresponds to weakening 14

15 The Logic of Objects (S-Obj) E x i : A i :: Res(x i ) E, y j : A b j : B j :: ϕ j E [f i = x i, m j = ς(y j )b j ] i I,j J : A :: ϕ where A = [f i : A i, m j : ς(y i )B j :: ϕ j ] i I,j J and ϕ = alloc(r) ` alloc(r) i I σ(r, f i) = x i ( z. z r ( alloc(z) ` alloc(z) w. `σ(z, w) σ(z, w))) and Res(e) r = e ( x. w. alloc(x) ` alloc(x) Specifications not tight (as in separation logic) `σ(x, w) = σ(x, w)) Soundness hard to prove [Reus & Schwinghammer, 06] 15

16 Higher-order Store Executable code can be stored General references in ML Pointers to functions in C Callbacks in Java Recursion by tying a knot in the store Example (factorial through a field) let x = [f = ς(y)λn.n] in let z = [f = x, fac = ς(y)λn.if n = 0 then 1 z.f := z else n y.f.fac(n 1)] in 16

17 Higher-order Store Imperative object calculus Operational Semantics Dynamically allocated, higher-order store Challenge: finding good semantic models Reasoning about the behavior of programs Program correctness (using a program logic) Useful for proving safety(progress&preservation) Not suitable as the basis for a program logic [Benton, 05] [Reus & Schwinghammer, 06] 17

18 Denotational Semantics The meaning of a program is a mathematical object E.g. denotation of a lambda abstraction = function Higher-order store Solving recursive domain equations Dynamic Allocation Possible-world model = category of functors over CPOs Domain theory, category theory, order theory More abstract - reasoning about program behavior 18

19 Denotational Semantics For the imperative object calculus Complex [Reus & Schwinghammer, 06] Separates logical validity from derivability Specification = predicate on programs Current models are still not abstract enough Many natural equivalences do not hold 19

20 Step-indexed Semantics Foundational proof-carrying code by Appel et al. Simpler machine-checkable proofs Type soundness For (very) low-level languages Lambda calculus Recursive types [Appel & McAllester, 01] General references and polymorphism [Ahmed et al., 03] 20

21 Step-indexed Semantics Based on a small-step operational semantics Type = set of indexed values e : k T if e behaves like an element of T for k steps Semantic approach to typing Types are predicates Type constructors functions Simpler than a cpo-based denotational semantics Used as a model for a program logic [Benton 05] 21

22 What We Are Working On Main goal Develop a step-indexed semantics for the imperative object calculus with simple object types Proving soundness of the typing rules Extensions Enriching the type system with: Subtyping Recursive object types [Reus & Streicher, 02] [Schwinghammer, 06] Impredicative polymorphism 22

23 More Possible Extensions Defining a program logic extending types Construct a sound deduction system FOL assertions about the store [Benton, 05] [Abadi & Leino, 04] [Podelski & Schaefer 05] Dependent types+shallow embedding to HOL - e.g. Hoare Type Theory [Nanevski et al., 06] Local and modular reasoning Separation Logic [Reynolds, 02] ADTs - Idealized ML [Krishnaswami et al., 06] 23

24 Thank you! 24

25 References [1] Martín Abadi and Luca Cardelli. A Theory of Objects. Springer, [2] Martín Abadi and K. Rustan M. Leino. A logic of object-oriented programs. In Michel Bidoit and Max Dauchet, editors, Proceedings of Theory and Practice of Software Development, volume 1214 of Lecture Notes in Computer Science, pages Springer, [3] Martín Abadi and K. Rustan M. Leino. A logic of object-oriented programs. In Nachum Dershowitz, editor, Verification: Theory and Practice. Essays Dedicated to Zohar Manna on the Occasion of his 64th Birthday, Lecture Notes in Computer Science, pages Springer, [4] Amal J. Ahmed, Andrew W. Appel, and Roberto Virga. An indexed model of impredicative polymorphism and mutable references. Princeton University, January [5] Amal J. Ahmed, Matthew Fluet, and Greg Morrisett. A step-indexed model of substructural state. In Olivier Danvy and Benjamin C. Pierce, editors, International Conference on Functional Programming (ICFP 05), pages ACM Press, [6] Andrew W. Appel and David McAllester. An indexed model of recursive types for foundational proof-carrying code. ACM Transactions on Programming Languages and Systems, 23(5): , September [7] Nick Benton. A typed, compositional logic for a stack-based abstract machine. In Zoltan Esik, editor, Asian Symposium on Programming Languages and Systems APLAS 05, volume 3780 of Lecture Notes in Computer Science, pages Springer, [8] Nick Benton. Abstracting allocation: the new new thing. In Computer Science Logic, volume 4207 of Lecture Notes in Computer Science, pages Springer, [9] Robert W. Floyd. Assigning meanings to programs. In Jacob T. Schwartz, editor, Proceedings of Mathematical Aspects of Computer Science, volume 19 of Proceedings of Symposia in Applied Mathematics, pages American Mathematical Society, April

26 References [10] C. A. R. Hoare. An Axiomatic Basis of Computer Programming. Communications of the ACM, 12: , [11] Neelakantan R. Krishnaswami, Lars Birkedal, Jonathan Aldrich, and John C. Reynolds. Idealized ML and its separation logic. Submitted, [12] Aleksandar Nanevski, Amal Ahmed, Greg Morrisett, and Lars Birkedal. Abstract predicates and mutable adts in hoare type theory. Technical Report TR-14-06, Harvard University, [13] Andreas Podelski and Ina Schaefer. Local reasoning for termination. In Workshop on Verification of Concurrent Systems with Dynamic Allocated Heap (COSMICAH05), Lisabon, July [14] Bernhard Reus and Jan Schwinghammer. Denotational semantics for a program logic of objects. Mathematical Structures in Computer Science, 16(2): , April [15] Bernhard Reus and Thomas Streicher. Semantics and logic of object calculi. In Proceedings of 17th Annual IEEE Symposium Logic in Computer Science, pages IEEE Computer Society Press, [16] John C. Reynolds. Separation logic: A logic for shared mutable data structures. In Proceedings of the 17th IEEE Symposium on Logic in Computer Science, pages IEEE Computer Society, [17] Jan Schwinghammer. Reasoning about Denotations of Recursive Objects. PhD thesis, Department of Informatics, University of Sussex, [18] Francis Tang and Martin Hofmann. Generation of verification conditions for Abadi and Leino s logic of objects. Presented at 9th International Workshop on Foundations of Object-Oriented Languages, January