
UNIFIED FINE-GRAINED REGION LOGIC

This chapter generalizes FRL to UFRL. It defines the correctness judgment in UFRL and presents the axioms and proof rules for statements, together with the structural rules.

Unified Fine-Grained Region Logic (UFRL) was created to enable using FRL and SL together. UFRL has explicit read and write effects. It is a generalization of FRL; thus UFRL’s assertion and programming languages (Chapter 2 and Chapter 3) are the same as those in FRL.

However, Hoare-formulas in UFRL are different. The correctness judgment in UFRL has the form $[\delta]\{P_1\}\,S\,\{P_2\}[\varepsilon]$, where $\delta$ are read effects (on the heap) and $\varepsilon$ are write effects; thus $(\varepsilon, \delta)$ contains all the heap locations that $S$ may access. Note that $\delta$ and $\varepsilon$ may have locations in common.

Validity of UFRL Hoare-formulas uses the same notion of partial correctness as in FRL: statements must not encounter an error when started in a pre-state satisfying the specified precondition, but may still loop forever.

Definition 8 (Validity of UFRL Hoare-formula). Let $\Gamma$ be a well-formed type environment. Let $S$ be a statement. Let $P_1$ and $P_2$ be assertions. Let $\varepsilon$ be effects and $\delta$ be read effects, and let $(\sigma, H)$ be a $\Gamma$-state. Then $[\delta]\{P_1\}\,S\,\{P_2\}[\varepsilon]$ is valid in $(\sigma, H)$, written $\sigma, H \models^{u}_{\Gamma} [\delta]\{P_1\}\,S\,\{P_2\}[\varepsilon]$, if and only if whenever $\sigma, H \models_{\Gamma} P_1$, then:

1. $\mathcal{MS}\llbracket \Gamma \vdash S : \mathit{ok}(\Gamma') \rrbracket(\sigma,\ H \restriction \mathcal{E}\llbracket \Gamma \vdash \mathit{regRW}(\varepsilon, \delta) : \mathit{regions} \rrbracket(\sigma)) \neq \mathit{err}$, and

2. if $(\sigma', H') = \mathcal{MS}\llbracket \Gamma \vdash S : \mathit{ok}(\Gamma') \rrbracket(\sigma,\ H \restriction \mathcal{E}\llbracket \Gamma \vdash \mathit{regRW}(\varepsilon, \delta) : \mathit{regions} \rrbracket(\sigma))$, then the following all hold:

• $\sigma', H' \models_{\Gamma'} P_2$,

• for all $x \in \mathit{dom}(\sigma) : \sigma'(x) \neq \sigma(x) : \mathit{modifies}\ x \in \varepsilon$,

• for all $(o, f) \in \mathit{dom}(H) : H'[o, f] \neq H[o, f] : (o, f) \in \mathcal{E}\llbracket \Gamma \vdash \mathit{writeR}(\varepsilon) : \mathit{regions} \rrbracket(\sigma)$, and

• for all $(o, f) \in \mathcal{E}\llbracket \Gamma' \vdash \mathit{freshR}(\varepsilon) : \mathit{regions} \rrbracket(\sigma') :: (o, f) \in (\mathit{dom}(H') - \mathit{dom}(H))$.

A UFRL Hoare-formula $[\delta]\{P_1\}\,S\,\{P_2\}[\varepsilon]$ is valid, written $\models^{u}_{\Gamma} [\delta]\{P_1\}\,S\,\{P_2\}[\varepsilon]$, if and only if for all states $(\sigma, H) :: \sigma, H \models^{u}_{\Gamma} [\delta]\{P_1\}\,S\,\{P_2\}[\varepsilon]$.

The above definition limits the heap that a statement can access. Consider the following formula

\[
[\mathit{reads}\ \mathit{region}\{x.f\}]\{x \neq \mathit{null}\}\ y := x.f;\ \{y = x.f\}[\mathit{modifies}\ y] \tag{5.1}
\]

Eq. (5.1) is a valid UFRL Hoare-formula, because $\mathit{regRW}(\mathit{reads}\ \mathit{region}\{x.f\}, \mathit{modifies}\ y) = \mathit{region}\{x.f\}$. The region $\mathit{region}\{x.f\}$ is the least set of locations that the statement needs to make sure that its execution does not cause an error. On the contrary, the formula $[\emptyset]\{x \neq \mathit{null}\}\ y := x.f;\ \{y = x.f\}[\mathit{modifies}\ y]$ is not a valid UFRL Hoare-formula, as $\mathit{regRW}(\mathit{reads}\ \emptyset, \mathit{modifies}\ y) = \mathit{region}\{\}$. As another example, consider the following formula:

\[
[\emptyset]\{x \neq \mathit{null}\}\ x.f := y;\ \{x.f = y\}[\mathit{modifies}\ \mathit{region}\{x.f\}] \tag{5.2}
\]

Eq. (5.2) is a valid UFRL Hoare-formula, because $\mathit{regRW}(\emptyset, \mathit{modifies}\ \mathit{region}\{x.f\}) = \mathit{region}\{x.f\}$.
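As an added illustration of Def. 8 (this code is not from the thesis), the following Python models the restriction $H \restriction \mathit{regRW}(\varepsilon, \delta)$ on a constructed two-field object and checks formulas (5.1) and (5.2) together with the ill-framed variants discussed above. The names `reg_rw`, `valid` and the toy statements are assumptions of the example; the postcondition and fresh-effect clauses of Def. 8 are omitted.

```python
# Added example, not from the thesis: a toy model of Def. 8.  A heap is a dict from
# locations (object id, field) to values; None plays the role of null.
ERR = "err"
def reg_rw(eps_locs, delta_locs):
    # regRW(eps, delta): heap locations named by the write and read effects;
    # 'modifies x' on a variable and fresh effects contribute no locations
    return set(eps_locs) | set(delta_locs)

def field_read(dst, src, f):
    # statement dst := src.f;  errs on null or on a location outside the heap it runs on
    def run(store, heap):
        obj = store.get(src)
        if obj is None or (obj, f) not in heap:
            return ERR
        return {**store, dst: heap[(obj, f)]}, dict(heap)
    return run
def field_update(dst, f, src):
    # statement dst.f := src;
    def run(store, heap):
        obj = store.get(dst)
        if obj is None or (obj, f) not in heap:
            return ERR
        return dict(store), {**heap, (obj, f): store.get(src)}
    return run

def valid(store, heap, stmt, delta_locs, eps_vars, eps_locs):
    # Def. 8 minus the postcondition and fresh clauses: run stmt on H restricted to
    # regRW(eps, delta); it must not err, and every change must be covered by eps
    allowed = reg_rw(eps_locs, delta_locs)
    visible = {loc: v for loc, v in heap.items() if loc in allowed}
    result = stmt(store, visible)
    if result == ERR:
        return False
    store2, heap2 = result
    if any(store2.get(x) != v and x not in eps_vars for x, v in store.items()):
        return False
    return all(heap2.get(loc) == v or loc in eps_locs for loc, v in visible.items())

# constructed state: x points to object 1, which has fields f and g; y is null
STORE = {"x": 1, "y": None}
HEAP = {(1, "f"): 7, (1, "g"): 8}
XF = (STORE["x"], "f")   # the only location in region{x.f}

def checks():
    # (5.1) holds with reads region{x.f} but errs with reads {};  (5.2) holds with
    # modifies region{x.f} but is an unframed write when only a read effect is declared
    y_is_xf, xf_is_y = field_read("y", "x", "f"), field_update("x", "f", "y")
    return (valid(STORE, HEAP, y_is_xf, {XF}, {"y"}, set()),
            valid(STORE, HEAP, y_is_xf, set(), {"y"}, set()),
            valid(STORE, HEAP, xf_is_y, set(), set(), {XF}),
            valid(STORE, HEAP, xf_is_y, {XF}, set(), set()))
```

The fourth check shows the write-effect clause of Def. 8 at work: the update runs without error on the visible heap, but the changed location is not covered by $\mathit{writeR}(\varepsilon)$.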

For the purpose of framing, which is the focus of this work, there is no need to track read effects, although the above definition does limit the heap that the statement can access. However, read effects (on the heap) are needed for future work, e.g., for framing specifications that contain pure method calls [3].

5.1 Axioms and Inference Rules

This section shows the axioms and proof rules for proving statements correct in UFRL. Fig. 5.1 shows the axioms and proof rules. Fig. 5.2 and Fig. 5.3 show the structural rules. These are based on FRL, but with read effects (δ and η) specified.

The axioms for variable declaration, variable assignment, field access, field update and allocation are “small” [71] in the sense that the union of the write effects and read effects describes the least upper bound of the variables and locations that S accesses, and the write effects describe the least upper bound of the set of variables and locations that S may modify. The proof system does not split the store, as variables are discarded by regRW (Def. 8).

The structural rules are shown in Fig. 5.2 and Fig. 5.3. The rule FRMu follows the FRMr rule. The rule SubEffu allows approximations of effects; it can be used to match up the effects for the rule IFu, where different branches may have different effects. The rule SubEffu also allows a correctness proof to switch from a smaller to a larger heap. The rule CONSEQu is the standard consequence rule. The rules FrToPostu and PostToFru are dual; the first allows one to add fresh effects and the second allows one to eliminate fresh effects. To make the PostToFru rule clear, the following is derived from the rule FrToPostu:

\[
\dfrac{\vdash^{u}_{\Gamma} [\delta]\{P\}\ S\ \{P'\}[\varepsilon, \mathit{fresh}(RE)]}{\vdash^{u}_{\Gamma} [\delta]\{P\}\ S\ \{P' \,\&\&\, r \mathrel{!!} RE\}[\varepsilon]}
\]
where $P \Rightarrow r = \mathit{alloc}$

This uses the subeffect rule, because $\mathit{regRW}(\delta, \mathit{fresh}(RE), \varepsilon) \le \mathit{regRW}(\delta, \varepsilon)$, and regRW ignores fresh effects.

(SKIPu)
\[
\vdash^{u}_{\Gamma} [\emptyset]\{\mathit{true}\}\ \mathit{skip};\ \{\mathit{true}\}[\emptyset]
\]

(VARu)
\[
\vdash^{u}_{\Gamma} [\emptyset]\{\mathit{true}\}\ \mathit{var}\ x : T;\ \{x = \mathit{default}(T)\}[\emptyset]
\]

(ALLOCu)
\[
\vdash^{u}_{\Gamma} [\emptyset]\{\mathit{true}\}\ x := \mathit{new}\ T;\ \{\mathit{new}(T, x)\}[\mathit{modifies}\ x, \mathit{modifies}\ \mathit{alloc}, \mathit{fresh}(\mathit{region}\{x.{*}\})]
\]

(ASGNu)
\[
\vdash^{u}_{\Gamma} [\eta]\{\mathit{true}\}\ x := G;\ \{x = G\}[\mathit{modifies}\ x]
\]
where $x \notin FV(G)$ and $\eta = \mathit{efs}(G)$

(UPDu)
\[
\vdash^{u}_{\Gamma} [x, \eta]\{x \neq \mathit{null}\}\ x.f := G;\ \{x.f = G\}[\mathit{modifies}\ \mathit{region}\{x.f\}]
\]
where $\eta = \mathit{efs}(G)$

(ACCu)
\[
\vdash^{u}_{\Gamma} [\eta]\{x' \neq \mathit{null}\}\ x := x'.f;\ \{x = x'.f\}[\mathit{modifies}\ x]
\]
where $x \neq x'$ and $\eta = \mathit{efs}(x'.f)$

(IFu)
\[
\dfrac{\vdash^{u}_{\Gamma} [\delta]\{P \,\&\&\, E\}\ S_1\ \{Q\}[\varepsilon] \qquad \vdash^{u}_{\Gamma} [\delta]\{P \,\&\&\, \neg E\}\ S_2\ \{Q\}[\varepsilon]}{\vdash^{u}_{\Gamma} [\delta, \delta_E]\{P\}\ \mathit{if}\ E\ \{S_1\}\ \mathit{else}\ \{S_2\}\ \{Q\}[\varepsilon]}
\]
where $\delta_E = \mathit{efs}(E)$

(SEQ1u)
\[
\dfrac{\vdash^{u}_{\Gamma} [\delta_1]\{P\}\ S_1\ \{P'\}[\varepsilon_1, \mathit{fresh}(RE)] \qquad \vdash^{u}_{\Gamma'} [\delta_2, \mathit{reads}\ RE_1]\{P'\}\ S_2\ \{P'\}[\varepsilon_2, \mathit{modifies}\ RE_2]}{\vdash^{u}_{\Gamma} [\delta_1, \delta_2]\{P\}\ S_1 S_2\ \{P'\}[\varepsilon_1, \varepsilon_2, \mathit{fresh}(RE)]}
\]
where $S_1 \neq \mathit{var}\ x : T;$, $\varepsilon_1$ is fresh-free, $\delta_2$ is $P/\varepsilon_1$-immune, $\varepsilon_2$ is $P/\varepsilon_1$-immune, $RE$ is $P'/(\mathit{modifies}\ RE_2, \varepsilon_2)$-immune, $RE_1 \le RE$ and $RE_2 \le RE$

(SEQ2u)
\[
\dfrac{\vdash^{u}_{\Gamma, x : T} [\delta, \mathit{reads}\ x]\{P \,\&\&\, x = \mathit{default}(T)\}\ S\ \{Q\}[\mathit{modifies}\ x, \varepsilon]}{\vdash^{u}_{\Gamma} [\delta]\{P\}\ \mathit{var}\ x : T;\ S\ \{Q\}[\varepsilon]}
\]

(WHILEu)
\[
\dfrac{\vdash^{u}_{\Gamma} [\delta]\{P \,\&\&\, E\}\ S\ \{P\}[\varepsilon, \mathit{modifies}\ RE]}{\vdash^{u}_{\Gamma} [\delta, \delta_E]\{P \,\&\&\, r = \mathit{alloc}\}\ \mathit{while}\ E\ \{S\}\ \{P \,\&\&\, \neg E\}[\varepsilon]}
\]
where $\delta_E = \mathit{efs}(E)$, $P \Rightarrow RE \mathrel{!!} r$, $\varepsilon$ is fresh-free, $\mathit{modifies}\ r \notin \varepsilon$, $\delta$ is $P/\varepsilon$-immune and $\varepsilon$ is $P/\varepsilon$-immune

(FRMu)
\[
\dfrac{\vdash^{u}_{\Gamma} [\delta]\{P\}\ S\ \{P'\}[\varepsilon] \qquad P \vdash_{\Gamma} \eta\ \mathit{frm}\ Q}{\vdash^{u}_{\Gamma} [\delta]\{P \,\&\&\, Q\}\ S\ \{P' \,\&\&\, Q\}[\varepsilon]}
\]
where $P \,\&\&\, Q \Rightarrow \eta \mathrel{\cdot/\cdot} \varepsilon$

(SubEffu)
\[
\dfrac{\vdash^{u}_{\Gamma} [\delta]\{P_1\}\,S\,\{P_2\}[\varepsilon] \qquad \vdash_{P_1} \varepsilon \le \varepsilon'}{\vdash^{u}_{\Gamma} [\delta']\{P_1\}\,S\,\{P_2\}[\varepsilon']}
\]
where $P_1 \Rightarrow \mathit{regRW}(\varepsilon, \delta) \le \mathit{regRW}(\varepsilon', \delta')$

(CONSEQu)
\[
\dfrac{\vdash^{u}_{\Gamma} [\delta]\{P_1\}\ S\ \{P_1'\}[\varepsilon]}{\vdash^{u}_{\Gamma} [\delta]\{P_2\}\ S\ \{P_2'\}[\varepsilon]}
\]
where $P_2 \Rightarrow P_1$ and $P_1' \Rightarrow P_2'$

(ConEffu)
\[
\dfrac{\vdash^{u}_{\Gamma} [\delta]\{P \,\&\&\, E\}\ S\ \{P'\}[\varepsilon_1] \qquad \vdash^{u}_{\Gamma} [\delta]\{P \,\&\&\, \neg E\}\ S\ \{P'\}[\varepsilon_2]}{\vdash^{u}_{\Gamma} [\delta]\{P\}\ S\ \{P'\}[E\ ?\ \varepsilon_1 : \varepsilon_2]}
\]

(ConMask1u)
\[
\dfrac{\vdash^{u}_{\Gamma} [\delta]\{P\}\ S\ \{P'\}[\varepsilon, E\ ?\ \varepsilon_1 : \varepsilon_2]}{\vdash^{u}_{\Gamma} [\delta]\{P\}\ S\ \{P'\}[\varepsilon, \varepsilon_1]}
\]
where $P \Rightarrow E$

(ConMask2u)
\[
\dfrac{\vdash^{u}_{\Gamma} [\delta]\{P\}\ S\ \{P'\}[\varepsilon, E\ ?\ \varepsilon_1 : \varepsilon_2]}{\vdash^{u}_{\Gamma} [\delta]\{P\}\ S\ \{P'\}[\varepsilon, \varepsilon_2]}
\]
where $P \Rightarrow \neg E$

(PostToFru)
\[
\dfrac{\vdash^{u}_{\Gamma} [\delta]\{P\}\ S\ \{P'\}[\varepsilon]}{\vdash^{u}_{\Gamma} [\delta]\{P\}\ S\ \{P'\}[\varepsilon, E\ ?\ \mathit{fresh}(RE_1) : \mathit{fresh}(RE_2)]}
\]
where $P \Rightarrow (E \,\&\&\, RE_1 \mathrel{!!} \mathit{alloc})$ and $P \Rightarrow (\neg E \wedge RE_2 \mathrel{!!} \mathit{alloc})$

(FrToPostu)
\[
\dfrac{\vdash^{u}_{\Gamma} [\delta]\{P\}\ S\ \{P'\}[\varepsilon, E\ ?\ \mathit{fresh}(RE_1) : \mathit{fresh}(RE_2)]}{\vdash^{u}_{\Gamma} [\delta]\{P\}\ S\ \{P' \,\&\&\, (b \Rightarrow RE_1 \mathrel{!!} r) \,\&\&\, (\neg b \Rightarrow RE_2 \mathrel{!!} r)\}[\varepsilon, E\ ?\ \mathit{fresh}(RE_1) : \mathit{fresh}(RE_2)]}
\]
where $P \Rightarrow b = E$, $P \Rightarrow r = \mathit{alloc}$, $P \Rightarrow E$, $\mathit{modifies}\ b \notin \varepsilon$ and $\mathit{modifies}\ r \notin \varepsilon$

(VarMask1u)
\[
\dfrac{\vdash^{u}_{\Gamma} [\delta]\{P\}\ S\ \{P'\}[E\ ?\ (\mathit{modifies}\ x, \varepsilon_1) : \varepsilon_2]}{\vdash^{u}_{\Gamma} [\delta]\{P\}\ S\ \{P'\}[E\ ?\ \varepsilon_1 : \varepsilon_2]}
\]
where $P \Rightarrow E$, $P \mathrel{||} P' \Rightarrow x = y$ and $P \,\&\&\, E \Rightarrow \mathit{reads}\ y \mathrel{\cdot/\cdot} (x, \varepsilon)$

(VarMask2u)
\[
\dfrac{\vdash^{u}_{\Gamma} [\delta]\{P\}\ S\ \{P'\}[E\ ?\ \varepsilon_1 : (\mathit{modifies}\ x, \varepsilon_2)]}{\vdash^{u}_{\Gamma} [\delta]\{P\}\ S\ \{P'\}[E\ ?\ \varepsilon_1 : \varepsilon_2]}
\]
where $P \Rightarrow \neg E$, $P \mathrel{||} P' \Rightarrow x = y$ and $P \,\&\&\, E \Rightarrow \mathit{reads}\ y \mathrel{\cdot/\cdot} (x, \varepsilon)$

(FieldMask1u)
\[
\dfrac{\vdash^{u}_{\Gamma} [\delta]\{P\}\ S\ \{P'\}[\varepsilon, E\ ?\ (\mathit{modifies}\ \mathit{region}\{x.f\}, \varepsilon_1) : \varepsilon_2]}{\vdash^{u}_{\Gamma} [\delta]\{P\}\ S\ \{P'\}[\varepsilon, E\ ?\ \varepsilon_1 : \varepsilon_2]}
\]
where $P \Rightarrow E$, $P \mathrel{||} P' \Rightarrow x.f = y$, $P' \,\&\&\, E \Rightarrow \mathit{reads}\ x \mathrel{\cdot/\cdot} \mathit{modifies}\ \varepsilon$ and $P' \,\&\&\, E \Rightarrow \mathit{reads}\ y \mathrel{\cdot/\cdot} \mathit{modifies}\ \varepsilon$

(FieldMask2u)
\[
\dfrac{\vdash^{u}_{\Gamma} [\delta]\{P\}\ S\ \{P'\}[\varepsilon, E\ ?\ \varepsilon_1 : (\mathit{modifies}\ \mathit{region}\{x.f\}, \varepsilon_2)]}{\vdash^{u}_{\Gamma} [\delta]\{P\}\ S\ \{P'\}[\varepsilon, E\ ?\ \varepsilon_1 : \varepsilon_2]}
\]
where $P \Rightarrow \neg E$, $P \mathrel{||} P' \Rightarrow x.f = y$, $P' \,\&\&\, E \Rightarrow \mathit{reads}\ x \mathrel{\cdot/\cdot} \mathit{modifies}\ \varepsilon$ and $P' \,\&\&\, E \Rightarrow \mathit{reads}\ y \mathrel{\cdot/\cdot} \mathit{modifies}\ \varepsilon$

Figure 5.3: The structural rules in UFRL (2)

5.1.1 The Sequence Rules

The complication arising from read effects is discussed here. Consider the case where $S_1$ allocates some new objects, which are read by $S_2$. This is the case where the freshly allocated region $RE$ is not empty. Then the read effects of $S_1 S_2$ can drop $RE$ from the read effects of $S_2$. For example, reference type $T$ for simplicity. Using the rules ALLOCu and ACCu, the following must be true:

\[
\vdash^{u}_{\Gamma} [\emptyset]\{\mathit{true}\}\ x := \mathit{new}\ T;\ \{\mathit{new}(T, x)\}[\mathit{modifies}\ x, \mathit{modifies}\ \mathit{alloc}, \mathit{fresh}(\mathit{region}\{x.{*}\})] \tag{5.3}
\]

\[
\vdash^{u}_{\Gamma} [\mathit{reads}\ x, \mathit{region}\{x.f\}]\{x \neq \mathit{null}\}\ y := x.f;\ \{y = x.f\}[\mathit{modifies}\ y] \tag{5.4}
\]

Then, after using the SubEffu rule to loosen the read effect of Eq. (5.4), the following is derived:

\[
\vdash^{u}_{\Gamma} [\mathit{reads}\ x, \mathit{region}\{x.{*}\}]\{x \neq \mathit{null}\}\ y := x.f;\ \{y = x.f\}[\mathit{modifies}\ y] \tag{5.5}
\]

Then, after using the CONSEQu rule on Eq. (5.3), the following is derived:

\[
\vdash^{u}_{\Gamma} [\emptyset]\{\mathit{true}\}\ x := \mathit{new}\ T;\ \{x \neq \mathit{null}\}[\mathit{modifies}\ x, \mathit{modifies}\ \mathit{alloc}, \mathit{fresh}(\mathit{region}\{x.{*}\})] \tag{5.6}
\]

In order to use the SEQ1u rule on Eq. (5.6) and Eq. (5.5), it is instantiated with $RE := \mathit{region}\{x.{*}\}$, $RE_1 := \mathit{region}\{x.{*}\}$, $RE_2 := \mathit{region}\{\}$, $\varepsilon_1 := \mathit{modifies}\ x, \mathit{modifies}\ \mathit{alloc}$ and $\varepsilon_2 := \mathit{modifies}\ y$. Then, the proof obligation is to check the immune side conditions, which are:

\[
\mathit{reads}\ x \text{ is } \mathit{true}/(\mathit{modifies}\ x, \mathit{modifies}\ \mathit{alloc})\text{-immune} \tag{5.7}
\]

and

\[
\mathit{modifies}\ y \text{ is } \mathit{true}/(\mathit{modifies}\ x, \mathit{modifies}\ \mathit{alloc})\text{-immune} \tag{5.8}
\]

By the definition of immune (Def. 6 on page 33), to prove Eq. (5.7) and Eq. (5.8) is to show

\[
\text{for all } \mathit{reads}\ RE \in (\mathit{reads}\ x) :: RE \text{ is } \mathit{true}/(\mathit{modifies}\ x, \mathit{modifies}\ \mathit{alloc})\text{-immune} \tag{5.9}
\]

and

\[
\text{for all } \mathit{modifies}\ RE \in (\mathit{modifies}\ y) :: RE \text{ is } \mathit{true}/(\mathit{modifies}\ x, \mathit{modifies}\ \mathit{alloc})\text{-immune} \tag{5.10}
\]

Eq. (5.9) and Eq. (5.10) are vacuously true. Now, using the rule SEQ1u, the following is derived:

\[
\vdash^{u}_{\Gamma} [\mathit{reads}\ x]\{\mathit{true}\}\ x := \mathit{new}\ T;\ y := x.f;\ \{y = x.f\}[\mathit{modifies}\ x, \mathit{modifies}\ \mathit{alloc}, \mathit{modifies}\ y, \mathit{fresh}(\mathit{region}\{x.{*}\})]
\]

In this case, the $\mathit{region}\{x.{*}\}$ of the read effect in the second statement is dropped from that of the sequence statement, as the fresh effects of the first statement become the fresh effects of the sequence.

5.2 Soundness

Theorem 2. The judgment $\vdash^{u}_{\Gamma} [\delta]\{P\}\,S\,\{Q\}[\varepsilon]$ that is derivable by the axioms and inference rules in Fig. 5.1, and the structural rules in Fig. 5.2 and Fig. 5.3, is valid.

Proof. Using the result of Theorem 1 on page 49, the proof only needs to check the read effects. Let $S$ be a statement and $(\sigma, h)$ be a $\Gamma$-state. Assume $\vdash^{u}_{\Gamma} [\delta]\{P\}\ S\ \{Q\}[\varepsilon]$ and $\sigma, h \models_{\Gamma} P$. Then it needs to be true that $\mathcal{MS}\llbracket \Gamma \vdash S : \mathit{ok}(\Gamma') \rrbracket(\sigma,\ h \restriction \mathcal{E}\llbracket \Gamma \vdash \mathit{regRW}(\varepsilon, \delta) : \mathit{regions} \rrbracket(\sigma)) \neq \mathit{err}$.

1. (SKIPu) In this case, $S$ is $\mathit{skip};$, $P$ is $\mathit{true}$, and $\delta$ and $\varepsilon$ are both $\emptyset$. As it is known that $h \restriction \mathcal{E}\llbracket \Gamma \vdash \mathit{regRW}(\varepsilon, \delta) : \mathit{regions} \rrbracket(\sigma) = \emptyset$, by the program semantics in Fig. 2.4, it must be true that $\mathcal{MS}\llbracket \Gamma \vdash \mathit{skip}; : \mathit{ok}(\Gamma) \rrbracket(\sigma, \emptyset) \neq \mathit{err}$.

2. (VARu) In this case, $S$ is $\mathit{var}\ x : T;$, $P$ is $\mathit{true}$, and $\delta$ and $\varepsilon$ are both $\emptyset$. As it is known that $h \restriction \mathcal{E}\llbracket \Gamma \vdash \mathit{regRW}(\varepsilon, \delta) : \mathit{regions} \rrbracket(\sigma) = \emptyset$, by the program semantics in Fig. 2.4, it must be true that $\mathcal{MS}\llbracket \Gamma \vdash \mathit{var}\ x : T; : \mathit{ok}(\Gamma, x : T) \rrbracket(\sigma, \emptyset) \neq \mathit{err}$.

3. (ALLOCu) In this case, $S$ is $x := \mathit{new}\ T;$, $P$ is $\mathit{true}$, and $\varepsilon$ and $\delta$ are both $\emptyset$. As it is known that $h \restriction \mathcal{E}\llbracket \Gamma \vdash \mathit{regRW}(\varepsilon, \delta) : \mathit{regions} \rrbracket(\sigma) = \emptyset$, by the program semantics in Fig. 2.4, it must be true that $\mathcal{MS}\llbracket \Gamma \vdash x := \mathit{new}\ T; : \mathit{ok}(\Gamma) \rrbracket(\sigma, \emptyset) \neq \mathit{err}$.

4. (ASGNu) In this case, $S$ is $x := G;$, $P$ is $x = x'$, $\delta$ is $\mathit{efs}(G)$ and $\varepsilon$ is $\mathit{modifies}\ x$, where $x \notin FV(G)$. Since it is known that $h \restriction \mathcal{E}\llbracket \Gamma \vdash \mathit{regRW}(\varepsilon, \delta) : \mathit{regions} \rrbracket(\sigma) = \emptyset$, by the program semantics in Fig. 2.4 on page 23, it must be true that $\mathcal{MS}\llbracket \Gamma \vdash x := G; : \mathit{ok}(\Gamma) \rrbracket(\sigma, \emptyset) \neq \mathit{err}$.

5. (UPDu) In this case, $S$ is $x.f := G;$, $P$ is $x \neq \mathit{null}$, $\delta$ is $(\mathit{reads}\ x, \mathit{efs}(G))$ and $\varepsilon$ is $\mathit{modifies}\ \mathit{region}\{x.f\}$. By the precondition, it is known that $\sigma(x) \neq \mathit{null}$. Since it is known that $\mathcal{E}\llbracket \Gamma \vdash \mathit{regRW}(\varepsilon, \delta) : \mathit{regions} \rrbracket(\sigma) = \{(\sigma(x), f)\}$, by the program semantics in Fig. 2.4, it must be true that $\mathcal{MS}\llbracket \Gamma \vdash x.f := G; : \mathit{ok}(\Gamma) \rrbracket(\sigma,\ h \restriction \{(\sigma(x), f)\}) \neq \mathit{err}$.

6. (ACCu) In this case, $S$ is $x := x'.f;$, $P$ is $x' \neq \mathit{null}$, $\delta$ is $(\mathit{reads}\ x', \mathit{region}\{x'.f\})$ and $\varepsilon$ is $\mathit{modifies}\ x$, where $x \neq x'$. The precondition implies that $\sigma(x') \neq \mathit{null}$. As $\mathcal{E}\llbracket \Gamma \vdash \mathit{regRW}(\varepsilon, \delta) : \mathit{regions} \rrbracket(\sigma) = \{(\sigma(x'), f)\}$, by the program semantics shown in Fig. 2.4, it must be true that $\mathcal{MS}\llbracket \Gamma \vdash x := x'.f; : \mathit{ok}(\Gamma) \rrbracket(\sigma,\ h \restriction \{(\sigma(x'), f)\}) \neq \mathit{err}$.