Semantics of Imperative Objects

Catalin Hritcu

Supervisor: Jan SchwinghammerResponsible: Prof. Gert Smolka

Programming Systems LabSaarland University, Saarbrücken

November 20061

Overview

• Imperative Object Calculus

• Operational Semantics

• “Syntactic” Types

• Axiomatic Semantics

• Denotational Semantics

• Step-indexed Semantics

• Possible Extensions

2

Object Calculi

• Object-oriented programming languages

• Idealized models

• Rigorously defined semantics

• Simple - only one primitive: objects

• Expressive

• can encode: classes and inheritance

• but also functions (the lambda calculus)

3

Object Calculi

• Object-based (not class-based)

• In practice: JavaScript, Self, etc.

• Strongly-typed

• A Theory of Objects [Abadi & Cardelli ‘96]

• We study the imperative object calculus[Abadi & Leino, ‘04]

4

Imperative Object Calculus• Syntax

• More syntactic sugar used in examples

a, b ::= x variable| let x = a in b variable binding| [fi = xi,mj = !(yj)bj ]i!I,j!J object construction| clone x object cloning| x.f field selection| x.f := y field update| x.m method call| true | false booleans| if x then a else b conditional| 0 | succ x | pred x numbers

5

Example Programs

• Factorial

[fac = !(y)"n.if n = 0 then 1 else n! y.fac(n" 1)]

• Euclid’s gcd algorithm

[gcd = !(y)"x."z.if x < z then y.gcd x (z ! x)else if z < x then y.gcd (x! z) z else x]

6

Operational Semantics• Abstract machine

• Small-step: evaluation =

• Reduction Relation:

• Configurations: !!, a" # Config = Store$ LProg

! " Config# Config

!!

(Red-Let1)!!, a" # !!!, a!"

!!, let x = a in b" # !!!, let x = a! in b"

(Red-Let2) !!, let x = v in b" # !!, b[x $# v]"

(Red-If-True) !!, if true then a else b" # !!, a"

(Red-If-False) !!, if false then a else b" # !!, b"

7

Operational Semantics

(Rel-Obj)l !" dom ! o = [fi = vi,mj = "(yj)bj ]i!I,j!J

#!, [fi = vi,mj = "(yj)bj ]i!I,j!J$ % #![l &% o], l$

(Red-Clone)l" !" dom ! ! l = o

#!, clone l$ % #![l" &% o], l"$

(Rel-Sel)! l f = v

#!, l.f$ % #!, v$

(Red-Inv)! l m = "(y)b

#!, l.m$ % #!, b[y &% l]$

(Red-Upd)! l f ' !" = ![l &% (! l)[f &% v]]

#!, l.f := v$ % #!", l$

8

Example Reduction

Nonterminating evaluation

!", let y = [m = !(x)x.m] in y.m# $!l = [m = !(x)x.m], let y = l in y.m# $!l = [m = !(x)x.m], l.m# $!l = [m = !(x)x.m], l.m# $ . . .

9

Types of Objects

• Simple types:

• Typing relation:

• Types are “purely syntactical”

• Subtyping (fields invariant, methods covariant)

T ::= Bool | Nat | [fi : Ti,mj : Sj ]i!I,j!J

(! ! a : T ) : (Var !fin Ty)" Prog" Ty

Bool ! Bool

Nat ! Nat

"j # J ! : Sj ! Rj I ! $ I J ! $ J

[fi : Ti,mj : Sj ]i"I,j"J ! [fi : Ti,mj : Rj ]i"I!,j"J!

10

Typing Rules

(T-Sub)T ! T ! ! " a : T

! " a : T ! (T-Var)! x = T

! " x : T

(T-True) ! " true : Bool (T-False) ! " false : Bool

(T-If)! ! x : Bool ! ! a : T ! ! b : T

! ! if x then a else b : T

(T-Let)! ! a : S !, x : S ! b : T

! ! let x = a in b : T

11

Typing Rules

(T-Obj)! ! xi : Ti !, yj : T ! bj : Sj

! ! [fi = xi,mj = !(yj)bj ]i!I,j!J : T

where T = [fi : Ti,mj : Sj ]i!I,j!J

(T-Clone)! ! x : T T = [fi : Ti,mj : Sj ]i!I,j!J

! ! clone x : T

(T-Upd)! ! x : [f : T ] ! ! y : T

! ! x.f := y : []

(T-Sel)! ! x : [f : T ]! ! x.f : T

(T-Inv)! ! x : [m : T ]! ! x.m : T

12

Program logic

• Deduction system for program correctness

• E.g. Hoare logic [Floyd, ‘67] [Hoare, ‘69]

• Widely used in program verification (E.g. Verisoft)

! {p " b}S1{q} ! {p " ¬b}S2{q}! {p}if b then S1 else S2{q}

13

The Logic of Objects

• [Abadi & Leino, ‘97] [Abadi & Leino, ‘04]

• A refinement of the type system (undecidable)

• Attempt to mechanize [Hofmann & Tang, ‘02]

• Specifications generalize types

• φ is a first-order logic formula (pre + post)

• Sub-specification generalizes subtyping

• Subsumption corresponds to weakening

! ! a : T ! E " a : A :: !

14

The Logic of Objects

• Specifications not tight (as in separation logic)

• Soundness hard to prove [Reus & Schwinghammer, ‘06]

(S-Obj)E ! xi : Ai :: Res(xi) E, yj : A ! bj : Bj :: !j

E ! [fi = xi,mj = "(yj)bj ]i!I,j!J : A :: !

where A = [fi : Ai,mj : "(yi)Bj :: !j ]i!I,j!J

and ! = ¬ `alloc(r) ! ´alloc(r) !!

i!I #́(r, fi) = xi

! ("z. z #= r $ ( `alloc(z) % ´alloc(z)! "w. #̀(z, w) % #́(z, w)))

and Res(e) " r = e ! ("x. "w. `alloc(x) % ´alloc(x)! #̀(x,w) = #́(x,w))

15

Higher-order Store

• Executable code can be stored

• General references in ML

• Pointers to functions in C

• Callbacks in Java

• Recursion by “tying a knot in the store”

• Example (factorial through a field)

let x = [f = !(y)"n.n] inlet z = [f = x, fac = !(y)"n.if n = 0 then 1

else n! y.f.fac(n" 1)] inz.f := z

16

Higher-order Store

• Imperative object calculus

• Dynamically allocated, higher-order store

• Challenge: finding good semantic models

• Reasoning about the behavior of programs

• Program correctness (using a program logic)

• Operational Semantics

• Useful for proving safety(progress&preservation)

• Not suitable as the basis for a program logic[Benton, ‘05] [Reus & Schwinghammer, ‘06]

17

Denotational Semantics

• The meaning of a program is a mathematical object

• E.g. denotation of a lambda abstraction = function

• Higher-order store

• Solving recursive domain equations

• Dynamic Allocation

• Possible-world model =category of functors over CPOs

• Domain theory, category theory, order theory

• More abstract - reasoning about program behavior

18

Denotational Semantics

• For the imperative object calculus

• Complex [Reus & Schwinghammer, ‘06]

• Separates logical validity from derivability

• Specification = predicate on programs

• Current models are still not abstract enough

• Many natural equivalences do not hold

19

Step-indexed Semantics

• Foundational proof-carrying code by Appel et al.

• Simpler machine-checkable proofs

• Type soundness

• For (very) low-level languages

• Lambda calculus

• Recursive types [Appel & McAllester, ‘01]

• General references and polymorphism[Ahmed et al., ‘03]

20

Step-indexed Semantics

• Based on a small-step operational semantics

• Type = set of indexed values

• Semantic approach to typing

• Types are predicates

• Type constructors functions

• Simpler than a cpo-based denotational semantics

• Used as a model for a program logic [Benton ‘05]

“e :k T if e behaves like an element of T for k steps”

21

What We Are Working On• Main goal

• Develop a step-indexed semantics for the imperative object calculus with simple object types

• Proving soundness of the typing rules

• Extensions

• Enriching the type system with:

• Subtyping

• Recursive object types[Reus & Streicher, ‘02] [Schwinghammer, ‘06]

• Impredicative polymorphism

22

• Defining a program logic extending types

• Construct a sound deduction system

• FOL assertions about the store [Benton, ‘05][Abadi & Leino, ‘04] [Podelski & Schaefer ‘05]

• Dependent types+shallow embedding to HOL- e.g. Hoare Type Theory [Nanevski et al., ‘06]

• Local and modular reasoning

• Separation Logic [Reynolds, ‘02]

• ADTs - Idealized ML [Krishnaswami et al., ‘06]

More Possible Extensions

23

Thank you!

24

ReferencesReferences

[1] Mart́ın Abadi and Luca Cardelli. A Theory of Objects. Springer, 1996.

[2] Mart́ın Abadi and K. Rustan M. Leino. A logic of object-oriented programs. In Michel Bidoit andMax Dauchet, editors, Proceedings of Theory and Practice of Software Development, volume1214 of Lecture Notes in Computer Science, pages 682–696. Springer, 1997.

[3] Mart́ın Abadi and K. Rustan M. Leino. A logic of object-oriented programs. In Nachum Der-showitz, editor, Verification: Theory and Practice. Essays Dedicated to Zohar Manna on theOccasion of his 64th Birthday, Lecture Notes in Computer Science, pages 11–41. Springer, 2004.

[4] Amal J. Ahmed, Andrew W. Appel, and Roberto Virga. An indexed model of impredicativepolymorphism and mutable references. Princeton University, January 2003.

[5] Amal J. Ahmed, Matthew Fluet, and Greg Morrisett. A step-indexed model of substructuralstate. In Olivier Danvy and Benjamin C. Pierce, editors, International Conference on FunctionalProgramming (ICFP’05), pages 78–91. ACM Press, 2005.

[6] Andrew W. Appel and David McAllester. An indexed model of recursive types for foundationalproof-carrying code. ACM Transactions on Programming Languages and Systems, 23(5):657–683, September 2001.

[7] Nick Benton. A typed, compositional logic for a stack-based abstract machine. In Zoltan Esik,editor, Asian Symposium on Programming Languages and Systems APLAS’05, volume 3780 ofLecture Notes in Computer Science, pages 182–196. Springer, 2005.

[8] Nick Benton. Abstracting allocation: the new new thing. In Computer Science Logic, volume4207 of Lecture Notes in Computer Science, pages 364–380. Springer, 2006.

[9] Robert W. Floyd. Assigning meanings to programs. In Jacob T. Schwartz, editor, Proceedings ofMathematical Aspects of Computer Science, volume 19 of Proceedings of Symposia in AppliedMathematics, pages 19–32. American Mathematical Society, April 1967.

[10] C. A. R. Hoare. An Axiomatic Basis of Computer Programming. Communications of the ACM,12:576–580, 1969.

[11] Neelakantan R. Krishnaswami, Lars Birkedal, Jonathan Aldrich, and John C. Reynolds. IdealizedML and its separation logic. Submitted, 2006.

[12] Aleksandar Nanevski, Amal Ahmed, Greg Morrisett, and Lars Birkedal. Abstract predicates andmutable adts in hoare type theory. Technical Report TR-14-06, Harvard University, 2006.

[13] Andreas Podelski and Ina Schaefer. Local reasoning for termination. In Workshop on Verificationof Concurrent Systems with Dynamic Allocated Heap (COSMICAH05), Lisabon, July 2005.

[14] Bernhard Reus and Jan Schwinghammer. Denotational semantics for a program logic of objects.Mathematical Structures in Computer Science, 16(2):313–358, April 2006.

[15] Bernhard Reus and Thomas Streicher. Semantics and logic of object calculi. In Proceedingsof 17th Annual IEEE Symposium Logic in Computer Science, pages 113–124. IEEE ComputerSociety Press, 2002.

[16] John C. Reynolds. Separation logic: A logic for shared mutable data structures. In Proceedingsof the 17th IEEE Symposium on Logic in Computer Science, pages 55–74. IEEE ComputerSociety, 2002.

[17] Jan Schwinghammer. Reasoning about Denotations of Recursive Objects. PhD thesis, Depart-ment of Informatics, University of Sussex, 2006.

[18] Francis Tang and Martin Hofmann. Generation of verification conditions for Abadi and Leino’slogic of objects. Presented at 9th International Workshop on Foundations of Object-OrientedLanguages, January 2002.

1

25

References

References

[1] Mart́ın Abadi and Luca Cardelli. A Theory of Objects. Springer, 1996.

[2] Mart́ın Abadi and K. Rustan M. Leino. A logic of object-oriented programs. In Michel Bidoit andMax Dauchet, editors, Proceedings of Theory and Practice of Software Development, volume1214 of Lecture Notes in Computer Science, pages 682–696. Springer, 1997.

[3] Mart́ın Abadi and K. Rustan M. Leino. A logic of object-oriented programs. In Nachum Der-showitz, editor, Verification: Theory and Practice. Essays Dedicated to Zohar Manna on theOccasion of his 64th Birthday, Lecture Notes in Computer Science, pages 11–41. Springer, 2004.

[4] Amal J. Ahmed, Andrew W. Appel, and Roberto Virga. An indexed model of impredicativepolymorphism and mutable references. Princeton University, January 2003.

[5] Amal J. Ahmed, Matthew Fluet, and Greg Morrisett. A step-indexed model of substructuralstate. In Olivier Danvy and Benjamin C. Pierce, editors, International Conference on FunctionalProgramming (ICFP’05), pages 78–91. ACM Press, 2005.

[6] Andrew W. Appel and David McAllester. An indexed model of recursive types for foundationalproof-carrying code. ACM Transactions on Programming Languages and Systems, 23(5):657–683, September 2001.

[7] Nick Benton. A typed, compositional logic for a stack-based abstract machine. In Zoltan Esik,editor, Asian Symposium on Programming Languages and Systems APLAS’05, volume 3780 ofLecture Notes in Computer Science, pages 182–196. Springer, 2005.

[8] Nick Benton. Abstracting allocation: the new new thing. In Computer Science Logic, volume4207 of Lecture Notes in Computer Science, pages 364–380. Springer, 2006.

[9] Robert W. Floyd. Assigning meanings to programs. In Jacob T. Schwartz, editor, Proceedings ofMathematical Aspects of Computer Science, volume 19 of Proceedings of Symposia in AppliedMathematics, pages 19–32. American Mathematical Society, April 1967.

[10] C. A. R. Hoare. An Axiomatic Basis of Computer Programming. Communications of the ACM,12:576–580, 1969.

[11] Neelakantan R. Krishnaswami, Lars Birkedal, Jonathan Aldrich, and John C. Reynolds. IdealizedML and its separation logic. Submitted, 2006.

[12] Aleksandar Nanevski, Amal Ahmed, Greg Morrisett, and Lars Birkedal. Abstract predicates andmutable adts in hoare type theory. Technical Report TR-14-06, Harvard University, 2006.

[13] Andreas Podelski and Ina Schaefer. Local reasoning for termination. In Workshop on Verificationof Concurrent Systems with Dynamic Allocated Heap (COSMICAH05), Lisabon, July 2005.

[14] Bernhard Reus and Jan Schwinghammer. Denotational semantics for a program logic of objects.Mathematical Structures in Computer Science, 16(2):313–358, April 2006.

[15] Bernhard Reus and Thomas Streicher. Semantics and logic of object calculi. In Proceedingsof 17th Annual IEEE Symposium Logic in Computer Science, pages 113–124. IEEE ComputerSociety Press, 2002.

[16] John C. Reynolds. Separation logic: A logic for shared mutable data structures. In Proceedingsof the 17th IEEE Symposium on Logic in Computer Science, pages 55–74. IEEE ComputerSociety, 2002.

[17] Jan Schwinghammer. Reasoning about Denotations of Recursive Objects. PhD thesis, Depart-ment of Informatics, University of Sussex, 2006.

[18] Francis Tang and Martin Hofmann. Generation of verification conditions for Abadi and Leino’slogic of objects. Presented at 9th International Workshop on Foundations of Object-OrientedLanguages, January 2002.

1

26