Relational Logic with Framing and Hypotheses

Relational properties arise in many settings: relating two versions of a program that use different data representations, noninterference properties for security, etc. The main ingredient of relational verification, relating aligned pairs of intermediate steps, has been used in numerous guises, but existing relational program logics are narrow in scope. This paper introduces a logic based on novel syntax that weaves together product programs to express alignment of control flow points at which relational formulas are asserted. Correctness judgments feature hypotheses with relational specifications, discharged by a rule for the linking of procedure implementations. The logic supports reasoning about program-pairs containing both similar and dissimilar control and data structures. Reasoning about dynamically allocated objects is supported by a frame rule based on frame conditions amenable to SMT provers. We prove soundness and sketch how the logic can be used for data abstraction, loop optimizations, and secure information flow

CLASS: A Logical Foundation for Typeful Programming with Shared State

Software construction depends on imperative state sharing and concurrency, which are naturally present in several application domains and are also exploited to improve the structure and efficiency of computer programs. However, reasoning about concurrency and shared mutable state is hard, error-prone and the source of many programming bugs, such as memory leaks, data corruption, deadlocks and non-termination. In this thesis, we develop CLASS: a core session-based language with a lightweight substructural type system, that results from a principled extension of the propositions-astypes correspondence with second-order classical linear logic. More concretely, CLASS offers support for session-based communication, mutex-protected first-class reference cells, dynamic state sharing, generic polymorphic algorithms, data abstraction and primitive recursion. CLASS expresses and types significant realistic programs, that manipulate memoryefficient linked data structures (linked lists, binary search trees) with support for updates in-place, shareable concurrent ADTs (counters, stacks, functional and imperative queues), resource synchronisation methods (fork-joins, barriers, dining philosophers, generic corecursive protocols). All of these examples are guaranteed to be safe, a result that follows by the logical approach. The linear logical foundations guarantee that well-typed CLASS programs do not go wrong: they never deadlock on communication or reference cell acquisition, do not leak memory and always terminate, even if they share complex data structures protected by synchronisation primitives. Furthermore, since we follow a propositions-as-types approach, we can reason about the behaviour of concurrent stateful processes by algebraic program manipulation. The feasibility of our approach is witnessed by the implementation of a type checker and interpreter for CLASS, which validates and guides the development of many realistic programs. The implementation is available with an open-source license, together with several examples.A construção de software depende de estado partilhado imperativo e concorrência, que estão naturalmente presentes em vários domínios de aplicação e que também são explorados para melhorar o a estrutura e o desempenho dos programas. No entanto, raciocinar sobre concorrência e estado mutável partilhado é difícil e propenso à introdução de erros e muitos bugs de programação, tais como fugas de memória, corrupção de dados, programas bloqueados e programas que não terminam a sua execução. Nesta tese, desenvolvemos CLASS: uma linguagem baseada em sessões, com um sistema de tipos leve e subestrutural, que resulta de uma extensão metodológica da correspondência proposições-como-tipos com a lógica linear clássica de segunda ordem. Mais concretamente, a linguagem CLASS oferece suporte para comunicação baseada em sessões, células de memória protegidas com mutexes de primeira classe, partilha dinâmica de estado, algoritmos polimórficos genéricos, abstração de dados e recursão primitiva. A linguagem CLASS expressa e tipifica programas realistas significativos, que manipulam estruturas de dados ligadas eficientes (listas ligadas, árvores de pesquisa binária) suportando actualização imperativa local, TDAs partilhados e concorrentes (contadores, pilhas, filas funcionais e imperativas), métodos de sincronização e partilha de recursos (bifurcar-juntar, barreiras, jantar de filósofos, protocolos genéricos corecursivos). Todos estes exemplos são seguros, uma garantia que resulta da nossa abordagem lógica. Os fundamentos, baseados na lógica linear, garantem que programas em CLASS bem tipificados não incorrem em erros: nunca bloqueiam, quer na comunicação, quer na aquisição de células de memória, nunca causam fugas de memória e terminam sempre, mesmo que compartilhem estruturas de dados complexas protegidas por primitivas de sincronização. Além disso, uma vez que seguimos uma abordagem de proposições-comotipos, podemos raciocinar sobre o comportamento de processos concorrentes, que usam estado, através de manipulação algébrica. A viabilidade da nossa abordagem é evidenciada pela implementação de um verificador de tipos e interpretador para a linguagem CLASS, que valida e orienta o desenvolvimento de vários programs realistas. A implementação está disponível com uma licença de acesso livre, juntamente com inúmeros exemplos

A Relational Logic for Higher-Order Programs

Relational program verification is a variant of program verification where one can reason about two programs and as a special case about two executions of a single program on different inputs. Relational program verification can be used for reasoning about a broad range of properties, including equivalence and refinement, and specialized notions such as continuity, information flow security or relative cost. In a higher-order setting, relational program verification can be achieved using relational refinement type systems, a form of refinement types where assertions have a relational interpretation. Relational refinement type systems excel at relating structurally equivalent terms but provide limited support for relating terms with very different structures. We present a logic, called Relational Higher Order Logic (RHOL), for proving relational properties of a simply typed $\lambda$-calculus with inductive types and recursive definitions. RHOL retains the type-directed flavour of relational refinement type systems but achieves greater expressivity through rules which simultaneously reason about the two terms as well as rules which only contemplate one of the two terms. We show that RHOL has strong foundations, by proving an equivalence with higher-order logic (HOL), and leverage this equivalence to derive key meta-theoretical properties: subject reduction, admissibility of a transitivity rule and set-theoretical soundness. Moreover, we define sound embeddings for several existing relational type systems such as relational refinement types and type systems for dependency analysis and relative cost, and we verify examples that were out of reach of prior work.Comment: Submitted to ICFP 201

Decomposing Logical Relations with Forcing

Logical relations have now the maturity to deal with program equivalence for realistic programming languages with features likes recursive types, higher-order references and first-class continuations. However, such advanced logical relations---which are defined with technical developments like step-indexing or heap abstractions using recursively defined worlds---can make a proof tedious. A lot of work has been done to hide step-indexing in proofs, using Gödel-Löb logic. But to date, step-indexes have still to appear explicitely in particular constructions, for instance when building recursive worlds in a stratified way. In this paper, we go one step further, proposing an extension of Abadi-Plotkin logic with forcing construction which enables to encapsulate reasoning about step-indexing or heap in different layers. Moreover, it gives a uniform and abstract management of step-indexing for recursive terms or types and for higher-order references

First steps in synthetic guarded domain theory: step-indexing in the topos of trees

We present the topos S of trees as a model of guarded recursion. We study the internal dependently-typed higher-order logic of S and show that S models two modal operators, on predicates and types, which serve as guards in recursive definitions of terms, predicates, and types. In particular, we show how to solve recursive type equations involving dependent types. We propose that the internal logic of S provides the right setting for the synthetic construction of abstract versions of step-indexed models of programming languages and program logics. As an example, we show how to construct a model of a programming language with higher-order store and recursive types entirely inside the internal logic of S. Moreover, we give an axiomatic categorical treatment of models of synthetic guarded domain theory and prove that, for any complete Heyting algebra A with a well-founded basis, the topos of sheaves over A forms a model of synthetic guarded domain theory, generalizing the results for S

ReLoC Reloaded:A Mechanized Relational Logic for Fine-Grained Concurrency and Logical Atomicity

We present a new version of ReLoC: a relational separation logic for proving refinements of programs with higher-order state, fine-grained concurrency, polymorphism and recursive types. The core of ReLoC is its refinement judgment $e \precsim e' : \tau$, which states that a program $e$ refines a program $e'$ at type $\tau$. ReLoC provides type-directed structural rules and symbolic execution rules in separation-logic style for manipulating the judgment, whereas in prior work on refinements for languages with higher-order state and concurrency, such proofs were carried out by unfolding the judgment into its definition in the model. ReLoC's abstract proof rules make it simpler to carry out refinement proofs, and enable us to generalize the notion of logically atomic specifications to the relational case, which we call logically atomic relational specifications. We build ReLoC on top of the Iris framework for separation logic in Coq, allowing us to leverage features of Iris to prove soundness of ReLoC, and to carry out refinement proofs in ReLoC. We implement tactics for interactive proofs in ReLoC, allowing us to mechanize several case studies in Coq, and thereby demonstrate the practicality of ReLoC. ReLoC Reloaded extends ReLoC (LICS'18) with various technical improvements, a new Coq mechanization, and support for Iris's prophecy variables. The latter allows us to carry out refinement proofs that involve reasoning about the program's future. We also expand ReLoC's notion of logically atomic relational specifications with a new flavor based on the HOCAP pattern by Svendsen et al

SyTeCi: Automating Contextual Equivalence for Higher-Order Programs with References

International audienc