Deriving a Hoare-Floyd logic for non-local jumps from a formulae-as-types notion of control

arXiv:1112.2950v1 [cs.LO] 13 Dec 2011 Deriving a Hoare-Floyd logic for non-local jumps from a formulæ-as-types notion of control Tristan Crolard Emmanuel Polonowski LACL – Universit´e Paris-Est, France {crolard,polonowski}@u-pec.fr Abstract We derive a Hoare-Floyd logic for non-local jumps and mutable higher-orderprocedural variables from a formulæ-as-types notion of control for classical logic. The main contribution of this work is the design of an imperative dependent type system for non-local jumps which corresponds to classical logic but where the famous consequence rule is still derivable. Hoare-Floyd logics for non-local jumps are notoriously difficult to obtain, especially in the presence of local mutable variables [7]. As far as we know, the question of proving the correctness of imperative programs which combine local mutable higher-order procedural variables and non-local jumps has not even been addressed. On the other hand, we know since Griffin’s pioneering work [3] how to prove the correctness of (higher-order) functional programs with control in direct style, thanks to the formulæ-as- types interpretation of classical logic. In [1], Chapter 3, we have thus extended the formulæ-as-types notion of control to imperative pro- grams with higher-order procedural mutable variables and non-local jumps. Our technique, which was inspired by Landin’s seminal paper [4], consists in defining an imperative dependent type system ID by translation into a functional dependent type system (which is actually Leivant’s ML1P [5]). This imperative language, called LOOPω, was defined by the authors in [2]. Similarly to ML1P, the imperative type system is parametrized by a first-order signature and an equational system E which defines a set of functions in the style of Herbrand-G¨odel. The syntax of imperative types of ID (with dependent procedure types and dependent records) is the following: σ,τ : : = nat(n) | proc ∀⃗ı(in⃗τ;out ⃗σ) | ∃⃗ı(σ1,...,σn) | n = m Typing judgements of ID have the form Γ;Ω⊢e : ψ if e is an expression and Γ;Ω⊢s ⊲Ω′ if s is a sequence, where environments Γ and Ωcorresponds respectively to immutable and mutable variables. Note that our type system is pseudo-dynamic in the sense that the type of mutable variables can change in a sequence and the new types are given by Ω′ (as in [8]). For instance, here is the typing rule of the for loop: Γ;Ω,⃗x : ⃗σ[0/i] ⊢e : nat(n) Γ,y : nat(i);⃗x : ⃗σ ⊢s ⊲⃗x : ⃗σ[s(i)/i] Γ;Ω,⃗x : ⃗σ[0/i] ⊢for y := 0 until e {s}⃗x ⊲⃗x : ⃗σ[n/i] Embedding a Hoare-Floyd logic It is almost straightforward to embed a Hoare-Floyd logic into ID. Indeed, let us take a global mutable variable, dubbed assert, and let us assume that this global variable is simulated in the usual state-passing style (the variable is passed as an explicit in and out parameter to each procedure call). Consequently, any sequence shall be typed with a sequent of the form Γ;Ω,assert : ϕ ⊢s ⊲Ω′,assert : ψ. If we now introduce the usual Hoare notation for triples (which hides the name of global variable assert), we obtain judgments of the form Γ;Ω⊢{ϕ}s ⊲Ω′{ψ}. Rules very similar to Hoare rules are then derivable: for instance, the type of assert corresponds to the invariant in a loop, and to the type of pre 1 Deriving a Hoare-Floyd logic for non-local jumps T. Crolard and E. Polonowski and post conditions in a procedure type. The only rule which is not directly derivable is the well-known consequence rule: Γ,Ω⊢ϕ′ ⇒ϕ Γ;Ω⊢{ϕ}s ⊲Ω′{ψ} Γ,Ω⊢ψ ⇒ψ′ Γ;Ω⊢{ϕ′}s ⊲Ω′{ψ′} This rule deserves a specific treatment since no proof-term is required for the proof obligations. However, it is well-known that in intuitionistic logic the proof of some formulas have no computational content (they are called data-mute in [5]). The consequence rule is thus derivable if we restrict (without loss of generality) the set of assertions to data-mute formulas. Non-local jumps The imperative language was then extended in [1] with labels and non-local jumps. At the (dependent) type level, this extension (called IDc) corresponds to an extension from intuitionistic logic to classical logic. For instance, the following typing rules for labels and jumps are derivable (where first-class labels are typed by the negation): Γ,k : ¬⃗σ;⃗z :⃗τ ⊢s ⊲⃗z : ⃗σ Γ;Ω,⃗z : ⃗σ ⊢s′ ⊲Ω′ Γ;Ω,⃗z :⃗τ ⊢k : {s}⃗z; s′ ⊲Ω′ Γ;Ω,⃗z :⃗τ ⊢k : ¬⃗σ Γ;Ω,⃗z :⃗τ ⊢⃗e : ⃗σ Γ;Ω,⃗z :⃗τ ⊢jump(k,⃗e)⃗z ⊲⃗z :⃗τ′ However, deriving a Hoare-Floyd logic for non-local jumps is not straightforward since there is no ob- vious notion of data-mute formula in classical logic (as noted also in [6]), and thus the consequence rule is in general not derivable. The problem comes from the fact that, in presence of control operators, the proof-terms corresponding to proof-obligations may interact with the program. We shall exhibit an example of such program and we shall present a general solution to this problem which relies on the distinction between purely functional terms and imperative procedures (possibly cont

This content is AI-processed based on open access ArXiv data.