Post on 22-Mar-2018
Local temporal reasoning
15 July 2014 !
Supported by the Japan Society for the Advancement of Science (JSPS), MEXT Kakenhi, and a grant from the NYU Office of the Provost.
Eric Koskinen Visiting Assistant Professor
New York University
Tachio Terauchi Professor
JAIST
let rec halt _ = halt () and shrink f = if ( f() = 0 ) then halt () else shrink (λ_. f() - 1) !and main() = let t = *+ in shrink (λ_. t)
let rec halt _ = halt () and shrink f = if ( f() = 0 ) then halt () else shrink (λ_. f() - 1) !and main() = let t = *+ in shrink (λ_. t)
main X (shrink U halt)
ev[halt];
ev[shrink];
ev[main];Events
let rec halt _ = halt () and shrink f = if ( f() = 0 ) then halt () else shrink (λ_. f() - 1) !and main() = let t = *+ in shrink (λ_. t)
main shrink λ_.2
shrink λ_.1
shrink λ_.0
halt halt . . .
main shrink λ_.1
shrink λ_.0
halt halt halt . . .
main shrink λ_.0
halt halt halt halt . . .
main shrink λ_.1
shrink λ_.0
halt halt halt . . .
main X (shrink U halt)
let rec halt _ = halt () and shrink f = if ( f() = 0 ) then halt () else shrink (λ_. f() - 1) !and main() = let t = *+ in shrink (λ_. t)
Infinite state space
Higher Order
Non-determinism
Reachability
main X (shrink U halt)
Termination
No previous technique can prove this property.
Previously: • Expressive logics, but finite data [K/O:LICS’09] • Infinite data, but just safety [Terauchi:POPL’10] • Infinite data, but just termination [K/T/U/K:ESOP’14] • Expressive logics, but first-order programs [CK:PLDI’13]
Terminates or diverges?
Terminates or diverges?
Terminates or diverges?e1 e2
shrink (λ_. t)
(shrink U halt)
Decompose in two ways
!
Temporal behavior as
e1 is reduced
!
Temporal behavior as
e2 is reduced
!
Latent behavior during application
Φ1Φ2
Φ3
1. Divide up program into expressions
�1 · �2 · �3
e1 e2
Γ ⊢Characterize temporal behavior of exprs. via type-and-effect:
Decompose in two ways1. Divide up program into expressions
Typing environment
Dependent Type
Temporal Effect
: τ & Φe1 e2
e1 e2Γ ⊢Characterize temporal behavior of exprs. via type-and-effect:
Decompose in two ways1. Divide up program into expressions
Typing environment
Dependent Type
Temporal Effect
: τ & ΦClosed Under: !
!
!
!
!
e.g. Buchi automata
Union : �1 [ �2
Isect. : �1 \ �2
Comp. : �1 · �2
Decompose in two ways
!
Temporal behavior as
e1 is reduced
!
Temporal behavior as
e2 is reduced
!
Latent behavior during application
Φ1Φ2
Φ3
1. Divide up program into expressions
2. Track behavior of finite traces separate from infinite traces
�1 · �2 · �3
e1 e2
!
Temporal behavior as
e1 is reduced
!
Temporal behavior as
e2 is reduced
!
Latent behavior during application
Φ1,Φ1Φ2,Φ2
Φ3,Φ3
fin inffin inf
fin inf
1. Divide up program into expressions
2. Track behavior of finite traces separate from infinite traces
Decompose in two ways
(�fin1 ,�inf
1 ) · (�fin2 ,�inf
2 ) · (�fin3 ,�inf
3 )
e1 e2
Γ ⊢ e : τ & (Φ , Φ )fin inf
Decompose in two ways1. Divide up program into expressions
2. Track behavior of finite traces separate from infinite traces
let rec halt _ = halt () and shrink f = if ( f() = 0 ) then halt () else shrink (λ_. f() - 1) !and main() = let t = *+ in shrink (λ_. t)
main X (shrink U halt)
let rec halt _ = halt () and shrink f = if ( f() = 0 ) then halt () else shrink (λ_. f() - 1) !and main() = let t = *+ in shrink (λ_. t)
(shrink U halt)
shrinkWhalt
Safety: the latent behavior when shrink is applied
Latent Effect
let rec halt _ = halt () and shrink f = if ( f() = 0 ) then halt () else shrink (λ_. f() - 1) !and main() = let t = *+ in shrink (λ_. t)
(shrink U halt)
Liveness: the conditions under which shrink terminates
shrinkWhalt
Safety: the latent behavior when shrink is applied
refinement types
“all traces exit shrink”
(⊤, F ¬shrink)
let rec halt _ = halt () and shrink f = if ( f() = 0 ) then halt () else shrink (λ_. f() - 1) !and main() = let t = *+ in shrink (λ_. t)
(shrink U halt)
Liveness
Safety ...
(shrink U halt)
App
Comb
Sub
...
...
Safety via the type systemshrinkWhalt
This arises as a fixpoint solution to the typing context in the judgments over the body of shrink.
First, assume we already an env. Γ such thathalt
let rec halt _ = ev[halt]; halt () and shrink f = ev[shrink]; if ( f() = 0 ) then halt () else shrink (λ_. f() - 1) !and main() = ev[main]; let t = *+ in shrink (λ_. t)
let rec halt _ = ev[halt]; halt () and shrink f = ev[shrink]; if ( f() = 0 ) then halt () else shrink (λ_. f() - 1) !and main() = ev[main]; let t = *+ in shrink (λ_. t)
Depending on which branch, either shrink or halt will occur.
shrink ∨ haltValid typing:
Or look at a fixpoint to: α = shrink ∧ X(α ∨ G halt)
let rec halt _ = ev[halt]; halt () and shrink f = ev[shrink]; if ( f() = 0 ) then halt () else shrink (λ_. f() - 1) !and main() = ev[main]; let t = *+ in shrink (λ_. t)
Or look at a fixpoint to: α = shrink ∧ X(α ∨ G halt)
shrink halt
Careful here. If we don’t know that
funapp terminates...
let rec halt _ = ev[halt]; halt () and shrink f = ev[shrink]; if ( f() = 0 ) then halt () else shrink (λ_. f() - 1) !and main() = ev[main]; let t = *+ in shrink (λ_. t)
Under what conditions does shrink terminate?
If f is a fun that returns 0, halt will be
invoked
let rec halt _ = ev[halt]; halt () and shrink f = ev[shrink]; if ( f() = 0 ) then halt () else shrink (λ_. f() - 1) !and main() = ev[main]; let t = *+ in shrink (λ_. t)
If f is a fun that returns 0, halt will be
invoked
Adapt prior work on higher-order termination (ESOP‘2014) to prove conditional higher-order termination.
Under what conditions does shrink terminate?But this is a separate proof
(⊤, F ¬shrink)
let rec halt _ = ev[halt]; halt () and shrink f = ev[shrink]; if ( f() = 0 ) then halt () else shrink (λ_. f() - 1) !and main() = ev[main]; let t = *+ in shrink (λ_. t)
Adapt prior work on higher-order termination (ESOP‘2014) to prove conditional higher-order termination.
Under what conditions does shrink terminate?
(⊤, F ¬shrink)
let rec halt _ = ev[halt]; halt () and shrink f = ev[shrink]; if ( f() = 0 ) then halt () else shrink (λ_. f() - 1) !and main() = ev[main]; let t = *+ in shrink (λ_. t)
Liveness
Safety ...
(shrink U halt)
App
Comb
Sub
...
...(shrink U halt)
shrinkWhalt
F ¬shrink
Contributions and benefits
• First technique for temporal properties of higher-order, infinite-data programs
• Instantiation to wide variety of spec. logics, Instantiation to type environments, Instantiation to oracles
• Compositional
• Does not require input program in CPS
• First-order interprocedural programs
Language
Inductive big-step semantics for terminating runs:
Co-inductive big-step semantics for non-terminating runs:
Simply typed
Hidden Computation
x:=1; increment(x); x:=-1; F(x < 0)
Our semantics has no infinite, invisible computations.
Language
�fin ::✓ ⌃⇤
�inf ::✓ ⌃!
� ::= (�fin,�inf)
B ::= int | bool | unit
⌧,� ::= {u :B | ✓} | x :� ��! ⌧
Trace set operations(�fin
1 ,�inf1 ) [ (�fin
2 ,�inf2 ) = (�fin
1 [ �fin2 ,�inf
1 [ �inf2 )
(�fin1 ,�inf
1 ) \ (�fin2 ,�inf
2 ) = (�fin1 \ �fin
2 ,�inf1 \ �inf
2 )
(�fin1 ,�inf
1 ) · (�fin2 ,�inf
2 ) = (�fin1 · �fin
2 ,�inf1 [ (�fin
1 · �inf2 )
(�fin1 ,�inf
1 ) ✓ (�fin2 ,�inf
2 ) = �fin1 ✓ �fin
2 ^ �inf1 ✓ �inf
2 )
Type-and-effect
Suppose
Then
type & effect
SoundnessSemantics of Type and Effect
Oracle Conditions
Soundnesssimply typed
For any e in P
Examples
• Modular reasoning
• Nesting G within F, nesting U within G
• Oracles for Termination, Non-termination
• Dependent typing (e.g. bar x returns non-positive)
• Type system fix points